Maksim Kabakou - Fotolia

Security Think Tank: All aboard as European data regulation nears final station

What is the role of information security professionals in helping organisations to ensure they are compliant with the EU’s General Data Protection Regulation (GDPR) by 25 May 2018?

Hear that heavy locomotive chugging along? It’s the General Data Protection Regulation (GDPR), a massive 260-page legislative reform, which left the Brussels station in April and will visit every privacy and data security professional in Europe – and indeed, around the globe – over the next couple of years.

When the train reaches its final station on 25 May 2018, the effective date of implementation, it will be too late to make the technical, organisational and legal changes businesses need to adapt. Act now. All aboard.

After more than four years of negotiations, including intense lobbying never before seen in Brussels, with delegates from the US government and a long line of Silicon Valley leaders practically setting up camp near Place du Luxembourg, the GDPR has been written into law.

What does this mean for information governance professionals?

Get management to take notice

First, you should make sure your management is paying attention. In the past, it was an open secret that European data protection law was more noticeable in the books than on the ground. Academics wrote books about it. But with little to show in terms of enforcement, regulators and privacy professionals had a hard time convincing corporate management that data protection requirements were meaningful.

In this respect, GDPR is a game changer. With sanctions aiming for the stars, in some cases up to 4% of global annual revenue – for Walmart, for example, that could mean a fine of up to $20bn – information professionals can finally play with the big boys and girls. 

Be aware that European law crosses borders

Second, you should recognise that the scope of application of the new legislation is broad, some would argue exceedingly so. In contrast to the previous data protection regime, which applied to companies established or using equipment in Europe, the GDPR applies to any entity that is “offering goods or services to” or “monitoring the behaviour of” European citizens. This means that an app or ad network based in the US or Canada, which regularly collects data about EU consumers, will now come under the remit of EU law.

Add that to the 4% sanctions, and you surely see why your company should pay close attention. You would hate to see your CEO arrested at Charles de Gaulle airport as she arrives there to spend a romantic weekend in Paris with her husband, on account of a delinquent data protection fine.

Learn the data protection lingo

Third, you should learn and rehearse your data protection vocabulary. Not knowing how to distinguish between personal data, pseudonymisation and anonymisation, profiling and automated decisions, right to erasure and data portability, data protection impact assessment and accountability, will not bode well on occasion of a data breach or when the data protection regulator comes knocking.

There are less than two years to GDPR implementation. Use them to train, certify and recruit staff and outside assistance to deal with the new framework.

Know that privacy goes beyond security

Fourth, make sure you distinguish between data protection and data security. Too many security professionals think, “we have privacy under control, we use firewalls and encryption”. Right? Wrong. Data protection, or privacy, can go sideways even when security is perfectly intact.

Rather than being concerned with confidentiality, integrity and availability, privacy sets forth policies for legitimate collection, use and disclosure of personal information. Privacy is about the “why”, whereas security is about the “how”. Privacy requires meeting consumers’ expectations, managing your brand and reputation, and behaving ethically in an environment marked by dizzying technological and social change. To be sure, security is part of it; but it is not enough.      

Build data protection into products and services

Fifth, there is a reason it is called “data protection by design and by default”. Constructing a new product or service with data protection requirements in mind will save time, energy and substantial resources on the back end.

Most commonly, the day of reckoning will arrive not when there’s a regulatory incident, but rather when your company decides to go public, to seek funding from venture capitalists or to close a lucrative deal with a corporate suitor. Discovering then that your database of millions of users is “toxic” will put a lid on the coveted “exit”. Repairing the damage in retrospect will be practically impossible, particularly with the bankers looking nervously at their watches thinking about their next transaction.

If you don’t want to be left behind, make sure you address privacy from the start.

The clock has begun ticking on GDPR implementation. Information professionals have a busy two years ahead of them. When this train arrives, make sure your company is on board.

Omer Tene is vice-president of research and education at the International Association of Privacy Professionals (IAPP).

Read more on Privacy and data protection