The European Union's General Data Protection Regulation may be the most important information security issue you've never heard of -- but everyone will be talking about GDPR compliance by the time the EU begins enforcement of the new regulation starting May 25, 2018.
The new privacy regulation includes requirements for protecting personal information, making sure it stays private and giving individuals the right to verify and control their own data, up to and including granting the "right to be forgotten."
With just a year before enforcement begins, the stakes are high: Failure to achieve GDPR compliance can trigger fines of up to 4% of a company's total worldwide annual turnover for the preceding financial year, or 20 million euros, whichever is greater.
Information Security magazine spoke about GDPR compliance with Microsoft's chief privacy officer, Brendon Lynch. This interview has been edited for length and clarity.
The EU's General Data Protection Regulation will begin enforcement in a year. Just how big a deal is this going to be?
Brendon Lynch: I've been a privacy professional now for 17 years -- about 13 of those here at Microsoft -- and I find this moment in time particularly intriguing. On one hand, you've got significant opportunity around data -- data is the key driver of innovation -- and when you think about the promise of artificial intelligence and machine learning, we're on the cusp of data continually providing great value to organizations, to individuals and to society at large. At the same time, when you look at it from an organizational perspective, they've got all this opportunity around data, but now they've also got a lot more risk.
Some of that risk is more of the cybersecurity risk and the risk of a data breach. But now we've also got the much greater risk around the regulation of data and the consequences of not being compliant with these regulations. The European GDPR -- yes, it's got some new aspects to it from a substance standpoint -- goes above and beyond what was in place before. But I think the key driver -- and where a lot of the interest is -- is actually because it's got a lot more teeth: The fact that the regulators can levy fines of up to 4% of your annual global turnover makes it very financially significant if you get this wrong. But we know that there are also reputational risks, and the like, that come with dealing with privacy in a way that's counter to people's expectations.
How much of the task can be solved by choosing a GDPR-compliant cloud provider? Some experts say that still leaves as much as 80% to 90% of GDPR compliance to enterprises.
Lynch: When I talk to my counterparts at our major customers, [many] do recognize there's a lot of things -- people, process and documentation -- they've got to do themselves. But they are recognizing that they don't want to create a lot of bureaucracy around this; they actually want to automate as much as possible and have technical solutions that support all of the processes they need to put in place.
If they already have a privacy officer [and] procedures in place for privacy management, it might be that they don't need to do a lot more on that side; they just need to have greater assurance from their technology providers that they are in good shape. People are working through this right now and determining what their plans are and all the work they need to do.
Do you expect GDPR to drive better overall security and privacy practices for companies that are not required to comply? Will GDPR raise the bar for security overall?
Lynch: I believe that this will have a broad impact across all industry sectors and many companies that are located in various parts of the world. This has become a board-level conversation for many companies because there is a financial materiality to the size of these potential fines, and therefore, all organizations that are in the scope of this will really lift their game on privacy and security.
You're right to point out security as well because security is a part of the GDPR -- it talks about the need to have appropriate technical and organizational measures to protect the data. So I think it's yet another driver for security investment. In general practices around privacy, I expect the consciousness among the European population to grow as well around their rights to have access [to information] and the ability to delete data and that sort of thing. Many of the regulators actively promote those rights to their populations. It ultimately becomes a customer service as well as a regulatory-compliance matter.
The EU approved the GDPR last year, including specifying fines and requiring companies handling EU personal data to be GDPR compliant, but are there subtleties that were not immediately obvious?
Lynch: Broadly speaking, there are two areas where more clarity [is expected]. The first is that the regulators themselves [Article 29 Working Party] have been working together to provide additional guidance. They're focused on data portability, for example, and the role of the data protection officer. They're also working on a few other areas. They recognize that [because] the letter of the law was relatively high level, there are going to be areas where companies will need more guidance to know what's expected of them.
The other aspect is that, even though it's a regulation that supposedly applies equally across all the member states of Europe, some elements of it were left to be decided at the member-state level, for example, rules around what we call 'age gating.' If you're going to collect information from a child, you need parental consent. It's similar to the rules we have here in the U.S. -- the Children's Online Privacy Protection Act sets that age of consent at 13. In Europe, they couldn't actually agree on what age; there were arguments being made [for] between 13 and 16. That's an example of where we'll get more specificity as well.
Of course, the other area will actually be the enforcement actions. Eventually, a case history gets built where precedents of enforcement will serve to clarify what to expect. The ideal is that we have full clarity before the enforcement date. I'm sure there will be some variations over time. It'll be somewhat dynamic, particularly as new technologies -- and business models -- come along.
What should CISOs be doing about GDPR compliance?
Lynch: The [first] phase is making sure that responsibility has been assigned for the GDPR work. At many organizations, it'll probably [involve] a number of people, rather than one individual, because it is going to require collaboration between CISOs and -- to the extent they've got a privacy officer already -- maybe some of the business areas that are by their nature managers of data in the organization. So it's first of all establishing accountability and driving it.
The second step really is understanding the scope. A lot of organizations may not have done a detailed data inventory and may not have a full grasp of the amount of data they have that falls within the scope of the law, under the law's definition of personal data.
And then the third area would be to do the gap assessment of the requirements and what they've got in place to determine ultimately an implementation plan of whatever things the law requires -- and then get an active plan in place to address those areas.