The recent Equifax breach that has been all over the news raises an interesting question: how would the situation have played out if it had happened after May 25, 2018, when the new General Data Protection Regulation (GDPR) is due to come into force? While none of us has a crystal ball, we can bet the outcome for Equifax would have been even worse.
This report (PDF) provides comprehensive information on the GDPR but, in brief, the GDPR is a new set of regulations to protect the personal data and privacy of citizens of EU countries. It will affect any company that processes the personal data of EU citizens – even if that company doesn’t have a presence in an EU country – making this legislation more than a European concern. To begin with, the regulations set a high standard for the speed with which businesses are required to report data breaches, in some cases within 72 hours of becoming aware of the breach. Companies also have to comply with each of these rights, transparently and without cost to EU citizens:
• Right of data portability – if a customer asks for their data, you are required to provide it
• Right of removal – if a customer requests that their information be removed from your systems, you are required to do so
• Data transfer notification – prior to sharing customer data with a third party, you must notify the customer and obtain explicit consent to share it
• Customer access requests – if a customer asks whether or not you hold data on them, you are obligated to let them know
To satisfy the GDPR regulations, companies will likely need additional processes, technology and personnel in place. In a survey by PwC (PDF) of U.S. companies, nearly 70% of respondents said they plan to spend between $1 million and $10 million to address GDPR obligations. While that may sound like a lot, it could pale in comparison to fines. In certain instances, failure to comply with the GDPR can result in hefty financial penalties of up to 4 percent of global turnover or 20 million Euros (more than $23 million), whichever is greater. For companies operating with razor-thin margins, profits could easily evaporate into thin air.
The need to comply with data privacy regulations is nothing new to U.S.-based companies. In fact, certain states such as California and Delaware have particularly strict rules around online data privacy. Further, the U.S. Department of Commerce has worked for some time to synchronize privacy legislation between the U.S. and the E.U. so that trade (mostly online) can be conducted successfully in the joint interest of both groups. This led to the creation of the EU-U.S. Privacy Shield Framework, designed to provide equivalent protection, meaning the same level of protection for EU citizens whether they are in the EU or the United States. Companies based in the U.S. can self-certify that they provide “adequate” privacy protection and must then comply with the Framework’s requirements. Even the status of this agreement is fragile, however.
GDPR continues some of the core principles set out by this earlier legislation, which helps ease the transition for companies that have maintained compliance. But differences, including the 72-hour reporting deadline, exactly how ‘personal information’ is defined and the broader rights granted to EU citizens, must be considered. So what can U.S.-based companies do to prepare for the GDPR? These five steps can help:
1. Understand what data you have and where it is. Make sure you understand what data you hold on EU citizens. If you don’t hold data on EU citizens then you need not concern yourself with the GDPR, but given the global nature of business this is unlikely to be the case. If you do hold EU citizen data then consider this: every company has a certain amount of data loss, yet many aren’t aware that they’ve already been breached. If you don’t already do so, proactively monitor sites on the open, deep and dark web for your customers’ information. Understanding any data leaks and addressing them now will give you a clean start when the GDPR goes into effect next year.
2. Engage in supply chain security. Most businesses have a long supply chain. For example, it isn’t unusual for a Tier 1 financial institution to have 15,000 suppliers/partners who quite often hold proprietary information on the institution’s customers. Under the GDPR, both data controllers and data processors have protection and privacy obligations to EU citizens. Make sure your company’s security guidelines and controls with suppliers are adequate and that your suppliers are in compliance and following best practices.
3. Complete the EU-U.S. Privacy Shield self-certification process. It is still unclear whether or not the EU-U.S. Privacy Shield Framework will continue. However, companies that are self-certified when the GDPR goes into effect can demonstrate a commitment to protecting the data and privacy of EU citizens. This puts you further down the path of compliance with the GDPR and on more solid footing to continue business with EU companies and citizens during the transition.
4. Establish GDPR compliance processes now. You need to establish and test processes in advance to ensure you know how, and whom, to notify in the event of a breach. With only 72 hours to spare, you can’t afford to wait and figure it out ‘on the fly.’ Additionally, make sure you have identified processes to support all the other rights of EU citizens under the GDPR, including data portability, removal, transfer notifications and access requests. Consider appointing a data protection officer to oversee these efforts.
5. Seek legal counsel. All of these changes require considerable thought, time and effort. Before you go too far down the path of implementing processes and any supporting technologies required, seek professional legal advice to ensure that your chosen approaches suitably address the legislation.
Crystal ball or not, it’s clear that the GDPR is not just a European concern. What’s not yet clear is how quickly or severely the Information Commissioner’s Office will treat non-compliance in the early period of the legislation. Regardless, given the scope of the requirements, affected U.S.-based companies should start to prepare now to mitigate risk.