U.S. companies have a lot of work do before May 2018, according to Justin Antonipillai, Founder and CEO of WireWheel and former Acting Undersecretary of the Department of Commerce, at the Wall Street Journal’s Cybersecurity Executive Forum in New York.
In May, the General Data Protection Regulation (GDPR) will go into effect in Europe, mandating much stricter controls on how data can be collected, analyzed and used. The GDPR has been heralded as a monumental shift towards protecting and valuing customer data privacy, and Europe considers it a huge win for strengthening citizen’s rights.
The privacy conversation is one that had been rapidly ascending into boardrooms and security operations centers, Antonipillai said. “Privacy is no longer a vitamin, or something you’ll see at the low end of a priority chain. It’s becoming an issue of trade and market, and a critical part of security portfolios.”
Ajay Arora, CEO and co-founder of data security company Vera, added that U.S. companies must expand their understanding of privacy.
“It is not just a change in technology or process, but is rather at direct odds with security goals.”
Once GDPR comes into play, Antonipillai hypothesizes that an array of U.S. companies could be significantly caught off guard by the new regulations, especially those operating in the financial, healthcare and advertising sectors.
“It’s not just that the fines [for noncompliance] are so massive,” he said. “Thousands of companies have no idea they’re directly covered by this law. Now, even if you’re offering a single mobile application in the European app store, you’re directly subject to these fines.”
In addition to the estimated 30,000 companies large enough to warrant an independent GDPR auditor, Antonipillai warns that small and medium-sized companies must not assume that the regulators will leave them alone in order to go after bigger players.
“We’ll absolutely see enforcement against smaller companies and startups – regulators know that if they leave them alone, there will be a belief that there’s a ‘pass’ until you get to a certain size.”
He added that company size isn’t the biggest indicator that regulators are likely to target for non-compliance. Small companies that conduct risky work with sensitive data are highly susceptible to regulatory monitoring.
In preparation for anticipated monitoring uptakes starting in May, small and large companies alike have to make special preparations to comply with the GDPR’s 72-hour breach notification requirement.
Arora explained that there is no cookie-cutter ‘knee jerk’ reaction that companies will have once they realize they’ve been breached.
“When that 72 hours begins, you ask yourself two questions: One: Are you mishandling data, and two: Are you mis-using data?,” he said.
The tricky part of these questions correlates with chain of command problems inside companies. According to the GDPR, whomever controls the data is ultimately responsible for compliance and paying fines when regulators deem it necessary.
“Here, data value chains become incredibly important,” clarified Antonipillai. “If you are the one that originally collects the data and you hand it down the chain of command, but you have the customer relationship, you’re ultimately responsible for making sure the entire chain can report a breach within 72 hours. That’s on you, not the regulators.”
This problem is magnified for companies that operate all over the world, as controllers have to be aware of individualized regulations in each zone. Even data that originates in California and touches German networks momentarily is fully covered by GDPR.
However, even if corporations hire auditors and take other measures to make sure they’re compliant, this 72-hour requirement is likely to prove problematic. There is no industry-wide ‘stamp of approval’ that designates sufficient compliance, let alone a standard for incident response, or even a clearly defined point of regulatory contact that companies should make when they assess they’ve been breached.