Unless you have been avoiding the news this past year, you will be well aware of three things: Brexit, Trump being elected president, and the General Data Protection Regulation (or GDPR) is on its way. It was certainly an eventful year. There have been plenty of columns analysing the effects of the first two topics, one thing that has been apparent to me has been the lack of commentary on the real point of GDPR.
The easiest way to think about the EU's newest regulation is to use a house as a metaphor, with the GDPR prompting you on its upkeep, both inside and out. While not effective until 25 May 2018, the broad scope of this legislation it will require companies collecting EU residents' personal data to undertake two different household chores.
The first is a full clean of all rooms on every floor, from attic to cellar. Inspecting each piece of furniture is essential, including all knick-knacks – or data – large and small. Companies will need to discover how they first collected the knick-knacks, which represent consumer data, and how they use them now. They will need to make sure these precious items are well protected, both from a privacy and security perspective.
Once the house is in order, then companies must plant an easy to read sign in the front garden telling all neighbours if there are any of their knick-knacks stored in the house. This sign needs to be pride of place on the front lawn, not buried in the terms and conditions at the bottom of a webpage. It must also explain to the other residents where they can find their items, and give easy to understand instructions for them to tell the homeowner whether they can keep using their belongings. If they say no, then you'll need to be neighbourly about it and respect their wishes.
Its already been widely discussed how the GDPR will affect specific industries, especially digital advertising and its underlying adtech and martech industries, but not to be overlooked is how it will impact security. It's important to note that this law is about data protection, which encompasses not only privacy but also security, and lays out two sets of detailed requirements for companies to follow. Failure to do so may expose an organisation to one of two tiers of penalties: the greater of up to €10 million or two percent of global turnover, or the greater of up to €20 million or four percent of global turnover. Either way you look at it, the financial risk for not getting security right under the GDPR is high.
The first security requirement will require legal and security departments to work closely. It will require vendor agreements with companies used to process collected data. This is simple enough. But additionally, companies willl need to demonstrate they are managing those vendors to the letter and spirit of the contracts on an operational basis. It won't be enough to just put the legal paper in place. The agreements will need to be monitored and enforced. With so many companies now deploying cloud services, vendor audits will be a challenge.
The second security requirement (already familiar to many US organisations) is the 72-hour data breach notification requirement. From the discovery of a security incident, then the clock starts ticking for you to get notice out the door to the relevant data protection authority. Luckily there are some practical limits to this new obligation, chiefly that the notification requirement kicks in only when there is a risk to the affected person.
However, IT, legal and info security now have to be in sync with a detailed security incident reporting, investigation and response plan that is tested and perfected on a regular basis. Not many have this in-house expertise, so expect astounding growth in the data breach services sector to help with this new obligation. Investigations, forensics, and risk based analysis to determine security and privacy impact risk, as well notification services, will be offered on a fee for service basis. Much of this will be driven through insurance carriers and outside counsel, but the statutory obligation to get it right rests with the company. The breach notification industry is only there as an extension of a firm's security and legal department. The responsibility of ensuring the breach is reported rests with the company.
There is much to do to get your house in order and there is no need to hit the panic button yet. However, it is certainly time to start walking through the house and list all the knick-knacks you've collected and think about how to protect those precious things. You will be surprised how much is actually there, but once the cleaning is done, the clarity will be rewarding.
Contributed by Todd Ruback, chief privacy officer, Ghostery