The State of Data Security: GDPR Q&A with Principal Consultant Brian Roybal
We recently had an opportunity to sit down with Brian Roybal, Principal Consultant – Cloud and Operations, to ask him a few questions about the EU’s new General Data Protection Regulation (GDPR) and its impact on business and technology around the world.
Q: What is personal information as defined by GDPR? Is that the same as “PII”?
PII and GDPR’s definitions for personal information are not synonymous. Personally Identifiable Information (PII), is a term recognized more in the United States, which increased in usage after being formally defined by the National Institute of Standards and Technology (NIST). PII is any information that can be used (even if in conjunction with other data) to identify an individual. Generally, anything that is PII is also personal information by GDPR standards, but GDPR also includes sensitive categories of data like criminal background history and purchasing history. To comply with GDPR, you need to be prepared to consider protections for IP addresses, mobile device identifiers, biometric identifiers, and geotagging information. This is because the types of data that can identify a person have surpassed government identifiers (like name, address, and social security number), phone numbers, and email addresses.
Q: Let’s say I’m in Information Security. What should I be most concerned with regarding GDPR?
GDPR is unique in that it impacts more business units than traditional regulations. At its core, GDPR requires significant change for Marketing, Privacy, Procurement, and Legal teams. However, Information Security, should not be overlooked as there are both breach notification requirements and data protection clauses that will require attention. Specifically, policies and procedures will need to be updated to notify the proper EU Data Protection Agency (DPA) within 72 hours of a suspected breach. The DPA may also request a prompt notification to impacted users. If you have encryption and the breach has not been successful in overcoming the encryption, then you will not have to disclose the breach to customers. But if the breach has overcome encryption, then you will have to make that a public disclosure. 72 hours to potential public disclosure is very concerning to companies and will prompt many to increase their use of encryption and other data protection controls.
Q: Speaking of encryption, what standards or levels does GDPR require?
GDPR does not prescribe any particular standard for encryption, but rather expects companies to take a risk-based approach for data protection, which may or may not include encryption. To avoid excessive fines in the case of a breach, you should at a minimum have enforced policies & standards relating to these data protection controls and be able to show that these controls are effective. For data-at-rest encryption, self-encrypting hard drives and similar technologies provide minimal protection on their own, whereas application-level encryption that is embedded at the code level offers the best protection. We suggest classifying your application and file stores by criticality and selectively applying the level of encryption according to the protection required, as well as a review of the other security controls that supplement encryption. For data-in-transit encryption, we suggest following the industry lead from PCI and removing the ability to use TLS 1.0 and SSLv3 for data encryption over the public internet.
Q: What are some of the most impactful regulations that the GDPR will put into place when it comes to protecting consumer data?
The “right of erasure” will be specifically challenging for companies. Most systems and processes have been architected to replicate and propagate data, not minimize or remove it on-demand. Oftentimes, once a customer hits the submit button, 10 or more systems are instantly updated, many with that customer’s personal identifiers for tracking. The customer, however, only sees the mobile app, website, or kiosk.
Q: It seems like this regulation could help protect consumers, but are there any possible negative effects for consumers that the EU is overlooking?
Modern conveniences often come at the price of your data. Most of us have an email address from a free service and don’t think about how our data is being used in exchange for that service. The industries that will be impacted the most are those that utilize artificial intelligence and machine learning functions. I believe these functions will continue to thrive, but the industry may be hobbled somewhat in that they may not achieve potential breakthrough customer experiences as readily as they may have before GDPR. This will, in turn, limit our ability to consume increasingly better conveniences. As the customer must consent to a company’s use of their data, building and sustaining a trusted brand will create a competitive advantage for companies.
Q: What sort of impact will the GDPR have on American companies doing business in Europe? Should we expect less, the same, or more investment?
GDPR has already proven to have significant global impact, irrespective of those that do business in Europe as investments in privacy and data protection controls are increasing for most global companies. Moreover, if an EU resident signs up for a US company hosted blog, or an EU resident is on vacation and transacts in a system in the US, the US company is subject to the regulation. Many businesses are taking a proactive approach to prepare for a ‘new-normal’ of privacy and breach protection laws at the city, state, and federal level. Many localized laws have already been implemented, and some are actually stricter on data protection than GDPR.
Q: Do you see a law like the GDPR being adopted in the US? What sort of pushback could we expect from companies in the US?
There are already multiple data breach notification acts currently in review in Congress. Additionally, 48 states have data breach notification laws. However, in addressing data privacy, the US faces competing government and corporate interests, which make a GDPR-like law (with the data subject’s interests at the core) less likely, unless a wave of consumer outcry eventually demands it. The challenge for companies is the potential to need to serve a customer one-way and another customer a separate way. I believe that, in time, the industry will normalize to a GDPR-baselined privacy standard and find new ways to drive competitive advantage.