Inside GDPR: What Does It Mean for U.S.-based Companies?

For our podcast “The Silo Sessions”, Authentic8 CEO Scott Petry spoke with Steve Durbin (Information Security Forum) about the ramifications of the European Union’s General Data Protection Regulation (GDPR) for U.S. organizations.

This podcast transcript has been edited for readability.

*

Scott Petry: I’m joined by a colleague in the information security space, Steve Durbin. Steve, I’ll leave it to you to introduce yourself.

Steve Durbin: Hi Scott, thanks very much for having me on. I’m the Managing Director of the Information Security Forum. The ISF is headquartered in London, we’re a not-for-profit organization and we work with many of the world’s leading organizations on issues of information security risk management and increasingly, of course, the subject of today’s session: what all of that means from a General Data Protection Regulation standpoint.

The GDPR is coming into effect in May of this year.

Scott Petry: Yes, sooner than people expect, I think – although we’ve had a couple of years to prepare for it. Glad to have this conversation on GDPR, Steve. You’re consulting with a lot of American companies about how they should think about GDPR and prepare for it.

Why is GDPR important for them, and how are U.S. organizations doing in their overall preparedness?

Steve Durbin: Really good questions to start with, Scott. I think that certainly over the last 18 months I have noticed a much higher level of awareness in the United States around the implications of the GDPR.

Anyone who collects or stores or processes data on EU citizens or indeed has an EU-based processing facility is covered by the General Data Protection Regulation. If we think about US-based organizations, many of them of course are global entities. They do have that information, they do collect it.

If you’re collecting such personal data, the GDPR does apply.

Scott Petry: What “teeth” does GDPR have? What drives this upswell in awareness?

Steve Durbin: There’s certainly been a lot of talk about the fines that can be levied.I mean, up to four percent of your global revenue? Anybody’s going to sit up and take notice.

I think the other factor, certainly in the U.S., that has caused people to pay attention is the media focus. There has been a lot more talking about what GDPR would have meant for past data breaches. For instance Equifax is a good example that is quite often referred to.

What might the implications of that have been under GDPR? I think the other factor that has really helped to raise awareness isn’t so much about the way perhaps in which U.S. organizations have been collecting and storing data in the past. It’s more that there is a little bit of a realization that the two sides of the Atlantic view this issue of personal data privacy in very different ways.

So on the European side of the Atlantic privacy is a personal right. Everything is centered – certainly in the GDPR – around the rights of the individual.

Of course on the other side of the Atlantic, in the United States, it’s very much more about how the corporation views data that it can use. So I think we’ve just had some reconciliation of those two stances taking place, if you like. And I think a lot of organizations have now come to understand that actually legislation is coming that is going to be draconian, in terms of the fines.

But that isn’t the main driver. How can I get some business benefit out of this? How can I perhaps outsmart my competition? How can I demonstrate that I’m a responsible when gathering and as a user of personal data? Maybe there’s some other competitive advantage to be gained.

Scott Petry: You said something that’s really important earlier, which is – I’m paraphrasing – that GDPR seems to put the power back in the hands of the individual.

So let’s take a diversion from the IT thread for a bit and talk about that.

Steve Durbin: Yes, I think really what is at the heart of GDPR is this position that says: As an individual, I own my data, it is mine. So I have rights, I have a right to know where that data is being used.

I have a right to know how it is being collected. The gdpr refers to a concept called “Privacy by Design.” That means that anybody who is collecting my data must have designed in the security of it, the privacy of it from the beginning.

GDPR – for me anyways – is all about the right of an individual to understand where the data is collected, how it is being used. And there is a thing in the GDPR that is called the Subject Access Request.

At any time, for instance, I could go to somebody who’s holding my data and request of them to let me know how they’re using my information. There’s also something else called the “right to be forgotten.”

So I may have gone through that process. I may decide, for instance, that I don’t exactly like how my data is being used. Or I want an organization to stop using it. I can request that they do so.

