John Donne said in Meditation XVII that "no man is an island." Each of us is part of the larger whole. Because we are so interwoven and connected, the actions of one can, and do, affect the rest.
Humans typically have a hard time with that concept. We like thinking that we're islands. It's easier to protect yourself if you're an island. No one can tell you what to do on your island. You make the rules there. Your island is a unique little paradise, unmolested by the larger world.
The Island of You is forever pristine, and the only exotic touch is that of the warmest tropical breeze, gently caressing your beaches and rustling your palm fronds from time to time.
We feel the same way about our businesses and organizations. We should be able to do things the way we want. No one should dictate how we store and process information! If we want to dump all our customer data into a publicly shared Dropbox folder, then more power to us! Our islands are secure! Our islands are safe! Our islands shall never be trod upon by an outside influence.
Well, get ready for a shock, 'cause there are sails on the horizon, and the landing party members are carrying muskets.
You see, those sails belong to the EU's new General Data Protection Regulation (GDPR) standard. And the muskets are held by the EU courts. Your little slice of paradise is about to change whether you like it or not.
Now, we're not talking smallpox infestations here or human rights abuses. The point we're making is if you do business on the internet and you've collected PII data from European (and British) customers, you're affected by the new GDPR regulations and have to adhere to them.
What is the GDPR?
The General Data Protection Regulation standard is new European Union legislation that will go into effect on May 25th in Europe (May 24th here in the United States).
The new legislation replaces a previous standard implemented in 1995. The new legislation's goal is to "harmonize" data privacy laws across the European Union and grant individuals a more comprehensive degree of protection.
Businesses and organizations that handle PII data will have to comply with the new standards or face repercussions/criminal charges if cyber attackers steal the PII data on their servers.
PII data consists of any information that can identify someone to a specific degree. Names, addresses, and IP addresses all constitute PII data. The category can expand to include things like genetic data, religion, political views, sexual orientation and more.
The GDPR is closely related to the "Right to be Forgotten" movement. We've written about that previously, and you can find the story here.
What are some examples of the new GDPR rules and regulations?
I'm not going to list everything that's in the standard. There are 99 unique articles. That being said, there are a few interesting tidbits I decided to include below:
Articles 15 and 22 (Data Protection Directive and Automated Individual Decision Making) - Private citizens (and businesses) have the right to question or fight significant decision making based on algorithms or vague policy descriptions. Sort of a "Right to an Explanation" clause (as it has been dubbed by the European media).*
Article 25 (Privacy by Design and by Default) - This statute requires that data protection measures be included in the overall design and development of products and services from day one.
That includes the pseudonymizing of personal data. Using pseudonyms is an efficient way of protecting PII data and, if done correctly, can limit the impact of leaked or stolen information.
The GDPR refers to pseudonymization as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information.
An example of pseudonymization is encryption, which renders the original data unintelligible and the process cannot be reversed without access to the correct decryption key. The GDPR requires that this additional information (such as the decryption key) be kept separately from the pseudonymized data.
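As an added example (not from the original post), the separation the GDPR asks for, shown with keyed hashing (HMAC-SHA256) instead of the encryption mentioned above: the key and the re-identification table are the "additional information", and they live apart from the pseudonymized dataset. The customer records, field names and key are constructed for this example.

```python
import hmac
import hashlib
import secrets

# Fields that directly identify a person and must be pseudonymized.
# Constructed for this example; a real schema would be wider.
IDENTIFYING_FIELDS = ("name", "email", "ip")

def pseudonym(value, key):
    """Deterministic keyed token: same input + same key -> same token,
    so records about one person stay linkable for analysis, but the
    token can neither be computed nor reversed without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()

def pseudonymize(records, key):
    """Return (pseudonymized records, re-identification table).
    The table maps token -> original value and, like the key, is the
    'additional information' that must be stored separately."""
    lookup = {}
    out = []
    for rec in records:
        new = dict(rec)
        for field in IDENTIFYING_FIELDS:
            if field in new:
                tok = pseudonym(new[field], key)
                lookup[tok] = new[field]
                new[field] = tok
        out.append(new)
    return out, lookup

def reidentify(record, lookup):
    """Reverse the pseudonymization using the separately held table."""
    return {f: lookup.get(v, v) if f in IDENTIFYING_FIELDS else v
            for f, v in record.items()}

# Constructed sample dataset (not real people)
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.com", "ip": "203.0.113.7", "plan": "gold"},
    {"name": "Bob Example", "email": "bob@example.com", "ip": "203.0.113.8", "plan": "free"},
    {"name": "Alice Example", "email": "alice@example.com", "ip": "203.0.113.9", "plan": "gold"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # would live in a separate key store
    pseudo, table = pseudonymize(CUSTOMERS, key)
    # Both Alice rows carry the same token, so they remain linkable...
    assert pseudo[0]["name"] == pseudo[2]["name"]
    # ...but without this key the tokens cannot be recomputed.
    assert pseudonym("Alice Example", key) != pseudonym("Alice Example", secrets.token_bytes(32))
    assert reidentify(pseudo[1], table) == CUSTOMERS[1]
```

A leak of the pseudonymized dataset alone exposes plan data but no names, emails or IPs; a leak of the dataset together with the table or key is a leak of personal data, which is why the GDPR wants them held apart.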
Article 35 (Data Protection Impact Assessment) - Risk assessments and mitigations have to be conducted when specific risks occur to the rights and freedoms of data subjects. This is "required, and prior approval of the Data Protection Authorities (DPA) is required for high risks. Data Protection Officers (Articles 37–39) are to ensure compliance within organizations."
Data Protection Officers need to be appointed:
- for all public authorities, except for courts acting in their judicial capacity
- if the core activities of the controller or the processor consist of:
  - processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, or
  - processing on a large scale of special categories of data pursuant to Article 9, and personal data relating to criminal convictions and offenses referred to in Article 10
Under the GDPR, what can businesses and organizations do legally with the information they collect?
If you collect PII data from individuals, the GDPR allows you to process data if:
- The data subject has given consent to the processing of his or her PII data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject before entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
What are the penalties for violating the GDPR?
Some of the following sanctions can be imposed:
- A warning in writing in cases of first and non-intentional non-compliance
- Regular periodic data protection audits
- A fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, where there has been an infringement
- A fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, where there has been an infringement
- The transference of personal data to a recipient in a third country or an international organization
- Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority
How does GDPR affect businesses in the United States?
Does your business do business abroad, specifically in the EU or Great Britain? If the answer's yes, then yes, you're affected by the GDPR, and you have to adhere to the standard if you wish to continue doing business on the other side of the pond.
If you don't do business overseas, then you don't technically have to adhere to the standard, but we recommend you do.
The U.S. has its own PII laws and compliance standards. Those requirements are unique and mostly issued on a state-by-state basis. Federal oversight is lacking, to put it mildly.
The primary goal of the GDPR was to harmonize the multiple data privacy laws spread out amongst the European states. The adoption of the GDPR creates an all-encompassing standard that provides a clear and concise set of rules that are easy to follow and enforceable.
The adoption of GDPR in the United States would be a good thing and would offer the consumers a level of protection not currently available here in the good ol' US of A.
It's time for the United States and the businesses based here to take the initiative and start taking action to protect not only their own skin but the skin of all the people whose PII data they collect and sometimes leak (we're looking right at you, Equifax, you bastards).
So you see, those sails you saw as you sat on the beach, slowly sipping a tropical drink out of a coconut, weren't a harbinger of doom and destruction but a sign pointing towards a brighter, safer future.
Welcome to the larger world, little island. We hope you survive the experience.
Download our FREE GDPR self-assessment if you're interested in learning what you have to do to make your business or organization compliant.
*We here at Security7 Networks are specifically interested in the "Right to an Explanation," as we were recently banned from advertising on Google for no definitive reason, but that's a story for another day or when I'm not still livid with those jamokes in Mountain View.