Governments across the world are showing a contradictory attitude towards privacy and data protection. On the one hand new legislation insists that business is minutely protective of personally identifiable information (PII), while at the same time PII must be more readily handed to law enforcement. This contradiction is exemplified in Europe, where the new EU General Data Protection Regulation (GDPR) strictly controls business use of personal data while many member nation states are simultaneously introducing new national surveillance laws.
Forrester’s 2016 Global Heat Map for privacy and data protection makes this point. The Netherlands and Finland are rated as ‘most restricted’ in their attitudes towards privacy; and yet both are drafting new laws that considerably increase government surveillance powers. Germany, also considered to be very protective of personal privacy, is doing likewise; while the UK — home to one of the more active intelligence agencies (GCHQ) — is close to passing its new Investigatory Powers Bill (IPB).
Forrester describes the IPB as a bill that “would require telecommunication providers to hold communication data for over a year. This also includes data on internet usage, such as services, websites, and data sources that a user visited in a year. It also maintains an existing requirement to compel UK companies to hand over encryption keys to law enforcement.” The FBI vs. Apple legal tussle earlier this year would have been a non-event in the UK.
Forrester’s senior analyst Chris Sherman also makes the point that the EU’s new GDPR is setting a business standard that is being followed around the world. “The slow global convergence toward the requirements outlined in the regulation continued through 2016,” he writes. “For example, Argentina and Japan strengthened pre-existing policies, while Nigeria passed its first comprehensive cybercrime legislation.”
This convergence towards GDPR does not apply in the U.S., which the Heat Map describes as having minimal privacy restrictions. But the U.S. too, probably more than most geographic locations, will still be affected by the heavyweight privacy restrictions that will be imposed by GDPR in May 2018. For U.S. corporates to effectively trade with the EU, they will need to be able to demonstrate GDPR conformance.
“In a world where privacy has become a competitive differentiator for multi-national organizations, businesses must increasingly work with their general counsels and chief privacy officers to understand global data privacy requirements, implementing controls that protect personal data accordingly,” says Sherman.
Two new reports demonstrate the range and extent of those new controls needed to ensure GDPR compliance.
One survey (PDF) from Vanson Bourne, commissioned by CA Technologies, found that almost nine in ten (89%) businesses stated that they need to invest in new technologies and services, including encryption (58%), analytics and reporting (49%) and test data management (47%) technologies. Of particular concern is that the majority of respondents were not completely confident that their organization could meet two of the key provisions of the GDPR, known as the ‘Right to be Forgotten’ and the ‘Right to Data Portability’. Meeting these requirements will need full knowledge of where every piece of European PII is located, and full control over its use and movement. This survey comprised 200 B2B interviews with companies with more than 500 employees and a global annual revenue in excess of $1 billion.
A second survey (PDF) from AvePoint and the Center for Information Policy Leadership questioned more than 200 predominantly multi-national organizations of varying sizes (with annual turnovers ranging from less than $1 million to more than $100 billion). This survey found that most companies are at least preparing for GDPR. However, only a quarter of organizations currently comply with the new GDPR consent requirements; 44% of organizations do not have procedures in place to identify and tag personal data, sensitive data or other confidential information; and 39% of organizations do not understand the full life cycle of the personal data that they hold.
It is not so much the protection of personal data that is a problem for GDPR conformance, but the management of that personal data. GDPR brings in new rules that cover its location and its use, and demands that the user retains more control over it. The procedures and processes needed to enable this are new requirements for most U.S. businesses — and the problem is that time is running out.
“It takes six months to plan and implement for the GDPR (plus revisions). If organizations do not start to create a compliance plan soon, they may run out of time before the deadline in May 2018,” concludes the CA report.