Global Data Protection Regulation...It's time.
By Michael Carr, JD, CISSP, CIPP, Director, Global IT Security & Compliance, Hillenbrand
For a couple of years now, I have read quite a few articles and have heard quite a few speakers refer to GDPR as the GLOBAL Data Protection Regulation. Those of us in the Information Security and Privacy profession know that the “G” in GDPR really stands for “General” and not “Global” but perhaps it is time we changed that.
Many organizations that are headquartered in the USA are having to comply with the General Data Protection Regulation either because they have employees that live in the European Union (EU) or because they “purposefully avail” themselves of the privilege of conducting activities that may result in the collection and analysis of an EU citizen’s Personal Data (in other words, the company does business with or would like to conduct business with EU “data subjects”). These companies have had to modify their HR and marketing processes to ensure that proper consent has been requested and explicitly given. They have had to conduct Privacy Impact Assessments (PIA) for all applications and systems that collect, process, store or transmit the Personal Data of EU data subjects. They have had to draw up and execute international data transfer and data processing agreements even if the entity that processing this Personal Data is a corporate entity (or “sister” company) that provides a shared service to a subsidiary based in the EU; and they have had to assess their security controls so as to satisfy an EU-based Data Protection Officer (think “Chief Privacy Officer”) who may or may not have experience or background in information assurance. Just when these multinational companies think they have their respective GDPR acts together, they realize that they also have to be nimble enough so that when a data breach does occur, they can notify the appropriate EU Data Protection Authority within 72 days. Of course, this is all in addition to having to comply with other countries’ security and privacy regulations in addition to US state data breach notification laws and depending on its industry, GLBA, PCI DSS, and/or HIPAA (and, no, HIPAA is not spelled with two “P”s).
“Those of us in the Information Security and Privacy profession know that the “G” in GDPR really stands for “General” and not “Global” but perhaps it is time we changed that”
Meanwhile, a company that does not collect or process the Personal Data of any EU data subjects may only have to comply with US state data breach notification laws and depending on its industry, also comply with GLBA, PCI DSS and/or HIPAA.
Despite the current lack of qualified information security and privacy officers and the demand for these professionals that a GLOBAL Data Protection Regulation would create, it seems that it’s time for the playing field to be leveled. Why should GDPR-applicable companies have all the fun?
A GLOBAL Data Protection Regulation might help all company leaders realize that the world has, in fact, changed and that unlike Y2K, the purposeful and legal collection of Personal Data (that the company does not own) that must be safeguarded and returned (or deleted) when no longer needed is not a passing fancy but rather a collective cry that “We’re mad as hell and we’re not going to take this anymore!” that must be truly integrated into the work culture.