By Mo Cashman
With the May 25, 2018 enforcement date looming, preparing for compliance with the European Union (EU) General Data Protection Regulation (GDPR) is an unavoidable necessity for businesses – and an important act of social responsibility.
The GDPR provides data privacy protections for individuals in the EU (it applies to data subjects in the EU, not only to EU citizens) and broadens the definition of personal data beyond the identifiers we are used to – name, physical address, date of birth, email addresses and phone numbers – to anything that can identify or characterize us as individuals, including genetic, biometric, health, economic, cultural and social data.
The underlying tenet of GDPR is that personal data belongs to the citizen, not to any commercial or non-commercial organization.
Ultimately, the GDPR is good for society as a whole because data privacy is something that affects everyone. If we consider our own personal data and that of our families – especially data that cannot easily be changed, such as health, age, sexual orientation, politics and religion – we would want everyone to handle our data with care.
As business owners, we are obliged to follow the golden rule of privacy: treat everyone whose data you hold the same way you would expect your own data to be treated.
Like most laws and regulations, the GDPR is intended to push business owners to do the right thing. It is much like a speed limit: a rule enforced because it protects everyone’s safety – drivers and pedestrians alike.
The GDPR will not only change the way we protect personal data, it will also change the way we share it. When it comes to our personal data, our feelings around sharing it are not so different from our feelings around loaning out our car. “Can I borrow your car?” are words that make most people cringe – even if a trusted, long-time friend with a valid reason makes the request. Whether you drive a midsize SUV or a high-performance Koenigsegg sports car worth upwards of $2 million, the idea of lending out your car is uncomfortable and considered unwise. What if the borrower inadvertently scratches it as they back out of a parking space, or that friend, in turn, lends it to someone else who gets involved in a fender bender or worse?
In effect, every time we engage with an organization or business, we’re “loaning” our data to them, and we expect them to treat it respectfully. People want to do business with organizations they trust and, if your shortfalls in the area of data privacy become public, that trust gets quickly eroded.
Last year’s Equifax breach compromised the personal records of 145.5 million Americans. Because of the size and scope of the breach, it underscored the criticality of protecting personal data. A recent report published by IBM Security reveals that growing awareness of headline-grabbing breaches and identity theft incidents has led to a change in attitude among business and consumer users.
For the first time, users rank security as a top priority – above convenience and ease of use. When it comes to financial accounts, for example, 74 percent of those surveyed said they would take extra measures to protect this valuable data, and consumers increasingly expect businesses to follow suit.
Even if your business doesn’t handle the personal information of people in the EU, attention to data privacy is essential. GDPR is probably the most comprehensive data protection law at this point in time, but it is not the only law strengthening the rights of individuals.
GDPR is a clear marker of the direction many jurisdictions are taking, built on the key principle that individuals own their own data. Preparing for GDPR compliance can therefore help your business conform to other regulations in the future. An analysis by the University of New South Wales in Sydney, Australia shows that, on average, non-European privacy laws include seven of the 10 principles that appear in the European regulations. Countries such as Japan, Canada, India, Australia, South Korea and Mexico, among many others, have implemented stringent privacy regulations.
While the U.S. has yet to enforce such sweeping privacy regulations, there are certain laws already in place that align with GDPR requirements. The U.S. Children’s Online Privacy Protection Act of 1998 (COPPA) prohibits “unfair or deceptive acts or practices in connection with the collection, use and/or disclosure of personal information from and about children on the internet.” The U.S. Health Insurance Portability and Accountability Act (HIPAA) already protects personal health data, though the GDPR is much stricter and broader in scope.
Canadian businesses are required to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), which has some notable similarities to GDPR. Under both GDPR and PIPEDA, individuals have the right to access and review the personal data an organization holds about them and to have inaccurate data corrected. GDPR goes further by codifying a “right to erasure” (Article 17), also known as the right to be forgotten, under which businesses and other entities can be required to delete personal data at an individual’s request; PIPEDA has no equivalent express provision, though it does let individuals withdraw consent and requires organizations to dispose of personal data once it is no longer needed for its stated purpose.
Investing in the latest security technologies and enforcing best practices protects the data privacy of everyone we do business with, but it is only part of the job: educating your employees is another essential aspect of data protection.
If your employees share the personal data in your care with anyone, leave it unprotected, upload it to high-risk cloud services or use it with unauthorized applications, your organization – as the data controller – is ultimately accountable.
Proper training for everyone at your organization who touches personal data is essential. Employees should handle it as if it were highly valuable which, in fact, it is to the person it belongs to. Tools are available to help you keep an accurate inventory of the personal data you hold (what it is, where it lives and why you have it) and to track how employees use it, both on-premises and in the cloud; that record is also the starting point for answering an access or erasure request within the regulation’s deadlines.
When employees understand the value of data protection, they treat customers better and companies find it easier to conform to GDPR and similar regulations. This creates positive results for the business, since customers are more inclined to engage with companies they trust with their data.
So, as the clock ticks toward the GDPR enforcement date, rather than seeing compliance as a burden, think of it as an act of goodwill and reciprocal respect: do unto the data of others as you would have them do unto your data.
About Mo Cashman
Mo Cashman is a passionate cybersecurity leader. As a principal engineer at McAfee, Mo inspires our next-generation security professionals, helps drive company technical strategy and advises our largest global customers on cybersecurity strategy and business resilience. Mo’s mission is to change the way we think about, measure and operate security systems. Fueled by that passion and more than 20 years of experience, Mo leads solution architects as well as development efforts in security effectiveness testing, value measurement and integrated security system design. In previous roles at McAfee, Mo was the Chief Security Officer for the Global Public Sector. Prior to joining the company, he led a large computer security incident response team, detecting and responding to sophisticated cyberthreats across the world.