by Olenka Van Schendel | January 2, 2017
For reasons going back in history, the EU has established itself as pioneer in data protection legislation and 2016 was no exception.
In April 2016, after years of preparation, the new General Data Protection Regulation (GDPR) was adopted to harmonize patchwork directives across EU member states and safeguard the rights of citizens in the digital economy. It comes into effect on May 2018, and being a regulation rather than a directive, will apply regardless of any approbation by individual member states. Its noble goal has been to simplify the task of compliancy and ultimately reduce its cost. But the GDPR comes with a massive sting in its tail. According to a recent global study, what 80% of IT professionals fail to recognize is the international reach of this EU regulation, and the eye-watering penalties of failing to comply.
Whether your organization is based in the US, UK or anywhere else in the world, insufficient provision for protecting EU citizen data runs the risk of fines of up to 20 million EUR or 4% of your turnover worldwide (whichever is higher).
Organizations can amass personal data on EU citizens unwittingly through common techniques such as profiling, loyalty cards, online shopping and the like. The final text of the GDPR even references “monitoring the behavior” of EU residents by tracking their digital activities. The GDPR cannot get much broader, given that nearly every website in the world does exactly that.
So what actually constitutes personal data, and how can you comply? Any data that pertains to a person’s online ids, credit card information, IBANs, any type of banking information, as well as health information, even location data and biometric/genetic data is considered personal. The GDPR requires that you take both organizational and technical precautions to prevent the transfer of data to a non-compliant body, prohibit use outside its intended purpose, and anonymize data where necessary. It also demands notification of a data breach within 72 hours (welcome news in the wake of the Yahoo debacle where it took nearly 2 years to disclose one of the biggest customer security breaches on record). Note to self: why not take a stand against Facebook’s attempt to share Whatsapp user data across its services, in direct contravention of its promise when it bought the app?
What is also new with the GDPR is the notion of “privacy by design and default”. In choosing to include these as key principles, the legislator has acknowledged that privacy cannot be ensured by means of legislation alone, but it must be incorporated in the design and maintenance of information systems. Under Article 25 of the GDPR, a data controller is required to implement protective measures both at the “time of determination of the means for processing, and at the time of the processing itself”. Such measures include data anonymization, pseudonymization or other privacy-enhancing technologies.
You might be forgiven for thinking that as a US or UK-based company who avoids soliciting EU business that data protection is not your problem. But there are many reasons to take it seriously.
Case Study #1 – USA
Take the U.S. for example. Although there is no single, comprehensive federal (national) law regulating the collection and use of personal data, each congressional term brings proposals to standardize laws at a federal level. A mixture of federal and state laws and regulations sometimes overlap, match and contradict one another. In addition, there are many guidelines, developed by governmental agencies and industry groups that do not have the force of law, but are part of self-regulatory guidelines and frameworks that are considered “best practices”. These have accountability and enforcement components that are increasingly being used as a tool for enforcement by regulators.
Yet attitudes to data privacy in the US and EU have historically been considered as polar opposites. EU attitudes towards data privacy, which favor the rights of the individual, contrast with those of the US under the US Patriot Act which favors the rights of the state. So how can we reconcile data privacy and public security in a world where terrorism is striking at the heart of our democracies? Wherever you stand in this debate, the impact of these regulations will be non-negligible.
Some of the most prominent US federal privacy laws include the Federal Trade Commission Act (FTC Act), Financial Services Modernization Act (Gramm-Leach-Bliley Act – GLB), Health Insurance Portability and Accountability Act (HIPAA), Security Breach Notification Rule, Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act, Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. The president-elect has already said that with regard to cyber security, data retention, data transfer and compliance, some of the existing regulations will be changed, potentially even replaced with some new, stricter regulations.
So like it or not, data privacy is a force to be reckoned with in 2017. Compliance with the most stringent GDPR is a safety net in transatlantic business. The old “Safe Harbor” mechanism in the US has now been replaced by the “Privacy Shield”, effective from August 2016 and endorsed by the European Court of Justice. Any US company can self-certify for Privacy Shield to the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield Framework is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under US law. It is said that the new framework will underpin over $250bn of transatlantic trade in digital services annually by facilitating cross-border data transfers with the EU.
Case Study #2 – UK
Yes, but Brexit!
Independently of the Brexit negotiations, UK national laws already apply. Though due for replacement, the UK Data Protection Act 1998 (DPA) currently applies to organisations in the UK that collect, process or store personal information. A failure to comply runs the risk of up to £500,000 in the event of a data breach.
Now the UK’s third generation of data protection law has entered Parliament. The Data Protection Bill was published on 14 September 2017 and aims to modernise data protection laws to ensure they are effective in the years to come.
The new bill includes much harsher penalties than its predecessor. Among the plans laid out in the bill is to give the ICO (Information Commissioner’s Office) the power to fine companies up to £17 million, or 4% of global turnover, in the “most serious data breaches.”
This UK Data Protection Bill is due to come into force this by the end of 2017, ahead of the GDPR which will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
This means organisations will still have to comply with this regulation and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the DP Bill is the details of these. It is therefore important the GDPR and the Bill are read side by side.
Previously referred to as the Great Repeal Bill, the EU Withdrawal Bill will also convert all existing EU laws into UK law, to ensure there are no gaps in legislation on Brexit day.
According to PwC, the new compliance journey will require organisations to map and classify all their personal data; perform risk assessments; design privacy protections into all new business operations and practices; employ dedicated data protection officers; monitor and audit compliance; and document everything they do with data.
Clearly, GDPR compliance will become a major advantage for organisations over rivals.
Case Study #3 – Tech companies and IT departments
One of the fundamental changes with the GDPR is that companies that provide services to other companies – known under the legal term of “data processors” – will also face the same hefty fines, which will affect technology service providers in particular.
An independent survey of large company CIOs showed that 52% of US companies possess data on EU citizens, making them subject to the GDPR. Primary concerns for these companies are the ability to know where customer data is at all times, and proper concealment of customer data used in testing. Interestingly, the vast majority of this customer data actually resides on back-end systems. In this context, test data privacy solutions will place a major role in compliance.
Other key findings from US respondents to this survey include:
- 83 percent use live customer data in test systems when testing applications, because they believe the use of live data ensures reliable testing and accurately represents their production environment
- 83 percent provide customer data to outsourcers for testing purposes and 78 percent agree that outsourcing makes it more difficult to pinpoint instances of customer personally identifiable information (PII)
- 71 percent believe the emergence of mobile technologies is one factor making it more difficult to track customer data as it moves through the enterprise
The adoption of DevOps and agile approaches and their reliance on continuous testing actually increases the criticality of test data protection, as the pace and frequency of software rollout is increased.
With more modern 3-tier applications (particularly mobile) ultimately connecting through the back-end application, test data anonymization tools (such as DOT-Anonymizer, which is both platform and database agnostic) are an effective solution to mask sensitive customer data throughout the application testing process.