CIOs and other IT pros should not fear the new European data protection rules that are set to take effect on May 25—just a few months away.
Sure, the European Union’s new General Data Protection Regulation (GDPR) has sparked a ton of work and challenges to tackle but, to torture the words of Samuel Johnson, nothing concentrates the mind like a good crisis. And a challenge it has been, some might even say a crisis, for the many, many companies that collect, store, process, and use customer and other personal data. Urgency spurs action.
Generally, the rules give European individuals more say over what happens with their data than the EU’s current data protection provisions. In some cases, individuals can also rescind access to their data as needed and move their personal information from one repository to another. GDPR basically takes the “right of erasure,” also commonly known as the “right to be forgotten,” to a new level. So, if you do not want your personal information “out there,” you have more options when it comes to websites, social media and others handling your data.
It also clarifies what constitutes personal data in that it recognizes that online identifiers, such as an IP address, could potentially identify individuals.
With that in mind, here is a reminder of some things CIOs may want to think about as the May 25 deadline approaches.
First, the basics: This may be a European regulation, but it broadly applies to any company that collects data on even one customer or client in Europe. So that means virtually everybody.
Second, there will be penalties for non-compliance, potentially significant penalties. As in, failure to comply with GDPR could potentially cost a company up to 4 percent of its global annual revenue or 20 million euros (about $24.5 million), whichever is greater.
Did I mention focus? A 4 percent fine could mean the difference between profit and loss for the bulk of the world’s retailers.
Employee data counts
Now for some of the less talked about aspects of GDPR.
First, most of the noise thus far has been around the real and potential impact of these rules on consumer-oriented companies like Facebook, Google and Adroll, which offers ad-targeting services. But don’t forget that business-to-business companies also store a ton of personal information about their own employees, contractors, and partners.
This is something Constellation Research analyst Holger Mueller says must be hammered home to any company with a human resources department (i.e., all of them).
All of that personal data needs to be safeguarded.
But things are not always black and white here. GDPR is awash in nuance. For example: When it comes to hiring and recruiting there is a gray area between consumer and employee data. “Once someone applies for a job on a web site, the lines blur,” Mueller says.
In addition, while GDPR lists requirements for erasing personal data, for example when it’s no longer needed, it also enumerates several exceptions to those rules, which are described in “The GDPR Guy” blog and podcasts.
There will be times when legal requirements demand that some data, even data a person may want removed, must be retained, for example. No one said this would be easy.
Most everyone can agree that a person’s social security number, home address, and birth date are personal data, but GDPR raises the prospect that an IP address, even a dynamic IP address, of a person’s PC can be considered personal information.
Beware of personal data stashes
For many companies, the biggest risk is not necessarily in their centralized systems; it’s the myriad spreadsheets and word processing files that sit on personal computers or workgroup file servers. The very popular tools that led the PC revolution could now pose one of the thorniest issues in data security.
Curt Monash, president of Monash Research, summed it up: “Always remember—Excel is a data store, and it’s usually one of the least secure ones.”
Speaking recently at an Oracle conference in New York, Mark Frissora, CEO of Caesars Entertainment, said that until recently his company relied on 2,000 spreadsheets to close its books but has since moved all of that work to a more centralized accounting system. That’s about 2,000 fewer points of vulnerability. [Disclosure: I am an Oracle employee.]
Some experts say that even in the wake of the massive Sony data breach three years ago, in which a spreadsheet holding salary information of thousands of Deloitte consultants was exposed, some companies are still struggling to get a good handle on what data is out there somewhere on their network. Now would be a very good time for them to look into data loss prevention technology, because ignorance is definitely not bliss in this case.
This is not a knock on spreadsheets. It’s just that the same applications that give end users so much power often end up creating a hairball for those tasked with keeping data secure. And the issue is magnified if users don’t keep their software up to date and patched.
Prep but don’t panic
Those who study up on the GDPR’s data security rules say one problem is that what most people refer to as a set of rules is really more of a framework with lots of wiggle room and not a ton of prescriptive detail.
In general, the idea is to make companies assess their vulnerabilities and make good faith efforts to mitigate them.
And those scary fines? Many security pros acknowledge the prospect is sobering, but say it also presents an opportunity for companies to embrace security and mitigate their risk exposure.