The New Regulatory Terrain for Data Privacy
2018 saw the introduction of The General Data Protection Regulation, or GDPR. A major piece of legislation designed to address the protection and responsible use European Union citizens’ personal data. GDPR is not an EU only regulation; it affects any business or individual handling the data of EU citizens, regardless of where that business or individual is based. The sanctions for non-compliance are stiff: Up to €20 million (approximately $24 Million USD) or 4 percent of annual global turnover, whichever is greater.
According to Bart Willemsen, research director at Gartner – “GDPR will affect not only EU-based organizations but many data controllers and processors (entities that decide what processing is to be performed and/or carry out that processing) outside the EU as well. Threats of hefty fines, as well as the increasingly empowered position of individual data subjects in controlling the use of their personal data, tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data.”
Since May 2018 when GDPR went into effect, there have been nearly 60,000 breaches reported to European data protection regulators. In a recently published report, the global law firm DLA Piper details that the greatest number of breaches occurred from the Netherlands, Germany and the UK respectively. One such incident in Germany where a company was fined €80,000 by the German data protection authority (LfDI Baden-Württemberg) for publishing health data on the internet. Another fine of €20,000 by the same Germany authority was levied towards a company for failing to properly hash employee password resulting in a security breach. The highest GDPR fine to date was for €50 million by the French data protection authority CNIL made against Google in relation to the processing of personal data for advertising purposes. Many organizations are playing it safe and proactively reporting even the smallest of incidents instead of sweeping them under the rug. Although up to this point the majority of fines have been relatively low.
The GDPR is similar in some ways to PCI DSS in that it aims for a comprehensive approach to data protection that goes well beyond technical controls. Even though the individual GDPR requirements aren’t as prescriptive, its security objectives are the same as PCI DSS: to protect, secure and track use of specific types of data. Compliance with its (PCI DSS) requirements requires both implementing security best practices and modifying human behavior to comply with best practices, including timely analysis of suspected breach activity.
In 2018, California also adopted the California Consumer Privacy Act (CCPA). Like GDPR, CCPA focuses on protecting the information of a natural person who can be identified. These regulations require that businesses adopt organization-wide security measures appropriate to protect collected consumer data. We will be seeing more compliance regulations with regards to consumer data protection at all levels in the near future. These will be at the regional, state, federal or international level. Individual countries have already begun to adopt their own data regulation standards. The key again is implementing security best practices to ensure compliance.
The regulatory terrain is rough and evolving faster than it ever has and those responsible for compliance will need trusted tools and processes to keep up with the new standards. There will be a paradigm shift in 2019 with the way data is shared and used and organizations and regulators will become accustomed to the new norm. The pendulum will continue to swing from right to left as we gain clarity on what can and cannot be done with data, how it can be stored and how it can be used. In the meantime, this is the opportunity for organizations to get their houses in order by reviewing assets, evaluating processes and establishing security baselines that may have been loosely managed up to this point.
Steve Tcherchian, CISSP
Chief Product Officer
For over 35 years, businesses across the globe have relied on XYPRO for their security. Companies that manage and transport business-critical data on a large scale select our security, compliance & database solutions to harden and streamline their HPE NonStop server environments.
Steve Tcherchian, CISSP, PCI-ISA, PCIP is the Chief Product Officer and Chief Information Security Officer for XYPRO Technology. Steve is a Member of the Forbes Technology Council, on the NonStop Under 40 executive board and part of the ANSI X9 Security Standards Committee. With over 20 years in the cybersecurity field, Steve is responsible for strategy and innovation of XYPRO’s security product line as well as overseeing XYPRO’s risk, compliance and security to ensure the best experience to customers in the Mission-Critical computing marketplace.
Steve is an engaging and dynamic speaker who regularly presents on cybersecurity topics at conferences around the world.