Tim Critchley is CEO of Semafone.
If your company operates outside the European Union, you may not have paid the EU General Data Protection Regulation (EU GDPR) much attention. That is about to change, as security professionals across the globe need to start paying heed to these new European data protection requirements.
At Semafone our global headquarters are in the U.K., so we’ve been keeping a watchful eye on the development of the EU GDPR. We are not only considering the specific ramifications of these requirements more closely, but are also thinking about regulatory requirements, global security frameworks and international business standards in a different way than ever before.
The EU GDPR was developed with the aim of creating a consistent data protection framework across the EU. The goal is to simplify business rules for companies and better protect citizens’ personal data in the digital age. Indeed, more than 90 percent of Europeans say they want the same data protection rights across the EU, regardless of where their data is processed. Many organizations outside the EU, however, are unaware that the GDPR may also apply to them.
While it was first being developed, many thought of the GDPR as simply another regional requirement. There was a degree of isolationist thinking among organizations that assumed the legislation would not apply to them because they did not conduct business in the EU. That is simply not the case: the GDPR applies to any business that holds data about, or markets to, individuals within the EU. Now that organizations are beginning to understand that the requirements attach to EU citizens wherever they may work, we have found that the GDPR increasingly plays into our conversations with our enterprise customers in the United States, Canada and elsewhere.
Furthermore, with the Brexit vote in the rear-view mirror, enterprises based in the U.K., like ours, will need to adjust their thinking and operations. To be part of a global economy, U.K. businesses will need access to data. And if we want to access that data from the EU, we will need to adhere to the GDPR and be able to demonstrate compliance. Businesses that do not comply with the GDPR face fines as high as 4 percent of the company’s annual global revenue. Because the protections afforded by the GDPR follow EU citizens wherever they may reside, it is, in many ways, one of the very first truly international data protection frameworks.
Layers of Local Requirements and Self-Regulation
If you think about it, the alphabet soup of big regulations that businesses currently pay attention to generally stops at the borders of the originating country. For example, NIST, HIPAA and GLBA apply only in the U.S., and the Canadian Privacy Commission’s recommendations are limited to Canada. In addition, state and provincial laws promoting data security and privacy are often layered on top of any national requirements, further complicating the issue. For example, 48 of the 50 U.S. states have breach notification laws of some type, but they aren’t standardized. In practice, this means that an enterprise operating in Peoria, Arizona, will have different obligations than one located and operating in Tupelo, Mississippi.
Other initiatives have attempted to become unified, international frameworks or standards, with varying degrees of success. The International Organization for Standardization evolves and updates certain industrial and commercial standards; however, these tend to exist more in the name of creating shared expectations – a level playing field across geographies and countries. Their requirements for certification are often technology-based, measurement-based, or confined to specific technology use cases. The most important difference from the GDPR is that ISO standards are voluntary – not required. The GDPR is mandatory, and it carries penalties for non-compliance, including the right for EU citizens to sue as a class.
In fact, the more we explore, the more we realize that frameworks or standards in broad, day-to-day enterprise use are few and far between. I would suggest that the closest thing to a truly global enterprise security requirement would be the Payment Card Industry standards, including the Payment Card Industry Data Security Standard (PCI DSS). However, PCI DSS isn’t in the same league as the GDPR because, while one could argue that it includes a bit of the stick in addition to the carrot (i.e. penalties for non-compliance), it is a self-regulated industry standard. It isn’t a law (the law of the land is another matter entirely).
All of these have created an operational nightmare for large enterprises. Not only have they increased complexity, but they have also potentially increased the likelihood of a severe data security incident. That’s because, in order to cope with the regulations, enterprises may adopt compliance programs aimed at simply checking the box for each individual requirement. Businesses check one box and then move on to the requirements of another standard, and the system changes designed to meet that second standard can create a security issue with the first. Some would suggest that Governance, Risk Management and Compliance (GRC) software is the answer to this conundrum: it sets a measurable threshold for each requirement and then guides the steps needed to meet those the business has not yet achieved. While this will prevent you from pulling the chair out from under one guest to seat another, the consolidated requirements are not published as a unified collection.
One Framework to Rule Them All?
Is there a single international process that could be put in place and evolved to meet ALL data security and privacy needs? Can a framework be developed that has a balance of advocacy for all parties, which incentivizes participation while also penalizing non-compliance (at a valid and appropriate level)? Is it possible to pursue a single, landmark process, outlined to simplify the regulatory environment for international business by unifying regulation?
Because of the unique qualities of the GDPR outlined above, I would suggest that this is exactly where we are headed with the rollout and adoption of the regulation. It is a positive move to define a very specific goal for data privacy for all global citizens, while also standardizing the processes and requirements businesses need to meet that objective.
I am the first to admit that it isn’t perfect, but the GDPR does start to create a new international guide for data security, and one that we, as security professionals, should embrace. While it won’t come into effect until May 2018, companies should start preparing now. The GDPR really could be the toolkit that helps businesses align to ensure that the sensitive data of those most important to our businesses – our customers and employees – remains stringently protected in a uniform manner, wherever it may reside.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.