May 24, 2018

Here's what you should know about new European Union data security law

Maine, like its New England neighbors, can boast some of the most stringent personal information security laws in the country.

But, unless the state's businesses take additional steps to safeguard their customers' personal information, they could face steep fines if they run afoul of the European Union's even stricter, albeit blandly titled, General Data Protection Regulation after it takes effect on Friday, May 25.

That is because the GDPR applies to E.U. citizens' information regardless of where it is stored, and in a global marketplace it can be difficult (if not impossible) to determine where a customer holds citizenship.

The E.U. law goes beyond Maine's data protection standards in important ways, beginning with how it defines "personal information."

Under the state's rules, it refers to any combination of a resident's first and last name and other identifiable information, such as Social Security and driver's license numbers, credit card information, and other data that can be used to identify an individual. As is the case with most of the region's data protection laws, the formulation was intended to protect against identity theft and other cyber crimes.

In contrast, the E.U. law seeks to broaden protections for consumers' information and their privacy by including location data, online identifiers and characteristics specific to the physical, physiological, genetic, mental, economic, cultural and social identity of an individual under its definition of personal data.

The inclusion of location data, in particular, has substantial implications for companies that rely on GPS coordinates, email, login records, cookies and other "online identifiers" that are tied to a user name.

Another important difference is GDPR's consent requirement. While almost all U.S. data protection rules are lax in this area, the E.U. law takes great pains to ensure all matters involving consent are "specific, informed and unambiguous." For instance, even if an online marketing agency unwittingly gathered data on E.U. citizens with an "opt-out" method, it could be in violation of the law and subject to a penalty.

Similarly, GDPR's so-called "right to be forgotten" provision is not found in any U.S. law. It refers to the principle that, unless there are legal requirements to retain the data, people ought to be able to have their personal information erased. Putting aside the implications this provision has for search engine and social media companies, all organizations that maintain data on E.U. citizens will be required to identify and irrevocably delete personal information upon request.

However, finding encrypted (and unencrypted) data that is often stored across multiple locations for deletion is no small task and, in many cases, requires companies to deploy new technology and hire consultants or additional employees. According to Forbes, GDPR compliance is costing the average Fortune 500 company around $16 million. While big multinationals may be able to absorb the hit, it represents a significant burden for small-to-medium size firms.

It is unlikely that the European Union will hand down potentially bankrupting fines of up to $25 million (or 4% of a violator's annual revenue, whichever is higher) anytime soon, so there is still time to take action.

What it will take to comply

Here are four steps to take:

  • GDPR compliance is a whole enterprise endeavor, requiring close cooperation between IT, security, compliance, legal and privacy departments.
  • An organization's existing data classification scheme must be updated to account for GDPR's definition of "personal data." Many Maine and regional companies continue to use the traditional definition of "personal information identifiers" found in existing state laws.
  • Developing a comprehensive inventory of storage locations for GDPR personal data is essential. (Locations will likely extend well beyond a single company database and include such areas as cloud services and company- and personally-owned laptops.)
  • Businesses should run a "test-of-one" drill that simulates a right-to-be-forgotten request and confirms the information can be irrevocably deleted.

As arduous (and costly) as this process may seem, sooner or later, either U.S. companies will find it untenable to maintain multiple data protection standards or Americans will demand the same kind of safeguards that 500 million E.U. citizens will soon enjoy.

GDPR gives businesses an opportunity to build trust with clients now and offers Congress a good example of what universal data protection legislation should look like in the future.

Erin Benson is security practice director at K logix in Brookline, Mass., with over a decade's experience with data security compliance across New England.
