Brexit has catapulted the European Union (EU) into the news recently. However, from a security perspective, I think the EU General Data Protection Regulation (GDPR) is more important in terms of the actions organizations may need to take. The European Parliament passed the GDPR in April of this year, and it will become enforceable in May 2018. Once in force, the regulation will require every organization that offers products or services to EU citizens, as well as those handling data of EU citizens, to adhere to a strict set of data privacy and security measures.
The impact of GDPR measures is broader than information security
The impact of these measures is broader than information security, and it may well require significant changes to business processes and systems. If the GDPR applies to your organization, it is likely that your business leaders, privacy experts, and legal professionals are already discussing compliance measures. Security leaders should be included in these discussions to ensure that security is adequately prepared and funded to address the changes to people, process, and technology needed to meet the requirements of the regulation.
Reasons the GDPR is important to security professionals
- Penalties for violations are severe: Under Article 83(5) of the Regulation, serious infringements can result in fines of up to €20M or 4% of the offending company’s global annual revenue, whichever is higher.
- The “personal data” definition has expanded: Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This definition of personal data is important to information security professionals because it covers data that may not seem, at first glance, to qualify as personal. IP addresses, application user IDs, Global Positioning System (GPS) data, cookies, media access control (MAC) addresses, unique mobile device identifiers (UDID), and International Mobile Equipment IDs (IMEI) are some examples.
- “Technical and organisational measures” require adequate general information security controls: The GDPR uses the phrase “technical and organisational measures” 21 times. In essence, the GDPR is asking controllers to employ information security frameworks, which enable professionals to create consistent, repeatable processes and implement controls that are generally accepted by the information security community.
- The jurisdictional reach includes organizations outside of the EU: The GDPR’s jurisdictional reach (called the “territorial scope”) is broad and includes most organizations. Organizations based outside of the EU that offer goods or services to EU data subjects are covered by the regulation.
If you don’t suffer from triskaidekaphobia, I invite you to join Scott Giordano, a data privacy expert, and me for an upcoming webcast on July 27th where we will discuss Thirteen Essential Steps for Meeting the Security Challenges of the New EU General Data Protection Regulation. Scott is an attorney with nearly 20 years of legal, technology and risk management consulting experience. He holds Information Security Systems Professional (CISSP) and Certified Information Privacy Professional (CIPP) certifications. He is an expert on the intersection of law and technology as it applies to e-discovery, information governance, compliance and risk management issues.