GDPR “Reach”—Far and Wide
The European Union’s (EU) General Data Protection Regulation (GDPR) is clearly a game-changing event for businesses and governments both in the EU and beyond. GDPR finely balances the right of EU citizens to control their personal data against the responsibilities of organizations to protect that data both in the course of normal operations as well as in the case of data breaches. Significant new EU personal information protections include the right to explicitly approve personal data usage and a “right to be forgotten,” enabling people to demand that an organization purge any personal data about them. It also enacts a requirement that organizations publicly report data breaches impacting EU persons within 72 hours after their discovery.
The EU has made it clear that it will enforce GDPR through fines, sanctions, and injured-party compensation. Potential fines range from as much as €10 million or 2% of the organization’s revenue for minor infractions, to €20 million or 4% of the organization’s revenue for the most serious ones, whichever is higher in each case. Although the EU has no plans to set up a new cybersecurity policing unit, it will respond to personal complaints and monitor how organizations subject to GDPR respond to breaches.
While businesses and governments with a physical presence in the EU will need to abide by GDPR, it may also apply to organizations with significant EU customer or client bases. This would likely be the case for e-commerce-based businesses operating internationally, as well as businesses that serve significant numbers of EU tourists, visitors, or expatriates and capture personally identifiable information (PII). Exposure to GDPR for non-EU based entities can be a complicated legal question that should be referred to lawyers and/or an organization’s compliance team. But if you suspect that your organization might be subject to GDPR, it would be a good idea to do an informal “What if?” review of business processes that involve personal data and also assess the readiness of your organization to meet the 72-hour data breach reporting mandate.
GDPR at the Industry Level
The reality is that most businesses are not ready for GDPR, even though it is less than six months away from going into full effect. A recent survey found that 61% of U.S. businesses have not begun to prepare for GDPR, and 50% of them will not be able to comply with GDPR when it goes live.
While GDPR affects private- and public-sector organizations handling PII, certain industries have heightened exposure, both because of the volumes of PII they handle and because of the nature of their businesses. Industries with high GDPR exposure include:
- Financial services
- Travel, tourism, and hospitality
- Physical and electronic security
- Marketing, advertising, Internet search, and information services
- Media and telecommunications
For the purposes of this blog post, I will not go into detail on each of these industry segments, but rather on just three. The impact of GDPR varies across industries, as the brief discussion below shows.
GDPR can apply to both brick-and-mortar and e-commerce retail businesses. While GDPR exposure of e-commerce businesses needs no explanation, brick-and-mortar businesses serving EU customers can find themselves liable to GDPR PII protections. Paying with a credit or debit card, providing shipping address information, and participating in a customer loyalty program can fall under GDPR protections. That said, retail businesses most likely to curate GDPR-relevant PII data include cross-border e-commerce operations, multi-venue retail chains, or hospitality, travel, and restaurant businesses.
Many retail businesses also receive PII data from third parties such as payment processors, online marketplaces, Internet search engines, contact management applications, email and messaging services, among others. Many of these service providers are reengineering their offerings to reduce retail-related PII data exposure. Retail businesses themselves would be wise to consider how internal business processes could be changed to reduce privacy and exposure risks.
While most businesses are only subject to GDPR if they have a business presence in the EU or use personal data collected in the course of operations performed in EU countries, GDPR extends its coverage to non-EU organizations storing or processing the medical information of EU persons if the organization either 1) offers goods or services to EU persons or 2) monitors behaviors of persons within the EU.
GDPR enacts particularly stringent protections and processes for handling certain kinds of PII medical information. In general, an organization may collect and process personal medical information only if it is necessary for patient treatment and diagnosis, or with the explicit consent of the patient, or where the person is incapable of giving consent. It may also collect and process this information if the data is necessary for occupational health or public health purposes, such as combatting an epidemic. GDPR also mentions genetic data as an area of particular concern.
GDPR does not completely replace any medical data protections enacted by individual EU countries. These can differ, and sometimes even be stricter than the EU-wide GDPR protections. The best advice is to tread very carefully and seek expert legal advice if you have any worries about potential exposure to GDPR health science and medical information protections.
