Data Privacy in the Age of GDPR
Almost one year ago, on May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect. GDPR is one of the most comprehensive data privacy frameworks mandated by any government to date, and has forced a fundamental shift in the way organizations collect, store, and process personal data. The fines are steep, and compliance is not trivial. On this one year anniversary of GDPR, let’s take a look at how this mandate has changed the cybersecurity landscape.
General Data Protection Regulation (GDPR)
GDPR places strict requirements on any personally identifiable information (PII) collected or stored about EU residents. The definition of PII is very expansive and affects all forms of data, from website analytics to marketing databases, to customer relationship management databases.
If you have offices or customers in the EU, the impact is more obvious. However, it also impacts you if your US-based employees travel to EU countries and access your systems from there. For the purpose of compliance, EU residents refer to anybody physically located in the EU, including visitors and non-citizens. Conversely, EU residents lose GDPR protections if they travel outside the EU countries, but more on this later.
GDPR fines for non-compliance are steep – up to €20 million, or up to 4% of worldwide annual revenue. According to a report from the law firm DLA Piper, fines have been imposed over 91 times in the period between May 2018 and January 2019. The largest fine was €50 million imposed by French regulators against Google – for improper use of personal data for advertising purposes.
GDPR compliance requires a significant audit and overhaul of all your software systems that process any personally identifiable data. With the rise of software-as-a-service (SaaS) applications such as Office 365, G Suite, Salesforce etc., this poses an additional layer of complexity.
Organizations are required to have a Data Processing Agreement (DPA) with all third parties that handle their PII, which would include most SaaS vendors. If the vendor is unable to comply, this may require a change in vendors, which involves more resources and complexity. This requires funding and buy-in at the highest levels of an organization. And all of this covers just the known knowns.
One of the more vexing challenges of GDPR is Accidental Data Disclosure (ADD). Let’s say you secure all your known systems and achieve compliance. An employee then forwards a customer email containing PII to another department using an authorized GDPR-compliant email system. However, instead of sending it to firstname.lastname@example.org, they send it to email@example.com, who is an entirely different person outside the organization.
If that customer was from the EU, this counts as a data breach under GDPR rules, and must be disclosed to authorities within 72 hours. However, as the Data Protection Officer (DPO), how do you even know this happened? The employee is unlikely to report this out of embarrassment. And GDPR does not give you a break for accidental data breaches.
A similar issue could arise using popular cloud collaboration tools like Google Drive, Box or Dropbox. The biggest challenge for DPOs and Chief Information Security Officers (CISOs) is to be able to detect these accidental disclosures so that they are not in breach of compliance and liable for fines. Even better, they need a way to prevent accidental sharing or recall disclosed data.
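The detection problem described above (PII in an outbound message going to a look-alike or external address) can be illustrated with a small outbound-mail check. The following is an added example written for this page; it is not Armorblox code and does not describe how the Armorblox product works. The organisation domain, internal directory, PII patterns and sample messages are all constructed assumptions, and the regex-based PII matching is a deliberately simple stand-in for the NLU-based analysis the post refers to.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed assumptions: the organisation's mail domain and a tiny internal
# directory. A real deployment would pull both from the mail/identity system.
ORG_DOMAIN = "example.org"
INTERNAL_DIRECTORY = {
    "firstname.lastname@example.org",
    "dpo@example.org",
}

# Simple pattern-based PII detectors (constructed). A production DLP or NLU
# engine covers many more data types and uses context, not just regexes.
PII_PATTERNS = {
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}\b"),
    "date_of_birth": re.compile(
        r"\b(?:date of birth|DOB)\b[:\s]*\d{1,2}[./-]\d{1,2}[./-]\d{2,4}", re.I),
}


@dataclass
class Message:
    sender: str
    recipients: list
    body: str


@dataclass
class Finding:
    recipient: str
    reason: str        # why this recipient is risky
    pii_types: list    # which PII types appeared in the body


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typo-squatted look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_pii(text: str) -> list:
    """Return the names of the PII types detected in the text."""
    return [name for name, rx in PII_PATTERNS.items() if rx.search(text)]


def _registrable_name(domain: str) -> str:
    # "example.com" -> "example"; crude, but enough for this illustration
    return domain.rsplit(".", 1)[0]


def classify_recipient(addr: str) -> Optional[str]:
    """None for an internal recipient, otherwise a short reason it is risky."""
    addr = addr.lower()
    if addr in INTERNAL_DIRECTORY:
        return None
    local, _, domain = addr.partition("@")
    if domain == ORG_DOMAIN:
        return None  # own domain, simply not in the small directory above
    # Same name under another TLD (example.com vs example.org), or a
    # one/two-character typo of the org domain: the classic misdirected forward.
    if (_registrable_name(domain) == _registrable_name(ORG_DOMAIN)
            or levenshtein(domain, ORG_DOMAIN) <= 2):
        return "look-alike domain"
    # A colleague's name at an unrelated external domain is also suspicious.
    for internal in INTERNAL_DIRECTORY:
        if local == internal.split("@")[0]:
            return "internal name at external domain"
    return "external recipient"


def assess(msg: Message) -> list:
    """Flag every external or look-alike recipient when the body carries PII."""
    pii = find_pii(msg.body)
    if not pii:
        return []  # nothing personal in the message; sharing is not a disclosure
    return [Finding(r, reason, pii)
            for r in msg.recipients
            if (reason := classify_recipient(r))]


# Constructed sample: a forwarded customer e-mail carrying three kinds of PII.
SAMPLE_BODY = """Forwarding the customer's request.
From: jane.doe@customer-mail.example
Date of birth: 12/03/1985
Customer IBAN: DE89 3704 0044 0532 0130 00"""

if __name__ == "__main__":
    for rcpt in ["firstname.lastname@example.org", "email@example.com"]:
        msg = Message("alice@example.org", [rcpt], SAMPLE_BODY)
        print(rcpt, "->", assess(msg) or "OK (internal recipient)")
```

In the misdirected-forward case from the post, the message to `email@example.com` is flagged as PII going to a look-alike domain, while the identical message to the intended colleague at `example.org` passes. A check like this sits at the mail gateway and gives the DPO the signal the post says is otherwise missing; it could block, warn the sender, or simply log the event so the 72-hour clock at least starts from a known time.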
Privacy Regulations Worldwide
Popular opinion is definitely swinging toward stronger data privacy with all the current press about social media platforms and election interference. GDPR compliance has taken many of the excuses off the table and proven that privacy does not have to be a tradeoff. Emboldened by this, many jurisdictions around the world are enacting data privacy regulations of their own.
California recently passed the California Consumer Privacy Act (CCPA), which takes effect in January 2020. Brazil has approved a General Data Protection Law, while legislatures in India, Switzerland, New Zealand and Hong Kong are working to strengthen their data privacy protections. Canada has had a data privacy law (PIPEDA) in force since 2000.
The US currently has no uniform nationwide data privacy law, but many states have passed their own, and calls for a uniform federal statute are growing (Microsoft calls for a US version of GDPR).
Data Privacy is No Longer Optional
One thing that has become clear in the past year is that data privacy is no longer optional. Mishandling or losing personal data can inflict severe brand damage in addition to financial penalties. GDPR has elevated this discussion to the board level, and protecting data is just the right thing to do!
Thousands of businesses around the world have achieved compliance by investing in the appropriate processes and systems. Yet risks remain as collaboration and messaging systems, like Slack, G Suite, Office 365 and Asana, create a porous exterior for organizations. The weakest link in any organization is its people, and according to the 2019 Verizon Data Breach Investigations Report, 96% of all attacks start with email; social engineering continues to deceive even the best of us.
Defending against these threats and accidental disclosures requires a new approach. The vast majority of enterprise communication is textual and Natural Language Understanding (NLU) has evolved to a point where machines can interpret not only the metadata, but also the content and context of human communication. Using the latest advances in deep learning and NLU, Armorblox can analyze enterprise communication to automatically detect threats and prevent accidental data disclosure, providing you the necessary controls to achieve GDPR compliance.
If you’d like to learn more, schedule a demo and we’d be happy to show you how Armorblox can help you achieve regulatory compliance and prevent data breaches.