GDPR: So What’s “Compliant,” Anyway?
tl;dr: While GDPR doesn’t yet have a formal, certifying body, it can be part of a robust compliance program for those processing European data.*
Do you remember the “Y2K Bug?” It was everywhere in 1999: on TV news, in the paper; I even remember a novelty stuffed “Y2K Bug” toy. The fear that a truncated “2000” date — appearing as “00” in systems — would crash every computer as we knew it loomed through the year, and it wasn’t until January 1, 2000 (or honestly, probably January 2) that we realized we’d dodged a collective bullet. Things rolled on with minimal hiccups, and the novelty toys ended up in the trash.
Let’s fast forward nearly 20 years, to 2016. I’m in a status call with my CEO, CTO, VP of Sales, and a couple of key folks from development. We’re staring at a mishmash of General Data Protection Regulation content, trying to figure out how we can rapidly iterate our product — which is pretty popular in Europe — to be GDPR compliant before May 2018, the month the data privacy regulations take effect. Although the date seems far away, the scope of GDPR means we’ll have to make sweeping changes to the way the software and the business work.
I left that company before May 2018, but my former coworkers reported that nothing really happened on May 25, 2018; GDPR just quietly came to be, and whether they were truly compliant or not remained a mystery. My coworkers thought they were, but no one called to say one way or another; there were no badges to put on the website, and no audits to do. Much like the Y2K Bug, much ado was made about nothing, and life rolled on.
…but not quite.
In January of 2019, a European data regulator fined Google €50,000,000 (a little over $55.6M USD) for lack of transparency and consent in advertising personalization. This was the first GDPR fine for a US company, and the first major fine for a company that conducted business in both the US and the EU. Other companies with ties to the US were soon facing action as well; Marriott International (€99M for the November 2018 data breach) and British Airways (€183M for the September 2018 breach) are two recent and very large examples. It’s now clear that international companies with ties to Europe face scrutiny and punishment from EU data regulators.
What, exactly, does this mean for organizations that fall under GDPR regulation? Without a formal certifying body, it’s difficult to say whether or not your company is actually GDPR compliant. With fines levied against even the smallest of companies, it’s not in any organization’s best interest to ignore GDPR in hopes of not being noticed. How can a company develop a compliance program that considers GDPR effectively? Let’s look at a few options.
Understand the key concepts. Like any compliance framework, GDPR is long and complicated. Luckily, the European Commission provides plenty of resources, including some very clear and concise Q&As, to help covered entities navigate the requirements. It’s worth every company’s time to review these, whether or not the company thinks the regulation is applicable. Even if a business doesn’t fall under the GDPR umbrella, it’s not far-fetched to think US regulations could follow suit in the coming years.
Have a modern-day security and compliance program. Let’s be honest; everyone should have this, whether they fall under GDPR or not. Protecting intellectual property, customers’ data and personal information, and organizational reputation are critical to any business, in any location, in any industry. The easiest way to do this is to have active, up-to-date policies and procedures that your entire organization adheres to.
Consider industry certifications. Considering the negative press and fines that breached companies endure, it’s no surprise that consumers are more aware of data security and privacy issues than ever. Pursuing and obtaining certifications are an excellent way to build confidence in a product and company; not only does it actively demonstrate a commitment to security and compliance, but it can differentiate an organization from the competition. A few useful certifications that address GDPR items are:
ISO 27001 - the standard for information security, this certification systematically examines risks, risk treatments, security controls, and management processes. While the ISO 27001 certification doesn’t directly imply or certify GDPR compliance, the two encompass similar aspects of privacy and information security.
TRUSTe - this certification’s framework is built around multiple international standards, including GDPR, OECD Privacy Guidelines, and the APEC Privacy Framework. While not as broadly recognized as ISO 27001, it does guide organizations on developing a system that supports international data flow concerns.
EuroPriSe - “new” in the compliance space, the European Privacy Seal (EuroPriSe, for short) was introduced in 2009 to address rapidly evolving EU privacy laws. Developed by data protection authorities across Europe and now focused primarily on GDPR, this is an excellent option for entities based within the EU. It’s certainly useful for other organizations, but since it’s not an easily-recognized certification quite yet, it may not be the first choice for some.
Having these things alone won’t protect against breaches or other negative events, but they are a solid foundation for a well-developed security and compliance posture. Company culture must reflect an emphasis on security, and ensuring there’s buy-in across all levels of an organization is critical to lasting success. If GDPR is a concern, use it as a launching pad for an improved program, protecting the data, and the reputation, that really matter.
ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security and compliance that helps innovators meet the requirements of their most scrutinizing customers. We specialize in cloud security engineering and cloud compliance. Our team of experts guides customers through complex cloud security challenges, from foundations to implementation, audit preparation and beyond.