The Impact of GDPR Outside the EU

On 25 May 2018, the General Data Protection Regulation, or GDPR[1], takes effect in the European Union.  The regulation mandates strict protection requirements over personal data concerning EU citizens.  Governments and companies inside the EU have been preparing, but many companies outside of the EU may yet be unaware of how this regulation will affect their businesses.  GDPR applies to any organization that holds or processes data on EU citizens, regardless of where it is headquartered.  This includes companies that have employees in the EU, sell or market products or services in the EU, or partner with EU organizations. The penalties for non-compliance can be as high as 4% of global revenue.
User consent is a cornerstone of this new law.  GDPR defines personal data as physical address, email address, IP addresses, age, gender, locations, health information, search queries, items purchased, etc.  Many companies today freely harvest this data, use it, share it, and sell it under the auspices of their ever-changing, usually unintelligible click-through “privacy policies”.  In a post-GDPR world, users must issue explicit consent for each attribute collected and for each use or transfer of these attributes.  If an organization’s privacy policy or data sharing agreements change, users must consent to the changes before they take effect.
Moreover, organizations collecting this data must allow users to take their data with them or delete it entirely if requested.  Compliance audits will become regular events.  GDPR mandates privacy by design and by default.  A quick interpretation means that users must “opt-in” rather than “opt-out” of data collection schemes.
Data minimization, purpose and storage limitations are important principles in the new regulation.  Simply put, don’t collect more information than necessary, don’t use it for purposes other than what you state, and store it only as long as needed.  Exceptions do exist for health, public safety, and national security reasons.
Within each EU member state, the GDPR establishes the position of Supervisory Authority, a government official responsible for overseeing the implementation and enforcement of the regulation.  When organizations detect a breach of EU citizens’ personal data, they are required to report it to the Supervisory Authority in each affected Member State within 72 hours.  The use of encryption on PII can be a mitigating factor in data breaches, which may obviate the need for disclosure to data subjects.
Ideally, data about EU citizens should be housed within the EU.  GDPR has provisions for data transfers outside the EU, and the best way to avoid being subject to these conditions is to keep it local.  One weakness of GDPR is that it doesn’t adequately define the term “third country”.  This will likely cause additional legal debate.
In cases where regular transfers of EU subject data are expected to occur between Member States and other countries or international organizations, the EU Commission may make “adequacy decisions” which facilitate these exchanges.  One such example is the EU-US Privacy Shield[2].  The EU-US Privacy Shield framework replaced the former Safe Harbor, which was ruled invalid by the European Court of Justice.  Companies may apply and self-certify that they meet the criteria contained therein.
With a little over a year to go before GDPR implementation, now is the time to prepare. To help customers comply, software vendors, e.g. IAM, IaaS, SaaS, and marketing solutions providers, need to:

• Build fine-grained consent options into their UIs
• Provide granular data encryption capabilities
• Automate privacy policy change notifications and re-consent prompts
• Respond to personal data export and data deletion requests
• Where appropriate, allow parents or guardians to control the use of children’s PII
• Develop GDPR compliance auditing and reporting tools

Organizations that have European operations or do business with EU citizens will need to:

• Inventory all data
• Conduct data privacy impact assessments
• Encrypt PII data at rest and in transit
• Modify privacy policies, data collection processes, and data handling procedures
• Develop rapid data breach notification processes
• Add mechanisms to customer portals so that users can provide consent to data usage
• Possibly migrate and prune PII from systems
• Apply for EU Commission approved transfer adequacy programs, e.g. EU-US Privacy Shield

GDPR will certainly enhance EU citizen privacy, but the fines for violations could be substantial.  Make sure your IT systems and processes are ready.
[1] http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
[2] https://www.privacyshield.gov/PrivacyShield/ApplyNow
About the author
John Tolbert is a senior analyst at KuppingerCole, with internationally recognized expertise in cybersecurity and identity management. John has consulted for national governments, and has 20 years of experience working in Aerospace, Defense, Manufacturing, and Financial industries. John was honored as an OASIS Distinguished Contributor in 2014, and as an Associate Technical Fellow at Boeing in 2011. In addition to working with OASIS, he has also participated in Kantara Initiative, Transglobal Secure Collaboration Program (TSCP), the FIDO Alliance. He has numerous technical security publications, and is a frequent speaker at cybersecurity and identity management events