GDPR – Why Being Compliant Is Aiming For The Wrong Target

Unless you’ve been hiding out in a hermitage for the last year, you’ve at least heard of the European Union’s General Data Protection Regulation, or GDPR.  Like many, you may have assumed that it really isn’t a concern for your organization because you’re based in the United States.  Or perhaps you’ve decided that it will affect your business, but that it’s just another regulation whose checkboxes you need to hit.  In this post I’ll discuss why both of those views are potentially dangerous to your organization.

SOX, HIPAA and PCI…Oh My!

If your organization isn’t affected by the Sarbanes-Oxley Act, you may not have experienced the panic-induced insomnia that kept so many people awake in the early 2000s pondering all of the steps needed to achieve compliance.  While not specifically an information security or privacy regulation, SOX had downstream effects on IT and security organizations, if only because they had to implement the tools the organization would use to track and report compliance.  Unfortunately, SOX did little to improve actual security.

While it will be left to historians to determine whether or not SOX achieved its intended goal, what we can see today is how businesses chose to tackle the regulation.  What SOX gave IT and security teams was a set of hoops to jump through, with carte blanche on how to get through them.  This made SOX a purely compliance-based regulation for those teams: if they could show that they had made it through the hoops, they had succeeded.  The same line of thinking has typically been applied to HIPAA, FERPA, PCI DSS and other regulations (or private standards), seeking compliance purely so that audits can be passed.  Unfortunately, this trend has led many of the organizations I’ve spoken with to approach GDPR from a minimum-compliance perspective.

Data Privacy vs. Data Privacy

An important point to note is that regulations, up to this point, have viewed data privacy from the perspective of the data holder.  Regardless of the content, data held by an organization is treated as the property of that organization.  While an organization can suffer penalties for failing to meet the existing government regulations (or the private PCI DSS), remediation for individuals whose information was used illegally or disclosed is not defined in these regulations.  This is apparent in the recently publicized Equifax breach.  The individuals whose information was disclosed have little recourse beyond a private lawsuit, which may provide some compensation but can’t repair the damage done.  Given the nature of the information disclosed (names, Social Security numbers, birth dates and addresses, none of which can be rotated like a password), the effects of this breach could last for the lifetime of the individuals affected.

It is clear from GDPR that Europeans have a very different, and arguably better, view of data privacy.  In effect, GDPR treats data about an individual (the “data subject”) as belonging to that individual.  Any organization that holds information about an individual is only a custodian of that information, acting either as a controller (deciding why and how the data is processed) or as a processor (handling it on a controller’s behalf) for business purposes.  An organization may hold this information only if it has a lawful basis for doing so; the individual’s consent is the most visible basis, though GDPR (Article 6) also recognizes a handful of others, such as contractual necessity, a legal obligation or a legitimate interest.  Even then, it may hold only the information that is necessary for the specific purpose for which it was gathered.  Once that purpose has been exhausted, the organization is obligated to erase the information it holds.  An organization is also obligated, subject to limited exceptions, to erase any information about an individual upon that individual’s request (the “right to be forgotten”).

This individual-focused approach should create some concern in United States-based organizations that are affected by it.  If an organization has employees or customers in the European Union, it is most likely covered by GDPR.  These organizations need to start asking themselves some important questions immediately.  What data do we hold, and why do we hold it?  Do we have permission from the individual to hold this information and use it?  Who has access to this information, why do they have it, and for what business reason are they using the data?  If an individual contacts the organization to have their information “forgotten,” can we prove that we have erased everything we hold on this individual from every location (backups and copies handed to third-party processors included)?  Many organizations have asked these questions internally in advance of a regulation requiring them to take action, but with no clear business value in the effort it would take to answer all of them, the discussion has largely been academic.

