Yes, Especially Regulated Industries. And US Regulations Are Coming. Prepare.
The General Data Protection Regulation (GDPR) requires businesses to protect the personal data and privacy of individuals in the EU, whether or not the business has any physical presence in an EU member state: it applies to any company that offers goods or services to people in the EU or monitors their behaviour there. Non-compliance can lead to significant fines, up to 2% of worldwide annual turnover (or €10 million, whichever is higher) for lesser infractions and up to 4% (or €20 million) for the most serious offenses.
In response to rapidly growing public concern about how personally identifiable information (PII), or "personal data" in the regulation's own terms, was being handled online, the European Parliament approved the GDPR in April 2016. It came into force on May 25, 2018. In the US, California is leading the way by passing the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020. At the federal level there are a couple of data privacy bills working their way through Congress, including Senator Ron Wyden's Consumer Data Protection Act.
The handwriting is on the wall for businesses, especially those in regulated industries: it is critical to address data privacy as part of cyber security compliance, whether or not you believe you are subject to the EU regulation. The Internet is a platform without borders, and you must assume that someone in the EU will trade their data for your gated content or otherwise register on your website. US data privacy laws are coming at both the federal and state levels. It is time to act, though with care not to over-react.
Although the immediate impact of GDPR was smaller than some cyber security experts predicted, in 2019 we are beginning to see high-profile results: EU regulators have started enforcement actions against Google, Facebook and other major social media and Internet companies over the misuse or improper sale of user data.
What personal information is protected by GDPR?
According to CSO.com, the GDPR protects the following personal data.
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
It gives individuals the right to request a copy of all the personal data an organization holds about them (the right of access, which must normally be answered within one month) and the right to request that the organization erase that data (the right to erasure, subject to certain exceptions, for example where the data must be kept to meet a legal obligation). It also limits retention: personal data may be kept only as long as necessary for the purpose for which it was collected, so companies need a documented retention period for each category of data. Where processing is based on the individual's consent, that consent must be freely given and can be withdrawn at any time.
What Are Companies Doing?
The answer is: not enough. Although a PwC study conducted before GDPR's effective date found that 92 percent of U.S. companies considered GDPR a top data protection priority, a more recent Thomson Reuters survey found that awareness of GDPR and other data privacy issues is lowest in the U.S., where only a quarter of respondents believe the GDPR will affect their organization.
What should your company be doing?
According to technology journalist Maria Korolov in a CSO.com article, companies must “… start seriously thinking about a privacy-first approach to data, especially as these laws expand to more jurisdictions, and to narrowly targeted verticals, such as banking, medical and payments. That will require some major changes in how companies collect, use, and share data.” Ms. Korolov covers cybersecurity and artificial intelligence and also contributes to CIO magazine.
Building and implementing holistic cyber security policies and a robust cyber security program, including employee training, goes a long way toward safeguarding user data. Beyond that, there are concrete steps to take to provide the transparency, user consent and documentation required by GDPR and by the privacy laws to come. Marketing software platforms such as HubSpot are building in data privacy functionality, for example cookie notices, consent requests and similar privacy-related features.
Don't overreact. It is possible to become so concerned with individual user privacy that you take your eye off the ball of preventing attacks. And don't be surprised that GDPR is opening new doors for bad actors. There have been incidents in which attackers gathered enough public information about an individual (name, address, date of birth) to impersonate that person in a data access request; if the target is the user's bank, broker or physician, a request fulfilled on the strength of that information alone hands the attacker far more personal data to use in committing further crimes. Any process for handling access and erasure requests therefore needs to verify the requester's identity through a channel already tied to the account, not merely check that the submitted details match the record. There are other new cyber threats emerging from the new data privacy environment that we will address in future posts.
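The spoofed access request described above, together with the access and erasure rights discussed earlier, as an added example that is not code from the original post: a naive handler that releases a profile to anyone who knows a name and postal address, beside a handler that only acts on a request after a single-use, time-limited token has been confirmed through the e-mail address already on file and that delivers the export only to that address. The account records, the 15-minute token lifetime and the in-memory outbox are constructed stand-ins for a real user store, policy and e-mail service.

```python
"""Data subject access request (DSAR) handling: naive lookup versus verified flow.

Added example, not code from the original post. ACCOUNTS, the outbox and the
TOKEN_TTL policy are constructed stand-ins, not a real system.
"""
import hmac
import secrets
import time
from typing import Optional

# Constructed sample user store; "profile" is what an access request would export.
ACCOUNTS = {
    "u-1001": {
        "email": "alice@example.com",  # registered contact channel, set at signup
        "name": "Alice Example",
        "postal_address": "1 Main St, Dublin",
        "profile": {"dob": "1980-01-02", "orders": 17, "ip_history": ["203.0.113.5"]},
    },
}


def naive_dsar(accounts: dict, name: str, postal_address: str) -> Optional[dict]:
    """Vulnerable: hands the full profile to anyone who knows the name and address,
    both of which are often available from public records or old breach dumps."""
    for acct in accounts.values():
        if acct["name"] == name and acct["postal_address"] == postal_address:
            return acct["profile"]
    return None


class DsarHandler:
    TOKEN_TTL = 15 * 60  # assumed policy: seconds a confirmation token stays valid

    def __init__(self, accounts: dict, now=time.time):
        self.accounts = accounts
        self._now = now
        self._pending = {}   # token -> (account_id, action, expires_at)
        self.outbox = []     # stand-in for an e-mail service: (recipient, body)
        self.audit_log = []  # record of every request, kept for accountability

    def open_request(self, name: str, postal_address: str, action: str) -> str:
        """Step 1: accept the request without revealing whether an account exists.
        A confirmation token goes only to the e-mail address already on file."""
        if action not in ("access", "erase"):
            raise ValueError("unknown action")
        for acct_id, acct in self.accounts.items():
            if acct["name"] == name and acct["postal_address"] == postal_address:
                token = secrets.token_urlsafe(32)
                self._pending[token] = (acct_id, action, self._now() + self.TOKEN_TTL)
                self.outbox.append((acct["email"], f"Confirm your {action} request: {token}"))
        self.audit_log.append(("opened", action, name, self._now()))
        # Same reply whether or not a match was found, so the form cannot be used
        # to confirm that a given person has an account.
        return "If we hold an account matching these details, a confirmation was sent to the registered e-mail."

    def complete_request(self, presented_token: str) -> Optional[dict]:
        """Step 2: fulfil only with a valid, unexpired, single-use token. An export
        still goes to the registered address, never to one supplied by the requester."""
        match = None
        for token in list(self._pending):
            # Constant-time comparison against each outstanding token.
            if hmac.compare_digest(token.encode(), presented_token.encode()):
                match = token
        if match is None:
            self.audit_log.append(("rejected", "unknown token", self._now()))
            return None
        acct_id, action, expires_at = self._pending.pop(match)  # single use
        if self._now() > expires_at:
            self.audit_log.append(("rejected", "expired token", self._now()))
            return None
        acct = self.accounts[acct_id]
        if action == "access":
            self.outbox.append((acct["email"], f"Your data export: {acct['profile']}"))
            result = {"action": "access", "delivered_to": acct["email"]}
        else:
            self.accounts.pop(acct_id)  # erasure: remove the record
            result = {"action": "erase", "account": acct_id}
        self.audit_log.append(("completed", action, acct_id, self._now()))
        return result
```

The point of the verified flow is that knowledge of personal details is treated as a claim to be checked, not as proof of identity: the only thing an impersonator gains from submitting a request is a message sent to the real account holder's inbox, and the audit log gives you the documentation a regulator will ask for.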
Of course, the first step to solving any problem is recognizing that a problem exists. We hope that this post has accomplished this for your company.
As discussed earlier, data privacy is only one aspect of a comprehensive set of cyber security policies and procedures, and it is not sufficient to treat it as a stand-alone effort. You would do well to enlist a cyber security specialist team whose business it is to assess and identify weaknesses in your environment, fix the problems, and teach staff and management how to avoid them before they arise, while keeping you on the right side of the GDPR.
If you’d like to speak with Soundshore Technology Group’s cyber security experts send an email to firstname.lastname@example.org. We’ll be happy to help. While you’re here, please take a look at our full array of cyber security services.