Balancing act: Ensuring compliance with GDPR and US regulations
The impending GDPR, which goes into effect in a little less than a year from now, will have a significant impact on enterprise cybersecurity and data governance policies and practices well beyond the European Union, in particular on global organizations based in the United States that handle data on EU citizens and residents.
Because of this, American companies with a global reach should take the GDPR seriously and start the process of implementing the necessary technologies, processes and people as soon as possible to ensure they are ready to comply with the law once it goes into effect on May 25, 2018. They must also make sure that this potentially monumental task doesn’t take away from efforts focused on ensuring compliance with their own stateside regulations.
Under GDPR, many types of personally identifiable information (PII) will be protected, such as banking information, health records and government identity records, as well as any data that can be tied back to a data subject, such as geolocation data from a cell phone, a home address or data from a medical device. Organizations will need to gain a complete picture of all data that is collected, stored or processed. After that, companies must ensure that adequate means of protecting that data have been implemented: access restricted to authorized personnel, proper authentication, proper procedures for backing up and archiving data, and data retention and destruction policies. In addition, any third parties that have access to the data must be evaluated to ensure they too have adequate controls in place.
GDPR also imposes demanding breach notification requirements modeled loosely on U.S. breach notification laws. The biggest difference is a new, shortened 72-hour time frame, which promises to be a major challenge for many organizations.
The US, of course, does not have an overarching data protection law. Data protection measures are buried within numerous laws and regulations. Breach notification, for instance, is not mandated by federal law. Instead, it comes down to numerous state laws, with California and Massachusetts having the most stringent requirements (both states are also home to some of the largest technology companies in the world).
Organizations based in the US that hold data on European customers now have the daunting task of keeping track of each US regulation, while ensuring that they become one hundred percent compliant with GDPR. Given the numerous new requirements mentioned above, it’s enough to make any seasoned IT or data governance professional dizzy. So how do you balance it successfully?
The good news is that GDPR’s requirements for data protection are in line with most regulations in the U.S. For example, there is nothing in the NIST Cybersecurity Framework that conflicts with the data protection practices required by GDPR.
These organizations should not treat Americans’ and Europeans’ data in different ways. Doing so would mean purchasing separate storage systems for EU customers and putting different policies and enforcement structures in place to achieve two separate compliance goals. Keep in mind that U.S. courts rely on case law, which often establishes a best or common practice standard. If EU data were better protected than U.S. data, that would create potential liability in civil courts.
The best solution is to create a unified compliance regime that accommodates both arenas. Since GDPR is more extensive than U.S. requirements, this will entail increased information lifecycle management (ILM) efforts. Through an in-depth ILM approach, organizations can better manage the immense amounts of data and metadata collected through an information system, tracking it from creation and initial storage to the point when it is no longer needed and is destroyed, while also providing specific criteria for managing data storage.
When ILM is implemented, there will be automated processes to classify data into tiers according to policies. This will enable companies to automate the migration of data from one tier to another based on the criteria within the policies.
Once information is collected, the decision must be made to keep only data that has been explicitly asked for. All other data, such as timestamps and geolocation, will likely be classified as PII under GDPR. During storage and long-term archiving, care should be taken to understand where it all resides: is it moved to a third party? Who has access to it? Are there backups? Knowing the answers to these questions will go a long way toward remaining compliant with all necessary regulations.
At the end of the day, an organization’s CEO and Board of Directors are ultimately responsible for GDPR compliance and for ensuring that practices are balanced with all other cybersecurity and data privacy regulations that apply depending on location and industry. This can be accomplished through effective, smart delegation, including hiring the right team and providing them with the resources they need to succeed. If not done properly, global organizations will leave themselves exposed to huge fines and other consequences.
This is no small task, but the countdown is on – May 25, 2018 will be here before we know it.