Here’s news worth monitoring. Ohio lawmakers passed a handful of bills before heading into the 2018 summer break. One of those, Senate Bill 220, includes legal protection for companies that suffer a data breach, provided they had reasonable security controls in place when the incident occurred. Governor John Kasich signed the legislation in early August.
That might give some comfort to business leaders in the Buckeye State. But if the legislation is regarded as an example by lawmakers elsewhere, expect it to also ignite a debate about what constitutes “reasonable controls,” given the increasingly anxious conversation that already exists around the issue of privacy in our digital age.
Indeed, studies by the Pew Research Center have shown that people using social media are worried about all the personal information that is collected and shared about them and the security of their data.
It hasn’t helped that in recent years there have been numerous high-profile data breaches among global retailers and other prominent institutions. Each new incident has amplified worries about data privacy and put added heat on senior executives to take data protection seriously.
At the same time, companies in the United States had long resisted adopting “chip-and-pin” credit and debit cards, which require the user to enter a personal identification number to authenticate transactions at point-of-sale terminals and automated tellers. That created a massive security vulnerability that wasn’t addressed until recently.
Now there’s a new factor to consider. Lawmakers in Europe passed one of the strongest measures yet concerning the privacy rights of citizens and residents, in a way that reaches far beyond their own borders.
The European Union’s General Data Protection Regulation, or GDPR, took effect on May 25, 2018, and it’s making data security an even greater C-suite concern worldwide.
Intentionally broad reach
As the first major update to data protection laws in the EU since 1995, the GDPR combines previous directives into a single, comprehensive regulation — a feature that is often touted as one of its main benefits.
Even so, many organizations are still struggling with it. “That’s not surprising,” said Dannie Combs, DFIN’s senior vice president and chief information officer. “A survey conducted by DFIN shortly before the May effective date revealed that 38 percent of companies believed they were ‘not very’ or ‘somewhat not’ prepared to comply. Fewer than 20 percent believed their companies were very prepared.”
Combs also noted that nearly 30 percent of the companies surveyed did not begin GDPR preparations until a month prior to enforcement. “Only 19 percent began preparing for the extensive regulatory changes more than 12 months ahead of the deadline, and just 31 percent confirmed the appointment of a data protection officer — a GDPR requirement — within their organization,” he added.
The GDPR affects organizations even if they don’t have operations in Europe. Any entity processing the personally identifiable information (PII) for even a single individual who is a citizen or resident of the EU must comply with the new rule.
What makes those numbers jaw-dropping is that the GDPR affects organizations even if they don’t have operations in Europe. Any entity processing the personally identifiable information (PII) for even a single individual who is a citizen or resident of the EU must comply with the new rule.
PII can be anything ranging from a name, photo, email address or posts on social networking websites, to medical information, bank details, a computer IP address, a social security number or a physical address. “The GDPR’s reach is intentionally broad and applies to almost any information gathered about individuals,” Combs explained.
Also, compared with past privacy regulations, the GDPR has more stringent enforcement mechanisms and carries larger fines for non-compliance. Even accidental data breaches that are not dealt with immediately will place organizations at greater legal risk than in years past. The financial penalties for data protection violations step up massively, too, and can carry a price tag of up to four percent of a company’s annual global revenue.
For those organizations that scrambled to prepare ahead of the regulation’s effective date, the calculation seemed simple enough: compliance clearly cost time and money, but ignoring the GDPR could cost far more if penalties followed.
Some organizations reacted differently: they simply blocked all European Union IP addresses from accessing their data as of May 25.
The problem with that tactic is at least twofold. On the one hand, companies that merely block access are still not in compliance with the GDPR, given that they continue to possess PII about individuals in the EU, which is the crux of the privacy protections.
Those companies may not be entirely wrong that it’s easier to simply put up a firewall — provided they are actively working on aligning their data policies to comply with the regulation at the same time. Think of it as akin to erecting a plywood perimeter around a construction site to keep people out until the work is done.
One of the greatest challenges in GDPR compliance relates to the fact that organizations are held responsible for the practices of any third-party data processors they use, as well their sub-contractors.
But even then, there’s a risk of underestimating just how much effort might be required before the barrier is removed. One of the greatest challenges in GDPR compliance relates to the fact that organizations are held responsible for the practices of any third-party data processors they use, as well their sub-contractors. For those that deal with digital information, a potentially dizzying array of contracts may need to be carefully reviewed.
Under the GDPR, the concept of an individual’s privacy has shifted from simply a legal concern to a technology and security issue that demands attention from senior management and boards.
So, what can an organization do to respond?
Ensuring that the proper internal structure is in place is an important first step in facilitating GDPR compliance. In addition to a designated data protection officer, that structure should include a vendor relationship management team responsible for ensuring that external business partners adhere to the GDPR, and an experienced security expert who reports to the C-suite.
Also, a robust data protection impact analysis that addresses questions such as “What constitutes a sub-processor?” and “Who is a non-material service provider?” should be prepared — an exercise that can reveal unexpected gaps in an organization’s compliance preparation.
More challenges ahead
It’s not too late to put the structures and best practices in place to meet the demands of the GDPR. Meanwhile, it’s important to also recognize that many of the same pressures that prompted the European regulation are growing elsewhere, including in the United States.
In fact, over the past year alone at least 27 states have considered legislation dealing with internet privacy, according to the LexisNexis publication State Net Capitol Journal. So far, only two of those states — Oregon and Virginia — had passed data protection measures, while others were still mulling bills focused more specifically on the privacy of user data collected by social media companies.
Those actions, the report suggested, were a response to the Trump administration’s repeal of federal internet privacy protections in April 2017.
But now, California has also entered the mix. Governor Jerry Brown signed the GDPR-like California Consumer Privacy Act in July of this year. The law, when it goes into effect in 2020, is expected to give the Golden State the toughest data rules in the country. Significantly, those rules include a provision that will force organizations outside of the state to comply if they have any business that crosses into its jurisdiction.
What’s clear is this: With the GDPR in effect, the added challenge of California’s legislation looming and the likelihood that other states will enact similar laws, privacy and data protection will continue to be a higher priority for every organization that transacts data globally.
That said, Dannie Combs is quick to focus on the potential downstream benefits of securing users’ data, as DFIN learned while preparing for compliance well in advance of the GDPR’s effective date.
“C-suites that make data privacy a priority will learn that it is not just a good business practice,” he insisted. “In addition to addressing a long-simmering concern, they will benefit by continuously assessing their data privacy policies, firewalls, data transit connections and encryption of data at rest in storage. By having those best practices in place, they will be better positioned to achieve a significant competitive advantage.”