The European Union General Data Protection Regulation or GDPR goes into effect May 2018, making 2018 a watershed year globally in the battle over the future of privacy. Soon, the United States’ “let the user beware in the digital world” principle to privacy will be tested in a battle of political wills in which the financial stakes could not be higher. An entire generation of U.S. headquartered companies have built specific privacy assumptions into their business models that generate trillions of dollars of shareholder value.
These privacy assumptions will be challenged by GDPR and are already being challenged by EU and UK citizens. For example, Google now faces a class action lawsuit with the potential to pay out over 5 million UK citizens for unlawfully collecting their data and personal information. This is a remarkable beginning of what will likely be a wave of legal action against these data giants, with a message from citizens that they will, in fact, fight for their privacy rights.
To understand what’s at stake, it is important to have a basic understanding of the privacy rights GDPR will enable as applied to the digital world:
- Consent – Explicit permission to collect personal information about me with special considerations if I am a minor
- Authorization – Explicit permission to use my personal information for a well-defined and clear purpose
- Disclosure and Notification – The right for me to receive a disclosure that my personal information was breached, altered or otherwise compromised while in your possession. And the requirement for you to notify the appropriate data protection authorities if this has occurred
- “Right to Know” and “Information Accuracy” – The right for me to know all the personal information you hold about me, and the right for me to easily correct this information if it is inaccurate
- Right to be Forgotten – The right for me to “opt-out” of your services and have all the information you have about me expunged
- Consequences – If you collect my information and fail to uphold these basic rights, then there will be appropriate consequences implemented by the applicable data protection authority
- Definition of Breach, Other – There are other important legal considerations like the definition of a breach, the harm standard, notification requirements, disclosure requirements and others, but these are the core rights.
The U.S. “Let the User Beware” Principle Concerning Privacy
In the United States, the Fourth Amendment provides us what is called a “Right to Privacy” but legally the amendment has largely been upheld as a right to privacy against government authorities including police and has been weakly upheld, if at all, in relation to commercial enterprises. In effect, your home may be your castle, but your digital identity has been up for grabs.
The United States, in fact, has no over-arching, clear legal “Rights to Privacy” for its citizens, particularly in the digital world. Privacy protections for U.S. citizens have come through a patchwork of state laws as well as industry laws like HIPAA and the Fair Credit Reporting Act which has left gaping holes in our rights to digital or electronic privacy overall.
In the United States, commercial enterprises have been able to operate under the “let the user beware” principle, with all of our personal information which can be typed in, gathered or otherwise accumulated and deemed as fair game for virtually any commercial use imaginable. Consent has been obscured through obtuse legal agreements as has permitted use. As the saying goes, “If you are not paying for the product, you are the product”.
This has enabled a generation of companies to harvest our personal information and monetize it for trillions of dollars of wealth. Google, Facebook and Amazon have amassed fortunes of nearly $2 trillion dollars for their shareholders alone. Other companies like Equifax sell information about us to third parties as another simple example as to how companies have monetized our data.
There are truly positives in this caveat emptor model, we have received valuable services which while we all bemoan and claim we barely use, these services none the less useful in many ways, and I stay in touch with childhood friends as well as my younger friends around the world through Facebook who do not hesitate to use their full range of services including messaging and voice calls. Further, these titans are headquartered in the U.S.
However, there have been drawbacks to the loss of privacy including the emergence of emotionally charged and divided politics, fake news, extreme income disparity which is accelerating, manipulation of children online, as well as, privacy abuses involving stalking, cyber-bullying and even contribution to physical brutality.
The EU’s Fight for Privacy
One could argue that this motion to implement GDPR is in response to corporations with headquarters in the United States who have treated the latest privacy rights as a speed bumps in their way of profiting from data of citizens across the world. The European Union, with fewer conflicts of interests with most US companies, simply wants to bring control over personal data back to the hands of its citizens – not corporations.
With the EU’s history of privacy sensitivity dating to at least World War II as to how a loss of rights can jeopardize a nation’s citizens and even a continent’s population, they have acted and the “General Data Protection Regulation” Act or GDPR goes into effect in May of 2018. However, the EU is already taking a clear stance against large data-driven corporations. Recently, European antitrust officials fined Google a record $2.7 billion for favoring some of its own services against competitors in search results – the ruling has even further implications than just the sizeable fine, but opens the conversation as to whether these organizations should be monitored and regulated for such activity.
GDPR is pretty much the opposite of the United States’ approach to privacy in general and offers the world an alternative view on citizens’ rights and economic models with potentially political ramifications that will spring forth from GDPR’s implementation. Those of you in healthcare may feel right at home for the most part.
The rights and consequences that GDPR grants to EU citizens put at right risk the privacy assumptions core to business models, which helped build a generation of US companies. Governments around the world are watching how this will play out and many are putting new privacy laws into effect as they react to cybercrime, ransomware and privacy loss of their citizens from aggressive business models.
Unless there is explicit consent for an explicit use, it is likely that personal information held on EU citizens cannot be used for marketing purposes. This fundamentally changes how businesses contact customers, marketplaces are formed and has the potential to introduce new players in the world of social media and e-commerce.
It’s Not Too Late to Start Your Path of Compliance
GDPR not only impacts businesses in the EU, but any company that processes, stores, or transmits personal data of EU residents. GDPR will impose hefty fines on noncompliant organizations of up to £20 million ($26 million) or 4 percent of global annual turnover, whether inside the EU or not. Enforcement will begin on May 25th 2018. Preparing for GDPR means gaining control of your data. Below are a few steps to take on your journey to GDPR compliance:
- First, conduct a Risk Assessment to get a comprehensive view of where your organization currently stands in relation to GDPR compliance.
- Appoint a Data Protection Officer (DPO) to drive the vision of your privacy posture and take ownership of communicating and organizing your new strategy. GDPR requires that you assign a DPO to oversee your data protection strategy and ensure compliance with requirements. You can find a list of DPO responsibilities here as outlined in GDPR article 39.
- Identify and classify your current data. You can’t adapt and govern your data if you don’t know where and what it is. You should know where your most sensitive data is located and implement a plan to safeguard it.
- Have strategy and prepare to fulfill the Rights of Data Subjects. Implement a process for handling data subject requests requests such as the right of erasure, data portability, right to know, right to be forgotten, authorization, and consent.
- Insider Threat Detection and Breach Motivation. Under article 31 of GDPR, high risk-incidents of a data breach require notification of data subjects without delay. In order to detect and prevent such breaches, your organization should implement monitoring technology such as FairWarning for Cloud Security.
- Create and Document an Incident Response Plan (IRP). Set in place an incident response plan when a security incident does occur. Test and test again. As your organization grows and changes over time, you must update your IRP. Maintaining a current IRP can help contain a security incident from becoming a full-blown breach.
GDPR marks the beginning of a new era, where citizens gain control back of their data. As we enter this new era where security and privacy are heavily enforced and championed, use it to your advantage. GDPR offers organizations the chance to gain control of their own data in the process of compliance, streamline their security and privacy posture, and generate increased trust between themselves and their customers.
Kurt J. Long