For historical reasons, the EU has established itself as a pioneer in data protection legislation, and 2016 was no exception.
In April 2016, after years of preparation, the new General Data Protection Regulation (GDPR) was adopted to replace the patchwork of national implementations of the 1995 Data Protection Directive across EU member states and safeguard the rights of citizens in the digital economy. It applies from 25 May 2018 and, being a regulation rather than a directive, applies directly in every member state without any national transposition. Its stated goal is to simplify compliance and ultimately reduce its cost. But the GDPR comes with a massive sting in its tail. According to a recent global study, what 80% of IT professionals fail to recognize is the international reach of this EU regulation, and the eye-watering penalties for failing to comply.
Whether your organization is based in the US, UK or anywhere else in the world, insufficient provision for protecting the data of people in the EU runs the risk of fines of up to 20 million EUR or 4% of your annual worldwide turnover (whichever is higher).
Organizations can amass personal data on EU citizens unwittingly through common techniques such as profiling, loyalty cards, online shopping and the like. The final text of the GDPR even references “monitoring the behavior” of EU residents by tracking their digital activities. The GDPR cannot get much broader, given that nearly every website in the world does exactly that.
So what actually constitutes personal data, and how can you comply? Any data that pertains to an identifiable person is personal: online identifiers, credit card numbers, IBANs and any other banking information, health information, and even location data and biometric or genetic data (the last of these are "special categories" that attract stricter rules). The GDPR requires that you take both technical and organizational measures to prevent the transfer of personal data to a recipient that does not offer adequate protection, to prohibit use outside the purpose for which it was collected, and to anonymize or pseudonymize data where necessary. It also demands notification of a personal data breach to the supervisory authority within 72 hours of becoming aware of it (welcome news in the wake of the Yahoo debacle, where it took nearly 2 years to disclose one of the biggest customer security breaches on record). Note to self: why not take a stand against Facebook's attempt to share WhatsApp user data across its services, in direct contravention of its promise when it bought the app?
What is also new with the GDPR is the notion of "privacy by design and by default" (the regulation's own wording is "data protection by design and by default"). In choosing to include these as key principles, the legislator has acknowledged that privacy cannot be ensured by legislation alone, but must be incorporated in the design and maintenance of information systems. Under Article 25 of the GDPR, a data controller is required to implement protective measures both at "the time of the determination of the means for processing and at the time of the processing itself". Such measures include data anonymization, pseudonymization and other privacy-enhancing technologies. One caveat matters in practice: truly anonymized data falls outside the GDPR altogether, but pseudonymized data (where the link back to the individual survives, for example through a key or lookup table) is still personal data and remains subject to every other obligation.
You might be forgiven for thinking that, as a US or UK-based company that avoids soliciting EU business, data protection is not your problem. But there are many reasons to take it seriously.
Case Study #1 – USA
Take the U.S. for example. Although there is no single, comprehensive federal (national) law regulating the collection and use of personal data, each congressional term brings proposals to standardize laws at a federal level. A mixture of federal and state laws and regulations sometimes overlap, match and contradict one another. In addition, there are many guidelines, developed by governmental agencies and industry groups that do not have the force of law, but are part of self-regulatory guidelines and frameworks that are considered “best practices”. These have accountability and enforcement components that are increasingly being used as a tool for enforcement by regulators.
Yet attitudes to data privacy in the US and EU have historically been considered as polar opposites. EU attitudes towards data privacy, which favor the rights of the individual, contrast with those of the US under the US Patriot Act which favors the rights of the state. So how can we reconcile data privacy and public security in a world where terrorism is striking at the heart of our democracies? Wherever you stand in this debate, the impact of these regulations will be non-negligible.
Some of the most prominent US federal privacy laws include the Federal Trade Commission Act (FTC Act), Financial Services Modernization Act (Gramm-Leach-Bliley Act – GLB), Health Insurance Portability and Accountability Act (HIPAA), Security Breach Notification Rule, Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act, Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. The president-elect has already said that with regard to cyber security, data retention, data transfer and compliance, some of the existing regulations will be changed, potentially even replaced with some new, stricter regulations.
So, like it or not, data privacy is a force to be reckoned with in 2017. Compliance with the GDPR, the most stringent of these regimes, is a safety net in transatlantic business. The old "Safe Harbor" mechanism, struck down by the Court of Justice of the EU in October 2015, has now been replaced by the "Privacy Shield", adopted by the European Commission in July 2016 and open for self-certification since August 2016. Any eligible US company can self-certify for Privacy Shield to the Department of Commerce and publicly commit to comply with the Framework's requirements. While joining the Privacy Shield Framework is voluntary, once an organization makes that public commitment, it becomes enforceable under US law. The new framework is said to underpin over $250bn of transatlantic trade in digital services annually by facilitating cross-border data transfers with the EU.
Case Study #2 – UK
Yes, but Brexit! Even so, UK national law already applies. Independently of the EU, all organizations in the UK that collect, process or store personal information must comply with the UK Data Protection Act 1998 (DPA), or face fines of up to £500,000 for serious contraventions such as a data breach. And given that Brexit cannot actually take effect before Spring 2019 (assuming Article 50 of the Treaty on European Union, as amended by the Lisbon Treaty, is triggered in March 2017), this leaves the best part of a year in which GDPR punitive measures will apply to the UK just as in any other EU member state. Even post-Brexit, the "Great Repeal Bill", intended to take effect immediately on exit from the bloc, would directly incorporate existing EU law into UK law. During an unspecified period it would then be possible to "amend, repeal or improve any law after appropriate scrutiny and debate".
Whether Brexit culminates in something resembling a Norwegian or Swiss model, or a far less EU-friendly alternative – even the hardest Brexiteers would probably agree that instead of a freestyle deal, maintaining equivalent data protection regulations with the trading partner that consumes over 50% of your exports would not be such a bad idea. The Information Commissioner’s Office (ICO) states in basic terms: “if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
According to PwC, the new compliance journey will require organizations to map and classify all their personal data; perform risk assessments; design privacy protections into all new business operations and practices; appoint dedicated data protection officers; monitor and audit compliance; and document everything they do with data. GDPR compliance is therefore likely to become a competitive advantage over rivals that lag behind.
Case Study #3 – Tech companies and IT departments
One of the fundamental changes with the GDPR is that companies that provide services to other companies – known under the legal term of “data processors” – will also face the same hefty fines, which will affect technology service providers in particular.
An independent survey of large-company CIOs showed that 52% of the US companies surveyed hold data on EU citizens, making them subject to the GDPR. The primary concerns for these companies are the ability to know where customer data is at all times, and proper concealment of customer data used in testing.
Interestingly, the vast majority of this customer data actually resides on back-end systems. In this context, test data privacy solutions will play a major role in compliance.
Other key findings from US respondents to this survey include:
83 percent use live customer data in test systems when testing applications, because they believe the use of live data ensures reliable testing and accurately represents their production environment
83 percent provide customer data to outsourcers for testing purposes and 78 percent agree that outsourcing makes it more difficult to pinpoint instances of customer personally identifiable information (PII)
71 percent believe the emergence of mobile technologies is one factor making it more difficult to track customer data as it moves through the enterprise
The adoption of DevOps and agile approaches and their reliance on continuous testing actually increases the criticality of test data protection, as the pace and frequency of software rollout is increased.
With more modern 3-tier applications (particularly mobile) ultimately connecting through the back-end application, test data anonymization tools (such as DOT-Anonymizer, which is both platform and database agnostic) are an effective way to mask sensitive customer data throughout the application testing process.
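What masking test data actually involves, as an added example written for this article rather than code from DOT-Anonymizer or any other vendor: a deterministic, keyed pseudonymization of the kinds of personal data listed earlier (identifiers, e-mail, card number, IBAN, health and location data). The record layout, the SAMPLE_RECORDS (constructed, not real people) and the KEY are assumptions of this example. The same production value always maps to the same pseudonym, so referential integrity across tables survives, while the mapping cannot be reversed without the key; card numbers and IBANs are replaced by fictitious values that still pass the Luhn and IBAN mod-97 checks, so validation logic in the application under test behaves as it does in production.

```python
"""Deterministic pseudonymisation of customer records before they reach a test system.

Added example for this article; not DOT-Anonymizer or any other vendor's code.
Assumptions (not from the article): records are dicts with the field names used in
SAMPLE_RECORDS (constructed data, not real people); KEY is a secret injected from a
vault and never stored in the test environment; card numbers and IBANs are replaced
by synthetic values that still pass the Luhn / IBAN mod-97 checks.
Pseudonymised data is still personal data under the GDPR (Recital 26), so the key
must stay out of the test environment and the output still needs access control.
"""
import hashlib
import hmac

KEY = b"replace-with-a-secret-held-outside-the-test-environment"  # assumption


def _stream(value: str, purpose: str, n: int) -> bytes:
    """n keyed pseudo-random bytes derived from (purpose, value).

    Same input -> same output, so one customer keeps one pseudonym across every
    table (referential integrity); the purpose label stops fields correlating."""
    out, counter = b"", 0
    while len(out) < n:
        msg = f"{purpose}\x00{counter}\x00{value}".encode()
        out += hmac.new(KEY, msg, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _tag(value: str, purpose: str, n: int) -> str:
    """n hex characters of the keyed tag."""
    return _stream(value, purpose, (n + 1) // 2).hex()[:n]


def _digits(value: str, purpose: str, n: int) -> str:
    """n decimal digits of the keyed tag (the slight bias is irrelevant for test data)."""
    return "".join(str(b % 10) for b in _stream(value, purpose, n))


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):  # rightmost digit of partial is doubled
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def _iban_numeric(s: str) -> int:
    return int("".join(str(int(c, 36)) for c in s))  # A=10 ... Z=35, digits unchanged


def iban_check_digits(country: str, bban: str) -> str:
    return f"{98 - _iban_numeric(bban + country + '00') % 97:02d}"


def iban_valid(iban: str) -> bool:
    return len(iban) >= 5 and _iban_numeric(iban[4:] + iban[:4]) % 97 == 1


def pseudonymise(rec: dict) -> dict:
    """Return a test-safe copy of one customer record."""
    out = dict(rec)
    out["customer_id"] = "C-" + _tag(rec["customer_id"], "customer_id", 8)
    out["email"] = "user-" + _tag(rec["email"], "email", 12) + "@test.invalid"
    # Card: keep the first digit so issuer-routing logic is still exercised, derive
    # the rest, then recompute the check digit so the number is Luhn-valid but fake.
    pan = rec["card_number"]
    body = pan[0] + _digits(pan, "card_number", len(pan) - 2)
    out["card_number"] = body + luhn_check_digit(body)
    # IBAN: keep the country code (length rules), synthesise an all-digit BBAN and
    # recompute the mod-97 check digits. Bank/branch structure is not preserved.
    iban = rec["iban"]
    country, bban = iban[:2], _digits(iban, "iban", len(iban) - 4)
    out["iban"] = country + iban_check_digits(country, bban) + bban
    # Special-category (health) and location data: suppress rather than pseudonymise.
    out["diagnosis"] = "REDACTED"
    out["geo"] = None
    return out


def leaked_fields(original: dict, masked: dict) -> list:
    """Fields whose production value survived unchanged into the masked copy."""
    return [f for f in original if original[f] is not None and original[f] == masked.get(f)]


SAMPLE_RECORDS = [  # constructed sample data
    {"customer_id": "C-10001", "email": "anna.schmidt@example.com",
     "card_number": "4111111111111111", "iban": "DE89370400440532013000",
     "diagnosis": "type 2 diabetes", "geo": "52.5200,13.4050"},
    {"customer_id": "C-10002", "email": "b.okafor@example.org",
     "card_number": "5500000000000004", "iban": "GB82WEST12345698765432",
     "diagnosis": "none", "geo": "51.5074,-0.1278"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        masked = pseudonymise(rec)
        assert not leaked_fields(rec, masked)
        assert luhn_valid(masked["card_number"]) and iban_valid(masked["iban"])
        print(masked)
```

The design choice worth noting is that health and location data are suppressed rather than pseudonymized: a stable token is enough for a customer identifier that other tables join on, but a diagnosis has no referential role in most test cases and is the kind of value that, combined with other fields, re-identifies a person. A leak check such as leaked_fields belongs in the pipeline that ships data to testers or outsourcers, so that a field added to the production schema and forgotten in the masking rules is caught before it leaves the controlled environment.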
Olenka Van Schendel
VP Business Development at ARCAD Software group
With 28 years of IT experience in both distributed systems and IBM i, Olenka started out in the Artificial Intelligence domain and natural language processing, working as a software engineer developing principally on UNIX. She soon specialized in the development of integrated software tooling including compilers, debuggers and source code management systems. As VP Business Development in the ARCAD Software group, she continues her focus on Application Lifecycle Management (ALM) and DevOps tooling with a multi-platform perspective including IBM i.