My curiosity was peaked when I received an invitation from the law firm of Mintz Levin to attend a seminar on the topic of GDPR – General Data Protection Regulation – a regulation that goes into effect in the European Union this coming May 25th. The panelists were experts in the field of cyber security regulation Cynthia LaRose, Chair, Privacy & Security Practice, Boston and Susan Foster, PhD, Member, Technology Transfer & Licensing Practice, London.
While there seems to be much uncertainty regarding compliance, Cynthia and Susan brought a great deal of clarity to the new regulation. Here are some key points:
1. Who needs to comply?
This is not just a European issue, it will affect many companies that don’t think of themselves as having European operations. What the regulators call a “stable presence” in the EU goes well beyond a physical presence. It could mean the use of a full-time consultant located in the EU. It could mean the offering of an app in the App Store that could be purchased by an EU consumer. This definition will undoubtedly be tested.
2. Why should companies comply?
The days of wrist slapping are gone. These are self-funded agencies. We are talking about 10M Euros in some cases and upward of 20M Euros that the Data Protection Authorities can demand. And with the regulators and courts strongly pro-consumer, disputes by consumers are likely to fall on sympathetic ears. If serious enough infringements occur, companies could be forbidden any data transfer.
3. What are the consumers’ rights?
A couple of important rules direct companies to communicate with consumers in a clear and straightforward way. Companies must make it quite clear what personal data is being gathered and how it is being used when asking for consent to do so. And companies can no longer withhold content if a customer does not give consent. It must be equally easy for consumers to see what data has been accumulated to date and it’s use.
4. What about contracts?
A far reaching aspect of GDPR is contracts. Regulators will insist that a risk assessment be done with any vendor. In other words, it’s not just about the company but also every vendor they deal with.
The implications of this last point are significant. The outsourced risk assessment industry will boom. Every company will want that “Good Housekeeping” seal of approval. Proof to the regulators that their vendors have been adequately vetted. These assessments will need to go beyond the technology platform and policies and procedures. It will need to cover the people problem. What are companies doing to keep their employees from being the porous gateway to data breaches?
Regulators will need to start looking into qualitative aspect of employee cyber training. They will need to go beyond a “check the box” assessment. Research shows that this is an enormous problem in the US with fully half of employees not prepared for today’s cyber world. What’s out there doesn’t seem to be working very well. To get the “risk assessment seal of approval” companies will need to prove that their training methods do, indeed, bring about long-term behavior change and for that, they will need to look in new directions.
For a much more thorough review of General Data Protection Regulation, here is a link to Mintz Levin’s eight-part series of extremely valuable information.