To say that the financial services industry is highly exposed to GDPR requires almost no explanation. Several factors specific to financial services, however, stand out as particularly important risk factors. Financial organizations maintain huge stockpiles of PII data on account holders. They also consume and generate vast quantities of highly personal marketing data to support selling financial services and assessing the creditworthiness of commercial and individual customers. The financial industry is also quite borderless, and it’s hard to imagine any bank, brokerage, credit union, insurance company, payments service provider, customer data service, credit monitoring organization, etc., that does not hold sensitive data on EU persons and organizations.
Furthermore, data breaches, often on an enormous scale, are common in the financial industry. As reported in SC Magazine, IBM X-Force Research documented 1,684 known attacks on financial sector organizations, compromising over 200 million records in 2016. The Equifax data breach revealed in October 2017 compromised personal data of 145 million people, many of whom were unaware that the organization collected information on them in the first place. Although Equifax operates primarily in the U.S., there is little doubt that many EU persons—whether resident, visiting, or engaging in cross-border e-commerce with U.S. firms—had PII data compromised in this breach.
Preparing for GDPR
With GDPR scheduled to come into full effect in May 2018, private- and public-sector organizations across the U.S. have no time to waste in taking action to ensure they are ready to prevent, detect, and remediate data breaches of PII. Organizations will need to focus on two main areas.
First, reconfigure business processes and IT architectures to reduce exposure of PII data. The first step towards this goal involves mapping the sources, processing, communication, and storage of PII data. In short, organizations need to know where data comes from, how it’s used by groups and business processes within the organization, how and where it’s stored and communicated, and what happens to it longer term. Organizations also need to know what it would take to gain explicit customer/client/user permission to collect and use PII, to honor requests to delete PII data, and to individually notify the owner of PII data that it may have been compromised during a breach.
Second, even as organizations re-engineer processes and procedures to reduce usage of PII data, they need to strengthen their security defenses and improve visibility throughout their infrastructure. GDPR’s requirement that organizations report breaches within 72 hours after their discovery is a very tall order, as it requires organizations to report the full impact of a breach to affected parties even as they combat the breach itself. To meet this requirement, threat detection, visibility, and response will need to be substantially improved at most organizations.
Getting Started Toward GDPR Data-Breach Compliance
Tactically, organizations should take the following steps in parallel:
- Engage a third-party firm to conduct an assessment of your data protection practices and exposure to GDPR rules.
- Conduct a thorough data audit to get a clear picture of what personal data you collect or handle in any way, and whose data it is. This should also include documenting where GDPR-impacted data is stored, how it’s communicated between systems within your domain, and any external clouds or third-party data custodians.
- On the security side, determine how long data-breach detection and mitigation currently takes your organization and what is required to improve these processes to meet GDPR requirements. This element of the action plan should also include a thorough security assessment by Fortinet and/or qualified and trusted Fortinet partners.
At this point, I should mention that Fortinet has made GDPR a strategic thought leadership and value proposition priority, publishing numerous white papers, solution briefs, reports, blog posts, and webinars, among other content assets, to generate more awareness of GDPR provisions, impacts, and solutions. Readers may find our recent white paper, “Understanding the Implications of the Data-Breach Notification Requirement in the EU’s GDPR,” particularly helpful.
As a closing thought for this blog post, many readers may ask why they should radically change the way they do business and make potentially hefty investments to beef up security to comply with mandates that might apply to only a small minority of an organization’s customers, constituents, and stakeholders.
At the end of the day, complying with GDPR may very well simply turn out to be the right thing to do to protect the privacy and interests of all of an organization’s stakeholder communities. As a society, we simply can’t go on shrugging off data breaches that harm millions of people, often on multiple occasions in their lifetime. As onerous as GDPR might seem, it could very well mark a big step towards restoring public confidence in the ability of information technology-using organizations to deliver social benefits while simultaneously curbing social risks.