How GDPR Is Disrupting the Global Privacy Law and Benefiting Us

GDPR (General Data Protection Regulation) applies to all EU citizens, though there is no easy way for software companies to tell whether an individual is an EU citizen or not, and dual citizenship further complicates the matter. No data processor or controller can afford to ignore the GDPR regulation, because the EU is such an important market. GDPR stipulates good and long-missing data privacy and security requirements; after all, we can never have enough security.

As of May 25, 2018, GDPR outlines specific security and privacy controls that supersede the European Data Protection Directive, which was the foundation and guideline on data protection. Ultimately, GDPR is a better, clearer version of the EU Data Protection Directive. So how does it affect us in the US?

In Summary:

– The US has weak general privacy law compared to the EU, or to what any security/privacy professional would expect

– Most companies did not even bother to follow the EU Data Protection Directive (the foundation of GDPR)

– GDPR safeguards our right to our personal information

– GDPR dictates that security measures be in place by default

– GDPR requires notification of breaches

– GDPR holds corporations responsible for reporting to the supervisory authority

– The fine for noncompliance with GDPR is up to 4% of global revenue

Introduction of GDPR Will Cause Sweeping Change in the US:

Out of the Global 100 Software leaders, only 27 are non-US based and merely 10 are EU based, excluding the UK.

The US only has industry-specific data privacy law, such as HIPAA for the healthcare industry, but lacks general regulation; this is why the EU is concerned over how US companies handle data privacy. In addition, the EU Data Protection Directive also prohibits the transfer of personal data to a jurisdiction with weaker privacy law, which is where the US falls, since it has essentially none as of now.

Out of this concern, Safe Harbor was created, where US companies could voluntarily join and certify how they handle data privacy in order to have personal data transferred from the EU to the US. In other words, the US company pledges to follow the tighter privacy law of the EU in its handling of personal data.

Fortunately, after a legal challenge, the EU Commission declared Safe Harbor invalid in October 2015.

Privacy Shield was then created to fill the gap, since US companies handle personal data despite the loose US privacy law. Unsurprisingly, Privacy Shield was also challenged multiple times.

Now with GDPR rolling in, there is no alternative. The industry is going through sweeping change, and nearly all US-based online/software service providers are updating their terms and conditions to comply with the GDPR.

In a nutshell, the evolution of US-EU data privacy standards:

Safe Harbor -> Privacy Shield -> GDPR

Some definitions explained:

Data Controller (cloud customer)

– For example, the company you work for, where one of its purposes is to handle your personal data.

Data Processor (service provider)

– Those that provide the underlying services, such as a software vendor that processes your HR activity (e.g. paycheck or tax preparation software).

Data Subject (you, me, all of us)

– The aim is mainly EU citizens, but it is not feasible to treat EU citizens and non-EU citizens differently, as this would require an additional method to confirm the citizenship of each Data Subject.

Why is GDPR a good disruption:

It gives users the right to:

– Notification (article 34)

– Erasure (article 17)

– Correction (article 16)

– Information (article 18)

Penalties to ensure Data Processors and Data Controllers do comply:

– Up to 4% of global revenue (article 83)

Major mandatory responsibilities for the processing of personal data:

– Data Protection Officer (article 37)

– Data Processing Agreement (not entirely described in article 6)

– Technical and Organisational Measures (not entirely described in article 25)

– Processor and Sub-processor (article 28)

– Security processes/measures (across multiple articles, such as 32)

– Breach Notification (to the supervisory authority: article 33; to the data subject: article 34)

– Cooperation with the supervisory authority (article 31)

Major concerns with the enforcement of GDPR:

– ALL data processors and data controllers that handle EU citizens' personal data are affected

– Significant fine (up to 4% of global revenue)

o Worst case: if you have 25 violations in a year, your company potentially worked for free the whole year.

– Most US companies were not aligned with the EU Data Protection Directive

o If you cannot walk, how can you run? If a company was not familiar with the foundation, it is much harder to comply with a regulation like GDPR that sets an even higher standard.

– How easy is it to deliver the rights of information, correction, erasure and notification?

o All services that deal with personal data will have to develop an easy-to-consume feature (such as an API) and document every location of the data before such requests can be processed.

– How will it be certified?

o Currently, no certification is available

o There is no "best practice" or "checklist" to follow

Conclusion:

The US does not have a strong privacy law; thus, to comply with GDPR, most companies have a lot of work to do. Sadly, if the law does not hold us to higher standards, no company will ever act so voluntarily.

The EU market cannot be ignored; hence, complying with GDPR is the only way to avoid the significant fine of up to 4% of global revenue.

GDPR requires data protection by design and by default.

GDPR also gives many more concrete rights to the data subject, which is us.

Questions that every company should be asking:

– Is your company ready to be GDPR compliant?

– How do you map your security controls to the relevant GDPR articles?

– Which companies are most vulnerable to being the first to be fined?

The full GDPR legislation and official translation can be found here.
