By Andrew Elvish
I have been talking about the European Union’s General Data Protection Regulation (GDPR) for almost two years. The regulation sets out a single set of rules for all companies operating in the EU. These rules were developed to provide people with greater control over their personal data and incentivize organizations to make meaningful changes to how they collect, process, and store that data. The GDPR is also the reason why you received so many emails last spring from sites that you visit and newsletters that you subscribe to.
Before it came into effect, people in and out of the security industry were curious about how the GDPR would impact them and what, if anything, was about to change. Prior to May 25th, 2018, the discussions often focused on the potential fines. After all, the penalties for non-compliance are up to €20 million or 4% of global annual turnover.
When you consider the potential cost, this is not surprising. For example, if the high-profile data breaches at Equifax, Yahoo, or eBay had occurred when the GDPR was in full effect, their fines could have been up to $124 million, $160 million, and $264 million respectively.
While we have yet to see a case involving a giant multinational organization make its way through the court, they are coming. Regardless, the conversation itself seems to be changing.
These days, one of the questions I get asked frequently is whether the GDPR will have an impact on North America and other regions of the world. The short answer is: yes. The longer answer is that it will have an impact on people and organizations outside of Europe for a variety of reasons.
How Will GDPR Impact North America?
One of the main reasons the GDPR will have an impact on non-European organizations is that the vast majority of business today is conducted on a global scale. Since the regulation includes anyone collecting Personally Identifiable Information (PII) on a European citizen within the EU, regardless of where their head office is, an Asian, Central American, or North American company that gathers information on the continent will have to comply.
But a second impact is that the regulation is asking us to question how we think about our data. In many ways, there is a great congruity between the GDPR and the North American mindset. People here are getting serious about what kind of data trail they’re leaving and how that data is being used. We’ve seen how our own information can be used to influence elections, and we are increasingly apprehensive about its influence in general.
Given that the GDPR is designed to protect individual privacy and make our data more secure, many organizations are already getting on board. The EU’s powerful framework for managing data responsibly will soon be exported to other forward-thinking jurisdictions.
Who Is Already Following Suit?
On June 29th, just a month after the EU’s regulation went into full effect, California passed its own version of the GDPR. California’s law comes online in January 2020 and will give residents the right to know what information organizations are collecting about them, why they’re collecting that information, and who they’re sharing it with. In addition, Californians will also be able to tell organizations not to sell or share their PII or to delete it entirely.
While the fines under California’s regulation may not be as steep as the EU’s—consumers will be able to sue organizations for up to $750 when their data has been breached—the impact could nonetheless be far-reaching.
Organizations will have to decide whether it is more expedient to develop targeted data management practices to comply within the state or to change the way they collect, manage, and store data overall. This is what we are seeing in reaction to the European regulation as well.
In the end, there is only one viable option: we must evolve to comply with these types of regulations and to address the increasing concerns that people everywhere have about their personal data.
How Can We Keep Pace With New Regulations?
The first step is to shift our understanding of data security so that privacy is designed in from the start rather than treated as an afterthought. And this is something the GDPR itself makes clear. According to the regulation, organizations will have to make privacy the default when collecting data.
You can think of it this way. Privacy by default means that organizations and their personnel should not be required to perform additional tasks to ensure privacy in the collection and storage of their data. It also means that companies that develop solutions that collect data cannot simply apply an add-on or band-aid fix.
To comply with the standards set out by the GDPR, organizations will have to select vendors who build privacy into their offerings from the ground up. One of the benefits of this is that these organizations will be working toward ensuring privacy even before they fully appreciate the intellectual or organizational shift that needs to occur.
Take, for example, companies mounting booths at security tradeshows all over the world. Many organizations, including my own, include cameras as part of their booths. The feeds from the video can be used in all manner of ways, including video management system (VMS) and unified platform demonstrations. This means that we are all collecting vast amounts of PII, specifically tradeshow attendees’ images.
If an organization does not have a clear policy on privacy and the use of PII at the show, a video privacy tool that can dynamically blur or anonymize video data, such as KiwiVision Privacy Protector, or the ability to share PII easily through a video sharing tool like Genetec Clearance, it could fall short of the regulation.
So, what does this mean for you? It means that, in today’s global economy, regulations have a global reach. It also means that, no matter where you are located, you’re going to have to think about the data you collect, manage, and store. Fortunately, many of us have been doing just that for years. And the solutions to protect privacy and secure information are not only available but are being built to keep pace as our understanding of data evolves.