Ignore At Your Own Risk: How GDPR Will Impact US Companies
Effective May 25th, 2018, companies collecting data on European Union (EU) citizens will be subject to a new set of rules aimed at protecting consumer data. The goal of the EU’s new privacy regulation, the General Data Protection Regulation (GDPR), is to simplify data protection laws across the EU, safeguard citizens from wrongful use, and enforce disclosure of personally identifiable data.
As organizations in the EU are in the final days of ensuring GDPR compliance, US-based companies must pay close attention too. GDPR will significantly impact the way all global companies collect, store, and use data. In today’s global information economy, with no shortage of high-profile, far-reaching data misuse incidents, it would not be far-fetched for GDPR to become a new standard for data protection with global implications outside of the EU.
Organizations in regulated industries such as healthcare, education, and the financial sector are accustomed to compliance initiatives via HIPAA, PCI, and FERPA. However, with GDPR, global corporations, academic medical centers and research groups, and higher education institutions will also undoubtedly be impacted. For instance, hospitals will need to be careful to obtain consent from EU patients before they disclose any data sets to third-party marketers. This is a change from 164.514(e) of HIPAA, which allowed for this without restriction.
In the US, the Federal Communications Commission’s (FCC) net neutrality rules, now controversially rolled-back, would have prohibited an ISP from selling, sharing, or otherwise using consumers’ browser history and application usage data unless consumers had affirmatively given permission to do so.
The idea of affirmative permission is extremely important because it is a default opt-out policy for the sharing of personally identifiable data. For companies doing business in the EU, this could be the simple act of storing a cookie or an IP address of a prospective EU customer. The shift marked by GDPR means that companies will need to make it abundantly clear what information they are collecting, especially if they aren’t looking to block their EU customers from accessing services.
What do you need to know about GDPR?
Below are key highlights from GDPR, including requirements and potential implications for global companies. The full regulation, final version dated April 27, 2016, can be viewed here.
Processor of Data – GDPR defines what constitutes ‘lawful’ processing of data. Several grounds can apply, and not all of them need to:
- The data subject has consented to their data being processed;
- Processing is necessary to comply with a contract or legal obligation;
- Processing protects an interest that is "essential for the life of" the subject;
- Processing is in the public interest;
- Processing serves the controller's legitimate interest, such as preventing fraud.
GDPR requires that at least one of these justifications must apply in order to process data.
Breach Notification – The new guidance around breach notification is also extremely important and requires that corporations notify a data protection authority within 72 hours of a breach or incur massive fines of up to 2% of annual revenue. If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.
Mandatory On-Staff Data Protection Officer – This is a requirement for companies acting as a controller or data processor with more than 250 employees. GDPR does not establish the precise credentials data protection officers must carry, but does require that they have “expert knowledge of data protection law and practices.” Now is the time to develop a data governance strategy and consider hiring internally or engaging an outside consulting firm with privacy law expertise.
Cross Border Data Transfers – Cross border data transfers are possible under appropriate conditions and this is a large topic in and of itself. Ensure that you have appropriate privacy processes and procedures consistent with GDPR and approved via certifications or contractual clauses that are acceptable to the EU Commission. New technologies can allow for automation of business processes and rules governing data movement and access.
Right to be forgotten – Although the concept originates in a 1995 EU Data Protection directive, under GDPR an individual now has the right, under certain circumstances, to request that their information be deleted, especially where their data is used for marketing purposes. There are other grounds as well, so it is important to consider how this will affect data retention, backup, and restore procedures in various environments. Similar to the right to be forgotten, consumers must also be given the ability to download the data that has been captured about them under a portability clause. Make sure your disaster recovery and backup tools support these new requirements, so that you don’t inadvertently restore data that legally should have been forgotten.
Profiling – A hotly contested provision of the GDPR, the “profiling” restrictions ultimately adopted were narrower than initially proposed, writes Rita Heimes, Research Director at the International Association of Privacy Professionals. Under the EU directive, automated profiling using algorithms or the like cannot be used to make a negative legal decision without human intervention; for instance, lenders or insurance companies profiling data for credit scores. Processes must be in place to notify the individuals and allow for objection to the decision through a formal process. Understand your Big Data tools and processes around machine learning and artificial intelligence, and solicit an agnostic cloud partner if you need guidance.
Ignore GDPR at Your Own Peril
The penalties for non-compliance are steep. If found in breach of GDPR, organizations can be fined up to 4% of global revenue or €20 million, whichever is greater. That being said, aside from fines, ignoring GDPR could result in irrevocable brand damage, such as the recent fallout from political research organizations’ use of APIs to pull massive amounts of data from US-based social networks. Adherence to GDPR likely would have prevented this.
Ironically, to monitor and enforce the proper controls and use of data outlined by GDPR, companies will need to leverage new insights into data: for example, where the data rests, who accessed it, from where it was accessed, what it contains, and where it flows through business processes, including internal and external threats to the organization. This will require investing in and modernizing your infrastructure and, if you deliver applications and services, you will need to consider breaking them up into modular microservices for security, scalability, and management.
In addition, shadow IT won’t be an option for employees in this new era of data management. Mapping out data paths, undocumented applications, and Software-as-a-Service providers is a must. This will require new tools that provide visibility into encrypted network traffic and into the data available across the enterprise, for instance.
As a first step, consider leveraging solutions that ingest information from HR systems and consent records, and that can then categorize sensitive data across a growing number of internal and external services: for example, AWS, Google, Dropbox, SharePoint, Office 365, email, file shares, individual laptops, and all associated backups of data. Once you have found your sensitive data, you need to understand role-based activity and the owners of the data in order to distinguish normal from abnormal behavior. We recommend implementing a solution that is all-inclusive of your data management needs and undertaking a data risk assessment across your organization.
“As with any powerful technology, we cannot put the big data genie back in the bottle, and we ignore its risks at our peril. How we use or abuse digital technologies and the data they generate is one of the greatest ethical challenges of our time.” - Kon Leong, "Is Your Company Using Employee Data Ethically?"