GDPR: Still Plenty of Lessons to LearnRSA Conference Panel: Organizations Worldwide Face Long List of Challenges
As the one year anniversary of enforcement approaches in May, the European Union's General Data Protection Regulation continues to challenge businesses of all sizes worldwide, creating new concerns and responsibilities for the security and legal teams charged with ensuring compliance with the privacy law designed to protect Europeans' data.
At this week's RSA Conference 2019 in San Francisco, attorneys and security experts participating in a panel reflected on the first 10 months of GDPR, including what lessons companies - and their legal teams and CISOs - should draw from how European regulators have applied the law so far and what these first actions could foretell about what's to come.
Where's the Data?
One particular issue that appears again and again is that companies keep discovering more data as they go through the GDPR compliance process, said Francoise Gilbert, an attorney with the international law firm Greenburg Traurig who's an expert on the European privacy law.
She pointed to one company where the CEO was surprised that the firm had clients in Australia. That data came to light as Gilbert and her firm were helping to ensure GDPR compliance. Gilbert noted that once this type of customer data is discovered, whether on premises or in the cloud, the company needs to decide whether it should be stored, reclassified or scrubbed.
"Everything is budget," Gilbert told Information Security Media Group in an interview after her presentation. "Whether it's me or someone else in the room, you have to say, 'You have this data and what do you do with it? How do you secure it and how do you monitor it?' The answer comes down to whether they have the budget or not. I sometimes recommend to get rid of it, but then sometimes the marketing people come in and say 'Oh, we might need that one day.'"
Watching Google and Facebook
"As a practitioner, these cases are very important because by telling us what Google did wrong and what Facebook did wrong, I can apply that to my clients and I can go back to them and say, 'This is what the regulators said and we need to be careful with this, this and this,'" Gilbert said. "In the Google case, they complained about transparency, for example, and I can go back to my client and look at areas where we were not that transparent and see what we can do to fix that."
By the Numbers
During the RSA panel, security expert Ariel Silverstone reported that as of the end of January, there were 41,000 breaches reported under GDPR that fell within the 72-hour notification window. Additionally, there have been about 250 investigations by the various data protection authorities.
Silverstone noted that while GDPR involves all 28 countries of the EU, variations in how each country is implementing the law mean companies could face different penalties. For instance, he described that Germany's interpretation of the law makes a violation nearly a criminal case, while other nations have been reducing fines.
Silverstone also pointed out that the California Consumer Privacy Act, which adheres to some of the same principals as GDPR, is offering some of the same consumer protections that Europeans now enjoy.
Difficult But Not Impossible
Mark Weatherford, the global information security strategist at Booking Holdings, told the audience that while complying with the GDPR rules is difficult, it's not impossible. Before his current job, he worked at a startup that needed to come into compliance.
The firm hired lawyers in Europe to help advise on the law and the company was ready for May 25, 2018, when GDPR enforcement kicked in. Almost immediately, a German citizen demanded that his name be removed from all systems under the "right to be forgotten" provision. The difficulty there, Weatherford explained, was finding the man's email address and any other personal identifiable information across various internal systems, which included Salesforce, Marketo and numerous internal customer databases.
But in the end, the company found that it could follow all the GDPR rules. "It raised the bar for us and it lets us do the things we should have done all along," Weatherford said.
Another panelist, Harvey Jang, the Global Data Protection and Privacy Counsel at Cisco, acknowledged that privacy is a fundamental human right - although it's not an absolute right.
"It has to be balanced against the rights of others, as well as businesses that have the right to conduct their business fairly," Jang said. "If you take it from that perspective, GDPR is asking for transparency. It's looking for fairness and it's looking for accountability in terms of the way you handle data. So you have to know what data you are collecting, what you are doing with it and where it's going."
Speaking from his experience with Cisco, Jang noted that the biggest concern is slowing down the sales cycles when questions arise about where data is and what's it's being used for within the company. Once those questions are answered, however, GDPR actually helps to ensure that the company is protecting customers, he said.
"It's asking for things you should be doing anyway," Jang said.