May 25, 2018 is General Data Protection Regulation day, which means organizations around the world holding data about EU persons have just one year to go before they must become GDPR compliant or face fines that can go as high as 4% of annual turnover — or 20 million euros, whichever is greater.
GDPR compliance means companies will be able to identify GDPR-protected data — personal data relating to an identifiable EU person — and protect that personal information to prevent it from unauthorized disclosures, offering GDPR-protected people the ability to verify and control their own data, and protect their “right to be forgotten” under the privacy regulation.
Gary Southwell, general manager at CSPi, a network and IT security company based in Lowell, Mass., spoke with SearchSecurity about the challenges of GDPR compliance as companies around the world are waking up to the need to become GDPR compliant in the last year before enforcement of the new privacy regulation begins. See the first part of this Q&A here.
This interview has been edited for length and clarity.
Companies have just a year to become GDPR compliant. What steps should they be taking?
Gary Southwell: That’s not a lot of time, so they’ve got to ask, are they doing business in the EU countries formally? If I am, then I have to get very serious about this. If I’m doing it informally, I should at least make myself aware as to what are the possible ramifications. I may get inquiries from the EU asking me to respond so I’d better, at least, be knowledgeable so I have a good response back and say, ‘No, I’m not a registered company. I don’t do business in the EU.’ You want to have that so you can deal with that.
But if you are doing business formally in the EU when you register to sell products or services to any of the countries or the U.K., I think you need to follow what the directive is saying. You really should assign somebody to be the point person within your organization that can then be that interaction with those authorities in those countries. You really need to establish that so you have that relationship.
And then you start to look at how the rules will impact you, especially around the 72-hours notification. How would I do that? I should have the ability to figure out who to notify in those countries. And then go through the processes so I know when that triggers and then what do I have to do to be in compliance.
So that person that you identify, they are the data privacy officer?
Southwell: Data privacy officers are mandated but only for people that do significant processing of records. If you’re doing business but only collect a couple hundred records a month for EU citizens, that’s not the same thing as a credit card data processor who’s doing hundreds a second. They absolutely must have a data privacy officer, and that is what they must focus on. There’s kind of that delineation in the rules.
You must have someone who wears that hat and acts as the data privacy officer liaison, if you will, to make sure that if you do have these issues, you know how to deal with it. You may not be forced as a company to have this formal position, though.
There’s a lot of work involved in identifying and tracking data so an organization is GDPR compliant, and maintains GDPR compliance. Can you hire someone to do it for you?
Southwell: I can find nothing in there that says you can’t do that. And a lot of people and a lot of firms are gearing up to help people do that.[To be GDPR compliant] I need to make sure I keep track of where this data is. And then the other side of the law is that there’s data portability and there’s the right to be forgotten. And so I need to make sure I can actually figure out where these records reside and then manage them: allow them to be moved, allow them to be wiped clean from my systems. So I don’t see there’s any reason you can’t apply additional resources outside of your own organization to do that.
You do have to make sure the records are protected, so you might not want to move those records to some third party. There may be some liability there because you have to make sure that they actually are compliant with GDPR. That’s where I wonder a little bit if there might be some legal worries — how do you make sure that they’ve actually done everything to be compliant? And have they made sure that you’re legally covered and indemnified you if they fall short? That’s where it gets a little interesting.
How about GDPR in the cloud? If all your data is kept in-house, on premises, that’s one thing — but if you’re using the cloud, it seems to multiply the problem.
Gary Southwellgeneral manager, CSPi
Southwell: It does. I use Amazon as an example or Azure. That’s basically using it as an extension of my data center and spinning up VMs or instances so I can do work and then turn them down. But I’m still totally responsible for managing all that data. But I look at their services, what they’re capable of doing, and they really can’t help much. So you have to still manage all that.
And then the other part is you’ve got to track the data. I’m using data there. Where did it go? Where am I storing it? Where am I backing it up? I’ve just been using that for additional processing power and the data always lives in my data center and always comes back and forth, and it’s still in my data center and then I back up. But if I back up from Amazon to stores there, I’m responsible for making sure I know where those stores are and making sure that I pull them down if I’m removing that data when asked to remove the data.
How about cloud applications? We’ve heard that there are 1,000 or more cloud apps running in the average enterprise.
Southwell: Right. So there is where it gets interesting, because you can see it. We use Salesforce, we have all our customer records there and if any of that is personally identifiable information, that counts [for GDPR compliance]. And Salesforce really isn’t liable for that. They’re saying, “You’re responsible for whatever records you put here. We’re not going to hold the bag here.” They may provide you with some applications that help you trace data that looks like personally identifiable information, for you to administer yourself, but they’re not going to help you — you are totally responsible for that.
And if you’re doing multiple apps and they’re pulling information, this is where it gets very, very complicated to deal with and to manage. If someone asks to be forgotten, I’ve got to figure out all those apps that are using this data and where are they storing the data and how do I make sure that I’ve cleansed those, and where there are any backups as well.
So are the cloud application providers starting to respond? Microsoft did seem to be offering something.
Southwell: Microsoft is the first I’ve heard to actually come out and make a proclamation that ‘we’ll help.’ But they were very vague; [they’re] not going to offer you a professional service that’ll help you. They didn’t say that [they’ll] help you if you give them access as an administrator to go through your data and look at it for you. I don’t think they wanted to say that because you hold liability now. Most of these guys are going to be careful as to what they say, because they don’t want to open themselves up for liability.
What else should people be asking about GDPR compliance now that enforcement is imminent?
Southwell: They should be asking ‘if GDPR applies to me, what impact does this have on my other compliance reporting issues?’ Because, like I said at the beginning, this can be the first domino that falls and then it triggers other things that you would now have to do if you’re under these other forms of compliance.
Then, they should ask, ‘Do I have insurance?’ If they do have [cybersecurity] insurance, the insurance rules are tightening. The actuaries are figuring out these things have higher impact than we originally thought — we’re seeing the average breach around $3.5 million. If that’s really the case, then these insurance policies are going to get very expensive. They’re starting to tighten down the rules to make sure that you’ve done a good job of protecting the data in the first place, that you’ve got a process in place, and then, there’s a timeline where you have to do all of these things within a certain period if they’re going to pay.
So now you’ve got to start to look at that and ask if GDPR triggers something that requires you to make sure you can meet the rest of the terms of either your other compliance or your insurance policy so that you are covered. You’ve got to take it seriously to put the process in place in advance before something happens, otherwise you could be facing fines and may not have any insurance to cover it.
Will there be a panic on May 24 next year?
Southwell: I don’t think so, because it’s not like you’re going to get fined on May 25. I think people will get their act together. I don’t think there’ll be a panic. I do think there’s going to be a big groundswell of interest around what GDPR does. I’m thinking like a U.S. citizen right now, so if I’m over in the EU, I do think it’s going to be a whole lot more interesting there for those people because it’ll start to bubble up and people will start to get interactive with their individual countries and ask, ‘How are we actually going to implement this?’ Because it’s really left to the countries to enforce, hence implement.
I think that’s where the interesting part is going to come. Is Germany going to be different from France? Is France going to be different from Belgium? If I’ve got 28 different sets of entities, how am I going to deal with this? I won’t call it a panic. You might lose some nights of sleep, though.