EU Data Security: Three Elements of Uncertainty
Companies responsible for complying with the European Union's General Data Protection Regulation (GDPR) have a lot of uncertainty to process. From Brexit to the demise of Safe Harbor and the unfolding Digital Single Market (DSM), questions abound over how to proceed with compliance efforts.
What follows is a breakdown of these developments and a suggestion for the way forward.
First, a bit about GDPR, which will require any company doing business in the EU to more securely collect, store, and use personal information by 2018. Its provisions include:
Mandate to obtain consent: Organisations must get clear, unambiguous consent before collecting or processing an individual's personal data.
Right to be forgotten: Data controllers will be required to delete an individual's personal data upon request, unless there is a legitimate need for the organisation to retain the data.
Notification of data breaches: Data controllers must notify government authorities (and in some cases affected individuals) within 72 hours if personal data is stolen or compromised. However, this notice is not required if the stolen data is protected by persistent data encryption.
Data protection officers: Companies or government agencies that process sensitive personal information will be required to appoint data protection officers, who will be responsible for monitoring compliance with the law.
The requirements are pretty straightforward. But in the face of fast-changing events, it's easy to worry about how current efforts might be undone. Here are the three elephants in the room:
Brexit: The UK's vote in June to break away from the EU has caused what is perhaps the most uncertainty over the future of GDPR compliance efforts. The question is whether a break from the EU means companies doing business in and with Britain are no longer bound by GDPR. Experts say it's far too soon to know the true impact of the Brexit vote. For the short term, nothing changes. There are many legal and procedural hoops that have to play out before the UK is separated from the EU. Long term, there are bigger considerations: Will this vote lead to another Scottish referendum on independence or to the exit of other European countries from the EU? If that happens, then laws like GDPR could undergo significant changes.
Some CSO and infosec legal experts have gone as far as to say GDPR in its current form could be doomed, but it is still too early to start hammering nails in the casket.
The death of Safe Harbor: The October 2015 nullification of the "Safe Harbor" agreement between the European Union and the United States means US companies have a tougher road to GDPR compliance. The Safe Harbor rule allowed firms to transfer massive amounts of data to their servers in the US and streamlined the complicated process companies had to go through in order to comply with European regulations. Thousands of global companies used it, including Google, Amazon, Twitter and Facebook.
The European Court of Justice struck down Safe Harbor in October 2015 out of concern that US authorities would use the personal data stores for mass, indiscriminate surveillance. The decision was in response to revelations made by former National Security Agency contractor Edward Snowden.
The Digital Single Market: On the surface, DSM wouldn't appear to change the things companies must do to achieve compliance with GDPR. But many are still trying to understand what the final shape of DSM will look like, and that adds to the uncertainty that already exists over Brexit and Safe Harbor.
Specifically, a DSM is a system designed to allow for the free flow of people, services and money. People can seamlessly do business online under what the EU calls conditions of fair competition and a high level of consumer protection, regardless of nationality or residence.
The idea of a DSM makes sense. A lot of bureaucracy and laws exist in the member countries of the EU that predate the Internet. Since the older laws don't fit the online world, new businesses often face a nightmarish maze of red tape. The DSM is an attempt to create a system that better fits the 21st Century.
But some worry the plan in its current form will include loopholes government agencies can use to create backdoors into encryption programs, weakening the very protections the EU claims to be creating.
For now, the question is how to proceed in the midst of uncertainty. The best strategy for now is to stay the course where current compliance efforts are concerned.
One thing companies need to remember: No matter what kinds of changes happen to the cyber security laws because of Brexit, Safe Harbor or anything else, compliance is the low bar, anyway.
The data security and privacy measures that must be taken to protect customer information and company reputations are much more aggressive than most regulatory requirements. Comprehensive data-level encryption, for instance, will remain a must regardless of what lawmakers do with GDPR, PCI DSS, or the next big regulation.
The requirements of compliance represent the bare-minimum cost of doing business in the 21st Century. If companies only worry about checking off boxes, they will fail. The number-one concern must be to have security in place to protect customer data and intellectual property.
Regardless of the uncertainties described above, no one is getting off the cybersecurity hook.