Ready or not Europe’s General Data Protection Regulation (GDPR) goes into effect May 2018, and naturally we’d prefer that you’re ready for this. The GDPR will become the EU’s primary data protection law and is a replacement to the 1997 Data Protection Directive (“Directive”). There are a few reasons why the GDPR has arrived at the perfect moment.
The Directive is 20 years old now, and the technology landscape has changed. Information technology is integrated with everyday life. However, as a directive, this also meant that it was a minimum standard and member states often developed in consistent policies when it came to cyber security. With the EU operating as a unified market this presented a problem. The GDPR is a full regulation that will be implemented in full across all member states as a one policy. This helps to correct the imbalance experienced where some member states had more stringent security policies than others.
Globally the information security sector will be impacted. So lets talk about what the GDRP is and what exactly some of those impacts will be.
What is the GDPR
The GDPR is a cyber security regulation that was agreed upon in May 2016 after four years of development. The regulation is intended to protect EU citizens’ personal data. It expands the rights of EU citizens and affects any organization that engages any member state of the EU for business. There are some critical components to this legislation which should be emphasized because they no doubt have impact on the information security sector.
Unlike the directive, the GDPR applies to any company that markets to any EU citizens. In effect, much of the world is subject to the GDPR, regardless if they hold offices or assets in the EU or not. More information can be found in Article 3.
The GDPR imposes a fine of 4% of global revenue if a company violates specific chapters of the regulation. This includes a violation of principles, rights of the data subjects, and responsibility of data controllers/processors.
Rights of Data Subjects:
The chapter on rights for EU citizens is extensive. Some important ones to note however are the right to data portability, right to rectification, right to erasure, right to restriction of data processing, and right to object automated processing. This regulation was crafted with the protection of EU citizens in mind.
Data Protection Officers (DPO)
Companies whose core activities include processing of GDPR defined “special categories” of data must appoint a DPO to ensure compliance is met and data secure. The special categories of data include anything uniquely identifying such as race, sexual orientation, biometric data, political leanings, and many others. Refer to article 9 for specifics.
Under the GDPR companies are required to report a breach to the appropriate authority within 72 hours. This is not universal however and depends on role and context. Rules apply differently to controllers and processors in the event of a breach. For specifics on the requirements for each, refer to Article 31.
Impacts on Information Security Sector
Do you feel the impacted already? If you’re a European based information security firm, you likely have already had a few discussions or even calls about the GDPR. Impacts on the information security sector will centered around product development, regulatory strategy, and staffing.
Much of what is included in the GDPR is what information security experts have been lobbying for years over. The GDPR has put into legislation the best practices from the privacy by design and security by design frameworks. So much of the legislation should not be anything new for those in the information security sector. However, it does change what offerings are made to clients and what their needs are.
Prior to this legislation globally security products were designed around security first, however this does not inherently mean that privacy was also first. GDPR standards will now need to be built into any products developed by cyber security vendors, or else they will be pushed out the market. Existing deployments will need reviews and to be updates if they already are not in compliance with the GDPR. For cyber security consultants, their services will now require a fluent understanding of the GDPR and how it applies to their potential and existing clients.
Cyber security professionals by the nature of their work need to always be one step ahead of the their customers and clients in regards to regulation and directives. Maintaining a strong understanding of the GDPR will allow cyber security professionals to not just aid European based companies maintain compliance by also help companies outside of Europe understand what it takes to engage the European market. For experts who work internationally it will also be important to know how to help clients meet the GDPR and regional security requirements. As information becomes more central to the markets it will be increasingly important for cyber security experts to develop proficiency in policy analysis to remain competitive.
The requirement for the DPO will be a new concept to many companies outside of Europe. The GDPR will require at least 75,000 DPO positions to be filled worldwide according to a study by the International Association of Privacy Professionals (IAPP). Many are doubtful that organizations outside of Europe will be able to fill the position in time, mainly due to not enough trained professionals for the role. Once the GDPR is active, information security professionals may find themselves in a position where their clients may ask for qualifications in alignment with that role. In effect, the GDPR will incentivize a greater emphasis on privacy and a need to train one of their managers to fulfill the role of DPO.
The GDRP has already sent shock waves throughout the information security sector. As the deadline to be in compliance draws near, private companies will be expecting information security professionals to help them meet it, in a narrow window of time. It is best to prepare now for an influx of work.