U.S. Businesses Need to Prepare Now to Align with EU Privacy Law
By Holly Dragoo
2016 was a year filled with legislative attempts to redefine how businesses manage and protect customer data. Businesses looking to do more commerce overseas need to prepare now for significant changes under one of the most sweeping pieces of policy passed in 2016—the General Data Protection Regulation (GDPR).
Passed by the European Commission in early 2016 and set to take effect in 2018, the GDPR intends to “give citizens back the control of their personal data” and to unify the European regulatory environment on data privacy for international commerce. Now is the time, as businesses review annual 2017 financial plans and operations, to consider the cybersecurity consequences of not preparing for GDPR.
Any entity holding or using European citizens’ personal data collected online or offline, inside and outside of Europe, will be affected.
Businesses will of course vary in their needs for getting GDPR-ready, but the universally important step is to make allowances now for the substantial time and labor investments needed to lay the groundwork. Tasks to consider early in 2017 include:
1. Educating staff across all functions of the business about what GDPR means. For example, this education may include how finance or marketing shares data with third-party vendors or suppliers.
2. Designating a data privacy officer or someone responsible for compliance. GDPR does not mandate these except for companies that perform “systematic monitoring of data subjects on a large scale.” If possible, smaller companies may also want to designate someone in this role as a best practice.
3. Documenting inventory assets and infrastructure (especially where, and exactly what kind of, personal information is stored). Be mindful of definitions. The GDPR now characterizes personal information as anything “relating to” an individual.
4. Documenting what specific legal basis there is for collecting and retaining that data.
5. Implementing mandatory privacy policies and consent-to-collect-data notices. Any updates need to be communicated to customers.
6. Determining if a Data Protection Impact Assessment (DPIA) is needed. These are notifications to users stating how data is handled prior to gaining their consent. Currently, DPIAs are not required under GDPR, but having them indicates the company has been proactive and transparent in its data management and security strategies.
7. Developing standard responses for when customers request that data be deleted or records sent to them. Customer rights set by GDPR include the “right to be forgotten” and an elimination of fees for record requests.
8. Reviewing data breach response and reporting plans. Guidance on how the GDPR will change reporting regulations is not yet clear but forthcoming.
9. Incorporating revised data protection standards into contracts with vendors or partners. The GDPR now holds data processing organizations directly responsible for the safety of client data, which will likely translate into higher costs for taking on more risk.
Forecasting for the year ahead is always an exercise in “wish list management” and requirement coverage, and there is no magic formula for absorbing risk. With the countdown to GDPR implementation already begun, it’s best to embrace the change early in order to spread costs evenly and not push these tasks into a compressed timeframe. That’s when mistakes happen.
Holly Dragoo is a research associate with the Cyber Technology & Information Security Laboratory at the Georgia Tech Research Institute. Her previous work with the U.S. Department of Defense and Federal Bureau of Investigation gives her a unique understanding of intelligence community requirements. Dragoo’s research interests include cybersecurity policy issues, threat attribution, metadata analysis, and adversarial network reconstruction.
The NTSC partners with the Georgia Tech Institute for Information Security and Privacy to share regular blog posts and articles from some of the nation’s foremost cybersecurity experts.