‘State Of The Union’: EU Reg. GDPR Set To Revamp Data Privacy
Legal Expert Reviews Organizational Impact
May 25. It’s the day global organizations have had marked off on their calendars for two years. The question is: Are these enterprises ready for the European Union’s (EU) most sweeping data privacy regulation in decades?
The General Data Protection Regulation (GDPR) is upon us.
Because it does not need enabling legislation, it becomes directly applicable on May 25. Some of the regulation’s highlights include privacy by design, the right to be forgotten and fines for noncompliance of up to 4% of yearly turnover. Suffice it to say, GDPR is poised to revolutionize data privacy in and around the EU. It will also likely have pervasive effects on U.S. companies, especially those that handle EU citizen data.
With the rollout so near, we spoke with cyber security legal expert, Jamal Hartenstein, for his take on the regulation. The remainder of this “State of the Union” piece will zero in on GDPR’s scope, corporate response, certification and projections.
Built into GDPR is the Record of Processing Activities (RoPA, Article 30), which helps organizations avoid being an easy target for regulators and helps raise awareness. Hartenstein said organizations should have documentation on data flow, Data Protection Officer (DPO) appointment, types of personal data and protection methods.
Can U.S. companies reduce their risk exposure? The cyber expert and Cyber Security Hub Editorial Advisory Board (EAB) member said, “If a U.S. company can unequivocally and consistently keep EU personal data identifiers out of their clouds and off their on-prem fabric, then compliance exposure is mitigated.”
To track performance and gauge compliance levels, organizations can track various metrics and undergo periodic reevaluations, third-party assessments and internal audits.
Hartenstein told the Cyber Security Hub that “third parties must also provide ‘adequate assurances’ of (data) protection.”
He added: “Controllers of EU personal data can become liable for the conduct of a party simply processing it temporarily.”
Outside of the security team, the cyber legal expert also said that data processing/analysis, partner companies and vendors need to be aware of the “new expectations” set forth by GDPR. To put that into perspective, GDPR states that security should be baked into various controls and operations from the development stage (privacy by design).
Global organizations must truly understand the scope of the regulation, Hartenstein urged, because even if data processing is outsourced, Business Associate Agreements (BAA) “are no longer enough.”
Hartenstein told the Cyber Security Hub that there will be “no massive fleet of officials that will storm buildings on May 25” demanding GDPR compliance. He called this reality an “honor-based” system, which could intensify upon an assessment/audit, legal claim or breach.
“Many companies who are not currently compliant might avoid fines while on their way to eventual compliance,” the cyber legal expert said. Nevertheless, there is still an “expectation of compliance,” retroactive to May 25. This is something organizations may have to prove, if necessary.
What’s the true financial hit of GDPR? Larger fines could entail 4% of annual worldwide revenue. Hartenstein predicts that large enterprises with EU citizen data will likely be prepared for the regulation. It could be a different story for smaller enterprises or large U.S. companies which process small amounts of EU personal data. It’s there, Hartenstein said, “where bullet-biting and concerns over fines are being deliberated.”
The regulation, it seems, will have residual effects on American consumers. Hartenstein explained: “U.S. consumers whose personal data does fall under GDPR protection may consequently experience improved data protection regulation. But, for example, U.S. consumers should not expect to receive all the benefits of GDPR, such as the right to rectification or erasure…”
Will U.S. businesses with ties to Europe abandon business there? Hartenstein doesn’t think so. “I would be surprised if large U.S. enterprises who process small amounts of EU data decide to terminate business (there),” he said.
Right now, the immediate impact is still largely a guessing game. The CSHub EAB member added that once more details come forth on the cost and maintenance of compliance, a more precise view of global business will emerge.
Another timely GDPR topic surrounds the concept of certification. That is, can enterprises earn a pass-fail score on their compliance level(s)?
Hartenstein called the European Union Agency for Network and Information Security (ENISA) “an authority on certification frameworks regarding compliance with GDPR.” But accreditation is key, as pointed out by Article 43 of GDPR. One must consult the National Accreditation Authority (NAB) of their respective member state.
“There is no certificate from a regulatory body that you earn that you can flash during audits/inspections or use to advertise unequivocal compliance with law,” Hartenstein countered. “Instead, you can have ENISA (or their competitors) certify that you conform to a framework derived from GDPR law.”
The consultation could add value and serve to show periodic measurements of compliance.
What Lies Ahead?
While it’s tough to predict the future for data privacy in and around the EU, Hartenstein likened some effects to a smog emission law and a regulation enacted by the New York Department of Financial Services (NYDFS).
California smog emission laws make manufacturers craft vehicles which are clean enough for the state, regardless of where the vehicle is sold. The same sort of adoption could unfold with the data privacy measures enacted by GDPR.
Another example the cyber legal expert draws upon is the NYDFS regulation requiring covered entities to have a cyber security program. The effect could be quite widespread.
What it could come down to, however, is “reading the laws and consulting with an attorney,” Hartenstein added. Some effects could be immediate, while others could impact strategic plans for activity in EU countries.
What’s more, the EAB member said that “GDPR will likely create stronger influence for the U.S. federal government to attempt to address the patchwork of cyber security laws that California and New York have been progressively leading. But we might not see it occur quickly…”
"State of the Union" is a feature on Cyber Security Hub, deconstructing policy news as it relates to the enterprise.