They then have to honor that request. More importantly, they have to demonstrate to me that they have removed my data. All of these sorts of things need to be set out in processes, in policies, in approaches that can be audited effectively by the Information Commissioner in different European countries, should it come to a situation where there is either a dispute or indeed – more likely, I think – where there is potentially a breach or or a loss of data.

I think organizations really have had to alter the way in which they view the gathering, collection and use of that information to take that into account.

Scott Petry: Yes – and this is particularly interesting because obviously, the companies need to change their internal processes for how they collect process, store et cetera the data. Are American companies prepared for that?

Steve Durbin: In my experience, it’s been a challenge for most organizations to understand that you need to be that responsive to an individual.

And let’s face it, there are some concerns that have been expressed, along these lines: “What if we’ve got somebody who’s just a troublemaker? What if we’ve got somebody who’s a disgruntled customer or employee?” And all those sorts of things.

Scott Petry: Steve, let’s take a turn and talk about the data itself. What data is GDPR-relevant, and what types of companies might be touching that data, even if they’re in the U.S. Let’s talk about the data of EU citizens or employees.

Steve Durbin: It’s all the data from which an individual can be identified. It data that might have a very sensitive nature – Social Security numbers, passport numbers, medical information… And it doesn’t matter whether you are the person who’s collected that data and they’re sharing it or whether you are somebody with whom that data has been shared.

A very simple example: I’m an EU citizen. I live in the UK. Yet I travel very frequently, as you know, to the United States. I tend to make my hotel bookings so I may use a Sabre system, for instance, to book a hotel.

So I am providing information into a hotel booking system that is then sharing that information with the hotel. Now we’ve got two entities that are involved already.

Scott Petry: So if I am an email marketer who’s providing services to that travel agent you booked your travel through, a U.S.-based company capturing EU data, and I launch an email marketing campaign for that travel agent, I’ve got your data and I’m subject to these requirements as well.

Steve Durbin: Absolutely, yes.

Scott Petry: So if all that data is impacted by GDPR – it’s your email address, or it could be your IP address from your system, or it could be your traffic that gets spam-filtered by an email provider, or data like that – I would imagine, if an organization is collecting web log data, that browser logs are also identifiable information and covered by the GDPR requirements?

Steve Durbin: *Yes, that’s right. And it gets us into this interesting issue of “consent”. Here we begin to see that the GDPR is overlapping with areas like employment law, local regulations, and so on.

So the browser stores information, we understand that piece, and yes, it is subject to GDPR.

Scott Petry: Would companies be well served to segregate data for different classes of users and process it and handle it differently?

Steve Durbin: We are certainly seeing organizations that have taken that view, that said “okay, look – the bar is set so very high for personal data, let’s just meet that requirement across all the ways in which we gather and store data.

Now, that is very easy to say – and very difficult to do.

The first stage in any GDPR program – for me, anyway – is all about preparation. It’s about discovery. It is about understanding what information you are actually gathering and storing and so on.

From there you can then begin to determine your compliance status. Are you a million miles away from the bar, or are you pretty pretty close? And preparation is then the second step.

Scott Petry: … and for that preparation, I would think, we will also have to comprehend the business process burden of responding to the subject access requests. That’s something that I think is going to be a surprising reveal, as many U.S.-based companies weave their way through the requirements, because this is not something that they’ve typically planned on.

Steve Durbin: No – I think that’s right.

Scott Petry: Working with the Information Security Forum to help us as an organization better understand GDPR and its ramifications has been really helpful. I’d say for anybody who’s interested, check out https://www.securityforum.org. The Information Security Forum has been a really good partner for us.

Steve Durbin: Fantastic, and thanks for inviting me. I really enjoyed it.

*

The Silo Sessions is the official podcast of Authentic8, maker of Silo, the cloud browser. Listen to industry experts on the issues the cybersecurity industry is facing today. You can find the live recording on YouTube or SoundCloud.