Shifting Out of Compliance Mode

If you’re still thinking that this sounds like a big deal, but not something that affects you, you may be correct…but probably only in the short term.  The United States has generally been slower than Europe to adopt data privacy and security regulations, and the regulations that have been adopted in the United States have been neither as robust nor as aggressive as those in Europe (see Directive 95/46/EC from 1995, the directive that GDPR replaces).  Even the increasing quantity and severity of data breaches in United States-based organizations has not produced significant federal change, so you may be thinking that none is coming any time soon.  Keep in mind, however, that state governments can adopt their own regulations independently of the federal government.  It isn’t hard to envision a state like California enacting, at least in part, some of the same types of articles found in GDPR.  Also consider that China already has its own version of GDPR, and given the relationship that Canada and Australia have with Britain, how likely are they to adopt GDPR in whole or in part?  We are going to see this new view of data privacy sweep across the world, and potentially state by state within the United States, all of which will drive the United States Federal Government to align.  Realistically, it’s not a question of “if” but “when” you will be affected.

If it isn’t already clear, GDPR is a privacy-first regulation.  This means that approaching it from a purely compliance perspective is dangerous, and will almost certainly leave the organization short.  Simply shifting an organization’s view from being a data owner to being the holder of data owned by an individual is a huge change for most United States-based organizations.  Add in all of the specifics of GDPR, and it should be clear that a major shift in how organizations collect, store and use information is needed.  In short, the requirement is privacy: achieving privacy will get you to a compliant state, but the approach won’t work the other way around.

Balancing security with the needs of the business is a subtle art that security professionals have been mastering and refining for as long as the concept of information security has existed.  Oftentimes, security policies and procedures create a level of inconvenience for end users, leaving security professionals to argue the necessary evil of the security effort against its impact on the business.  This has created a demand to minimize the impact on end users, which in turn leads to minimal implementation of any security effort that affects them.  While we, as security professionals, certainly don’t want to impede the business, propagating behavior that risks an organization’s security posture is also undesirable, and so the cycle continues.  The United States Federal Government is acutely aware of the impact that heavy-handed regulations would have on businesses in the United States, so, in order to minimize the effect on the end user, it has put forth regulation with the least impact possible to achieve the goal.  In other words, it has provided that list of checkboxes for compliance.

Can we continue down that same path in light of regulations like GDPR?  Our somewhat lax behavior as a society brought us to this point, and with each new regulation, United States-based organizations will find it harder and harder to patch together a solution that lets business continue to run the same way while staying within the law.  Organizations should be asking themselves how they intend to position themselves to be prepared for this next generation of data privacy regulations.  Fortunately, there is an approach that will not only bring an organization up to standard, but will future-proof it against whatever comes next: security and privacy first.  An organization with mature and appropriate security and privacy policies, procedures, tools and people will put itself into a compliant position, by default, for today’s and tomorrow’s regulations.

If this approach sounds familiar, it’s likely very similar to a message you’ve heard (or delivered yourself) since the advent of HIPAA in 1996 and SOX in 2002.  It’s not an easy pill to swallow, though.  Such a fundamental change in approach is difficult to envision and will almost certainly have an impact on the business, at least in the short term.  In light of GDPR’s administrative fines of up to 2% or 4% of an organization’s worldwide annual turnover (or €10 million or €20 million, whichever is higher), depending on which provisions are breached, what is the value of a properly implemented security/privacy program?  What about the penalties for the next round of regulations?  As a country, we are at an ideal time for making this shift, and for approaching security and privacy in a more robust and healthy way.  It will take time, though.  While the vision may change quickly, the actual implementation must account for the continued success of the business it is protecting.

I strongly recommend a holistic assessment of an organization’s security and privacy program, providing both visibility into the current state and a roadmap of tactical and strategic efforts for the organization to make meaningful strides toward this new ideal.  This assessment can always be performed in-house, but a third party provides a neutral view and will often discover things that internal politics might otherwise keep hidden.  I am admittedly biased toward the services of my employer, but there are a number of companies who can perform such an assessment for you and, hopefully, partner with you to drive the success of your program.  If you have questions or would like some help figuring out how to move forward, please reach out!

Jeremy Carrier

jcarrier@est-grp.com

Jeremy is the Senior Solutions Architect for Security and Identity sales at EST Group. His love for coffee (unleaded only) is only eclipsed by his passion for problem solving, especially in the security space.