What is (EU) 2016/679 and Why US Companies Should Care - A LOT - About It?

By Simon Puleo

(EU) 2016/679 is the ‘General Data Protection Regulation” or GDPR. GDPR is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU).

Some in the US see it simply as another compliance regulation like HIPAA, FISMA or NERC, but it is so much more as it expands digital privacy rights that will help us securely share scientific research, open borders to commerce, and provide an evolutionary process for participating organizations working with European nations. You can find the GDPR in pdf, html and multiple languages hosted here by the European Union. If you are more technically oriented like me, you may be surprised to find the absence of a technical outline. There is no exact requirement for multi-factor authentication, log management, or network security protocols. GDPR is designed to be open-ended so that professionals in technology, security and compliance create innovative leading-edge controls and reports to uphold the policy of GDPR. Do you learn best in context?

Let's start at, “what is GDPR and how do we understand it in US terms?”  

European Civics Lesson and GDPR

To understand GDPR let's take a quick European civics lesson.  Following World War II in 1950, the Council of Europe drafted a treaty called the European Convention on Human Rights (ECHR) to provide unity among European nations through the respect of human rights and freedoms. The treaty has several articles which are basic citizens’ rights similar to the US Bill of Rights.

Article 8 provides the right to respect one's "private and family life, his home and his correspondence." While Article 8 sounds simple, over time each country in the EU developed their own privacy laws which created a fragmented, complex legal and difficult environment for businesses and organizations wishing to share data across country borders. There was unity in 1995 when the Data Protection Directive was developed, as it provided a general framework that served as a guide to EU nations in crafting similar privacy laws. However, it wasn’t enforced by a central authority; instead EU member countries created country specific supervisory authorities. Standardized EU compliance may have been difficult to achieve as the strength of the supervisory authorities varied from country to country.

Patchwork of Data Privacy in Europe

Over time, a "patchwork carpet" of laws and regulations evolved as noted first hand by Christoph Stoica, Germany Manager at Micro Focus. This created a difficult environment for international business and communication within the European Union.

For example, a major Italian auto manufacturer set up a new office in France and was blocked by French laws to transfer information about French citizens back to its Italian offices.   In another case, cancer researchers from France were blocked in sharing patient data with researchers in neighboring Belgium. If you are interested in learning about the details check out

Building Transnational Civil Liberties (Newman).  It is hard to imagine in the USA, but what if the state data privacy laws were so strict in the US that it was hard for retail or restaurant chains to do business in every state, or if your medical records could not be shared across state borders?

No Safe Harbor for US Business

Europeans not only love American style music they also love American style internet technology. In 2000, the European Commission developed the Safe Harbor Privacy Principles as a way for US business to conduct digital business in Europe and uphold the privacy laws of the Data Directive. These laws were designed to ensure the protection of personal data for EU citizens under a set of 7 principles including notice, choice, transfer, security, integrity, access and enforcement.

This law held up with 4,000 self-certified businesses in the US for 15 years until Lawyer Max Schrems argued and won a case against Facebook, which caused courts to strike down Safe Harbor. The case brought to light that Facebook may have been sharing data with the US Government as Edward Snowden leaked the PRISM (surveillance program). In response, the EU Council replaced Safe Harbor with the amended EU-US Privacy Shield effective July 2016.  Max is still at odds with the EU decision and litigation is still ongoing in 2017.

US Strategies in dealing with Post Safe Harbor - pre GDPR

While not exactly the most efficient route, many US companies avoid transferring or processing any EU citizen data back to the US by setting up in-country data centers or working within country cloud providers to maintain data sovereignty. In Europe, Cloud 28+ is an open consortium of service providers that help businesses find and support regionally based services.

Are you ready for May 2018?

While GDPR is effective May 2018, there is still work being done between the EU Council, the US Government and US Businesses on defining the gap between the current EU-US Privacy Shield and GDPR.  Ask leaders in your organization these questions to test your readiness:

  • How are we preparing to deal with increased fines of up to 4 percent of the annual global turnover or Euro 20 million?
  • Do we have the right controls and processes in place to notify regulators of data breaches within 72 hours of the incident?
  • GDPR includes the "Right to erasure." How will our organization be able to identify and erase records from multiple data sources like AD, Oracle and other SaaS-based applications?
  • Will we need to hire an additional staff like a DPO Data Protection Officer to be the focal point for GDPR requirements?

The good news is that many organizations doing business with Europe may already be on their way to compliance if they are following current US-EU Privacy Shield standards or are complying to other regulations such as ISO 27001 or HIPAA. The key will be finding the gap between these regulations and GDPR. GDPR will take a project-based approach, so if you have not already; appoint a leader now as the clock is ticking to May 2018!

About Simon Puleo

Simon Puleo CEH (Certified Ethical Hacker) is an educator/trainer by day and a security researcher at night.  In his role as a Global Enablement Specialist at Micro Focus he educates employees and customers on identity powered security with an emphasis in access control including multi-factor authentication.

More About Simon