Protecting Sensitive Data
As companies rely upon data to drive their businesses, protecting the confidentiality of that data is paramount to stakeholder and customer satisfaction and trust. The privacy officers, charged with protecting sensitive data are strategically important assets for companies especially as regulations start to emphasize consumer privacy.
Jeff Welgan, Head of Executive Training at CyberVista, sat down with Daniel J. Solove to talk privacy, and specifically about the the General Data Protection Regulation (GDPR). GDPR is an upcoming regulation passed by the European Union Parliament that they tout as “the most important change in data privacy regulation in 20 years.” The regulation is designed to strengthen and unify data protection for individuals within and doing business with the EU. (Jeff and Daniel’s interview has been edited for brevity and clarity.)
Jeff: GDPR will not only apply within Europe. Businesses outside the EU will have to comply with GDPR if they collect European personal data. How will this affect U.S. businesses?
Daniel: The GDPR will have an enormous impact on U.S. businesses. It is one of the strictest— if not the most strict—privacy regulations in the world. The GDPR has massive fines—up to 4% of worldwide turnover for certain violations. This is a huge unprecedented amount.
It remains unclear how the GDPR will be enforced. There is a lot of politics surrounding the GDPR, and DPAs [Data Protection Authorities] vary considerably in how aggressive they will be. Some might be staunch enforcers to make a name for themselves in politics. Some might be very academic and philosophical in their thinking and not as pragmatic as the way that leaders of businesses think. Others might be very pragmatic in their approach. The bottom line is that businesses must be ready for anything.
What can U.S. companies processing personal data of EU citizens do now to ensure compliance with the GDPR when it is enforced in 2018?
The best thing to do is to have a strong privacy program.
What makes a strong privacy program?
A knowledgeable and experienced privacy team, a solid corporate architecture where the team is involved in all relevant aspects of the business and has sufficient resources and authority, a clear understanding of the data, routine risk assessments, appropriate policies and procedures, and a robust workforce training program.
Tell us more about these elements of the privacy program.
In most larger companies, privacy is too important and complex to be handled by just one person – a team is needed. There should be ample resources for the privacy team to do their work.
The privacy team should be involved in important corporate decisions including product and service development. The GDPR requires data protection by design, not as an afterthought. The privacy team should be brought in early on in the development of new products and services to flag potential issues or problems and guide design around them.
The company should have a comprehensive set of policies and procedures about privacy. There should be a robust training program for the workforce – everyone – from top to bottom. There should be training on privacy as well as training on data security. The training must be meaningful and effective, not just check-the-box training for compliance.
A privacy program also involves knowing the data. All personal data collected by a company should be known and accounted for. Every repository of data should have an “owner” or “shepherd” who is responsible for that data. There should be robust documentation of all the things that are being done regarding privacy – this makes it much easier to respond when regulators come knocking. There should be routine risk assessments.
The GDPR enforces strict data protection and transparency rules for personal data. Companies are required to obtain explicit consent from data subjects in the EU in order to collect and process their personal data. How does this stipulation impact companies’ data collection and retention practices?
This is a big challenge because in the U.S., the predominant form of consent is opt-out consent, which is insufficient for the GDPR.
I think that it is always advisable to get as strong of a consent as possible in as many situations as possible. Not too long ago, Canada passed the Canadian Anti-Spam Law (CASL), which has a strict opt-in requirement for obtaining consent for commercial electronic messages. In some cases, implied consent can suffice, but even it expires after a few years. Strong, opt-in consent is the best thing to have in the long run.
Under the GDPR, businesses are required to notify of a breach within 72 hours if it puts personal data of EU citizens at risk. What does this mean for companies’ breach response and notification practices?
The impact here will be significant, but not in terms of a company’s breach response. Laws in the U.S. already have some short reporting periods.
I think that the big impact will be on what EU regulators learn when they start seeing all of the breach notifications. They will suddenly be seeing loads of dirty laundry, and it will be eye opening to them. I suspect it will affect the way they enforce as well as the way they approach data security regulation in the future.
In what ways, if any, can U.S. businesses influence the implementation of the GDPR and make it more pro-business?
My sense is that the EU policymakers are responding to a concern that there are so many powerful companies gathering data about EU citizens, and that there is a tremendous power imbalance when these companies are outside of the EU. EU policymakers want to be listened to and respected. They want to have a seat at the table and participate. They want companies outside of the EU to care about EU citizens. In other words, they want to have a meaningful stake in all this. If they are shown that respect, I think that’s a large part of the battle.
U.S. businesses think very practically and they try to comply with regulations as literally as soon as possible. The EU is less concerned with having a law that is practical. EU privacy law is partly aspirational. It’s hard to comply perfectly. I don’t think that EU regulators are looking for perfect compliance. They are looking for a serious effort.
The GDPR requires that the Board of Directors provide full support to the privacy team, including financial and staff resources. How can the board ensure that the adequate support is provided?
The Board should meet with and be briefed by the privacy officer at least several times a year, if not more often. Privacy programs are often underfunded. Compare this to data security, where the Board can better grasp the costs of data breaches. It is easier to come up with a big budget and throw lots of resources at the problem. With privacy, the costs are more intangible. It’s hard to put a dollar figure on privacy because it involves consumer trust.
In order to be up to date on the information security policies and procedures, the privacy team needs to maintain close relationship with the security team. What does the effective collaboration between these teams involve?
The privacy and security teams definitely must collaborate. For example, privacy professionals often have legal expertise and must advise the security team about the law of data security. The law specifies which security standards are required. What must be done to comply with the HIPAA Security Rule? The Gramm-Leach-Bliley Act Safeguards Rule? What are the cases holding regarding liability for data breaches? What are the various notification and reporting requirements? And so on.
On the reverse side, there are also many areas where the security team’s technical expertise is needed by the privacy team.
About Daniel J. Solove
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School and the founder of TeachPrivacy, a privacy awareness and security training company. He is the author of 10 books and more than 50 articles. Professor Solove has more than 1 million followers at LinkedIn. He blogs about privacy and security issues at Privacy+Security Blog. He organizes The Privacy + Security Forum, a large annual event in Washington DC. You can follow Professor Solove on Twitter @DanielSolove.
Want to learn more?