Some cybersecurity experts are focusing their attention on the European Union’s soon-to-be-implemented General Data Protection Regulation, which could have a big effect on how businesses worldwide handle data privacy.
“I believe that the majority of companies in the U.S. are not prepared for this,” says Heather Stratford, CEO for Spokane-based cybersecurity firm Stronger International Inc., which provides information technology services, including onsite training, vulnerability assessments, and compliance consulting.
She adds, “Most of our clients are larger companies or organizations that are looking to improve their internal IT practices. But I’d say only about 25 percent are aware of what the GDPR is and are taking steps to make sure they’re in compliance with it.”
GDPR, which goes into effect May 25, is a regulation that was passed two years ago by the European Union as a way of standardizing the handling and security of data, as well as residents’ rights to their personal information.
According to Stratford, the GDPR requires companies to report data security breaches more quickly—within 72 hours to the proper supervisory authorities as well as without undue delay to the data subjects themselves—and also requires companies to have a data protection plan that complies with new, more stringent standards.
“The GDPR says your company has to know what data it has on EU residents, where that data is stored, and what third parties may have had access to it,” she says. “Should an individual request to have a copy of that data, your company has to be able to provide it in a readable format, and if they’d like it deleted, you have to be able to erase all of it.”
The regulation also requires clearer consumer consent, which means no automatically checked boxes or legal language designed to obscure or confuse.
Stratford says the GDPR applies to any organization that offers goods or services to—or monitors the behavior of—people in the European Union.
“This would include anyone residing in one of the 28 EU countries,” she says. “They don’t have to be a citizen, although they can be.”
She says any U.S. company that has a web presence and markets their products over the internet will be affected by the new GDPR regulations.
“It’s important to remember that the company doesn’t have to be based in Europe,” she says. “Companies with larger global impacts, and even small companies with websites that sell products outside the U.S. will still be affected.”
Stratford says the rule also will affect higher-education institutions, including private universities and public two-year and four-year universities and colleges.
“Universities are affected if they target EU residents for programs or admission,” she says. “That includes if they go to lectures and conferences in an EU country and collect information and if they have printed materials or a website targeting a specific country.”
To make matters more complex, Stratford says the GDPR also applies retroactively, meaning the regulation applies to the data companies have currently in addition to any future data they will collect.
“Consent to hold personal information must be clear and requested,” she says. “Personal data includes business cards, signups, and feedback forms.”
Stratford says companies that employ more than 250 people are required by the new rule to have what’s called a data protection officer separate from executive staff with designated levels of education and expertise, who serves as the point person in terms of compliance and liability for GDPR.
“I like to think of them like an auditor, although they’re employed by the company, they’re protected from being fired for doing their job,” she says.
Stratford says companies that don’t comply with the new rule are risking both fines and bad public exposure.
“This is a minimal requirement for collecting and keeping personal data safe that should be upheld by companies that value their customer’s business and information,” she says.
She says the maximum fine as a result of noncompliance with GDPR is up to $20 million Euros, or 4 percent of global revenue, whichever is higher.
Stratford says examples of Inland Northwest companies and organizations that might be affected by GDPR include Gonzaga University, Post Falls-based knife manufacturer Buck Knives Inc., Spokane-based work boot maker White’s Boots Inc., Liberty Lake-based communications networking equipment manufacturing company Amphenol Telect, and Spokane-based manufacturer Pyrotek Inc., which has 60-plus locations in 35 countries.
Jamie Nelson, senior counsel for Pyrotek, says the company has been working to ensure it’s in compliance with the GDPR for almost a year now.
“We retained a team of external experts to help us access where we were under the existing directive, and what we needed to do to comply with the new extension,” she says. “We’ve completed a comprehensive analysis of all our data and processes to assure compliance and are currently still determining whether we need to hire a data protection officer.”
Nelson says the process has required significant time and effort for the company, and though the official deadline for compliance is May, assessments will be ongoing.
“The GDPR has the potential to have significant impact,” she says. “It’s more about creating a cultural awareness of privacy regulations overall and doing our best to ensure Pyrotek is in compliance with those.”
Stratford says the GDPR already has brought renewed focus on limited or weak privacy regulations and policies here in the U.S., and she’s hopeful it will result in more companies here taking a closer look their data protection practices.
“I believe we should have a right to our personal data, and I am cynical about the cavalier nature in which some, not all, U.S. companies treat that privilege and responsibility,” she says.
The European Commission says personal data can be any information relating to an individual’s private, professional, or public life, including their name, a home or email address, photo, banking details, social networking posts, or computer IP address.
“Here in the U.S., we have a very different attitude toward data privacy,” she says. “We have constitutional rights, and security and privacy regulations like HIPAA (Health Insurance Portability and Accountability Act) for health care, but laws regarding individual’s right to data and privacy have been a bit slower to catch on.”
Stratford says GDPR is the EU’s answer to helping secure the right of privacy for its residents.
“The 28 countries that make up the European Union include some 512 million people, which is a large block of the democratic world,” she says. “In developing this rule, the EU is stepping things up, trying to create a new global standard.”
For most companies, Stratford says, securing all that data isn’t a simple, overnight process, which is why the rule has taken two years to go into effect.
“The EU wanted to make sure everyone had time to become compliant,” she says. “The trouble now is that few have looked into how this rule might impact them, which is why we’re working so hard to spread the word before it goes into effect.”
While it may be a bit late for companies to begin preparing for the GDPR, Stratford says there are a couple of things they can start with.
First, she says, companies need to have a 72-hour incident response plan in place. “This plan is essential for quickly responding to a breach,” she says.
Second, she says, companies will need to find out whether they need to hire a date protection officer.
“Smaller companies may not need to hire a DPO, but if you do, you’ll need to know where to look to find an individual who meets the necessary qualifications,” she says.
Stratford says companies also should know what data they have and where it’s stored.
“Many companies and organizations don’t realize they keep more data than they really need, so it is important to only keep data you have permission for and you need,” she says.