Risk & Compliance

EU’s General Data Protection Regulation Is Right to Be Tough

European flags in Strasbourg

European data privacy became global news in 2014, when a man in Spain sued Google for “the right to be forgotten,” or RTBF. (That lawsuit is still not over.) RTBF, codified as the right to erasure in Article 17, is part of the European Union’s (EU) General Data Protection Regulation (GDPR), proposed by the European Commission (EC): a data protection framework that “will bring in sweeping changes and place new obligations on any business that handles the data of EU citizens, independent of where the business is located.”

In fact, GDPR has been in development for years. It is a complex regulation that addresses a broad range of issues related to data protection and privacy, including:

  • Consent
  • Data breach notifications
  • Penalties for breaches
  • Obligations for data processors
  • RTBF and much more

Deloitte Netherlands has published a straightforward overview of GDPR; here’s another overview from a law firm that is more qualitative. If you’re looking for quick-and-dirty, this highlights blog from Stanford Law School’s Center for Internet and Society is a good, short read.

Data Governance Toughens Up

GDPR was adopted in April 2016 and applies from 25 May 2018, after a two-year transition period. This is to allow companies time to do the requisite overhaul of corporate data governance frameworks and procedures. And I do mean overhaul.

In my opinion, the fear of massive fines that will be assessed on companies breaching data protection regulations––per GDPR, up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher––will genuinely transform data governance. And that’s a good thing.

Today, companies often treat data almost casually, as a commodity to move back and forth between databases and data lakes, to chop up, aggregate, analyze, create derivative data from, and import into and export out of Hadoop. Many of these same companies don’t have established data governance programs in place; with Big Data, the challenges get, well, bigger.

I believe that GDPR will instead catalyze the rise of corporations as data fiduciaries. This concept is borrowed from the financial world; a fiduciary is “a person who holds a legal or ethical relationship of trust with one or more other parties.” Typically, a fiduciary prudently takes care of money or other financial assets, but regulations like GDPR illustrate the shift of customer data from a generic commodity to a valuable asset that must be cared for with the same prudence.

Cybersecurity: Time Is of the Essence

Today, trust is often in short supply in the data world, particularly when a breach occurs. Companies are typically unaware of data breaches for weeks or months after the fact, and then may wait months or years to notify individuals, fearful of the repercussions or unaware of the extent of the breach. When customers finally are notified, it is often after the story has already broken in the news media. This results in the loss of customer trust and, typically, of the company’s profit.

As an example, a couple of weeks ago I got an email from LinkedIn about a data breach that occurred in 2012, which––surprise!––turned out to be a lot bigger than they’d thought. This is just one example that doesn’t make me feel comfortable about breaches being reported in a timely fashion.

Such a corporate “uh-oh” will no longer suffice under GDPR. The regulation says that “data controllers must notify most data breaches to the Data Protection Authority. This must be done without undue delay and, where feasible, within 72 hours of awareness. A reasoned justification must be provided if this timeframe is not met.” Where a breach is likely to result in a high risk to the individuals concerned, GDPR also requires that those individuals be told without undue delay. The aforementioned crippling fines are a big stick, to be imposed upon companies that do not comply.

But more than the threat of heavy fines, GDPR presents a tremendous opportunity for companies to re-think everything about data governance and data protection, right down to the cybersecurity approaches they use to protect their networks. I recently blogged about FICO’s partnership with iboss Cybersecurity:

“Our partnership will bring FICO artificial intelligence (AI) analytics to the iboss web security platform, creating the first cyber threat score that measures the likelihood of malware infection, phishing attacks, insider threats and data breaches. Through the cyber threat scores, FICO and iboss customers will now be able to more accurately quantify cyber threats and remediate them in real-time, to stop catastrophic infection and data loss before it occurs.”

Targeted technology like the cyber threat score presents a radical departure from the cacophony of generic alarms and false positives that overwhelm most security teams. In today’s environment, the majority of events typically are not investigated. By giving the security operations center real-time analytic threat scores to stop catastrophic data breaches before they happen, FICO is helping companies worldwide to restore customers’ trust while protecting their data.

I’m looking forward to seeing how preparation for GDPR unfolds over the next two years. I’ll be talking more about GDPR on Twitter @ScottZoldi. Follow me.
