Eventually, the GDPR privacy-hammer was going to fall on American tech firms.
On January 21, France’s privacy watchdog used the European Union’s General Data Protection Regulation (GDPR) to levy a 50-million Euro ($57 million) fine against Google, noting that the company’s practices did not “sufficiently inform” users about how their data was being used by the company. (The search engine giant is already planning an appeal.)
Since the regulation took effect in May 2018, most of the fines have been small, with a handful of enforcement actions reaching into the mid-six figures. Many observers believed it was only a matter of time before the law was aimed at one of the Silicon Valley giants, with Google and Facebook the most obvious candidates.
It is easy to dismiss GDPR as a Euro-centric regulatory issue, but the law applies to any organization that processes the personal data of people in the EU, wherever that organization is based, and consumer data moves freely across borders through any number of cloud services. Security pros on both sides of the Atlantic (and across the globe) therefore need to pay close attention to how a new crop of privacy and compliance rules is changing the nature of their jobs.
It’s also not limited to Europe.
In Asia, Vietnam has implemented a data protection law that also has U.S. tech firms in its crosshairs. Russia has several regulations to protect that country’s consumer data, and China is following suit.
And in the U.S., the California Consumer Privacy Act of 2018, which provides for modest fines for privacy violations, takes effect on Jan. 1, 2020. Taken together, these new rules and regulations prompted Gartner analysts to list privacy as one of five major digital transformation strategies that CIOs and IT executives will need to focus on this year, alongside more technical issues such as augmented intelligence (using software to augment human decision-making).
What happens in California, home of Silicon Valley, could reverberate across the U.S. as other states weigh measures of their own. If one political party again controls both Congress and the White House and manages to push through its vision of data regulation, a unifying federal privacy law could then supersede the state rules.
“GDPR has significantly raised the profile of privacy since going into effect,” Paul Sonntag, the practice director for Global Privacy at Coalfire, a provider of cybersecurity advisory and assessment services, noted in an email to Dice.
“Increasing public awareness, the threat of enforcement, and the regulatory focus on documenting data processing activities and privacy-by-design principles mean that privacy concerns have moved beyond the purview of legal to affect pretty much every aspect of operations,” Sonntag added. “The impact will grow as additional privacy regulations arrive, which is happening at an increasing pace in the U.S. and around the world.”
Those sentiments were echoed by Chris Morales, head of security analytics at Vectra, a San Jose, Calif.-based security vendor. He argues that sound data protection and privacy policies should form the foundation of an enterprise’s entire cybersecurity plan, which means that security-minded tech pros, and the CISOs who lead them, cannot ignore a government regulation simply because it originates outside the U.S.
“Every security professional needs to be able to identify what data an organization is generating, collecting, storing, sharing, and using,” Morales noted in an email. “This means an essential skill set will be knowing how to establish a data classification policy, a data dictionary, and a data governance policy. These policies sort data into specific classifications, such as public, proprietary, sensitive, personal data, and more. The impact should be better data governance not just for GDPR but for any compliance regulation like PCI, HIPAA, etc.”
With so many data privacy laws coming into focus, and changes to other rules and regulations being debated daily, how can the security team keep up?
Nathan Wenzler, senior director of cybersecurity at Moss Adams, a Seattle-based accounting, consulting and wealth management firm, outlined three simple but important habits CISOs should encourage their staff to adopt.
Read International News Publications
While the EU’s GDPR made a huge splash in the media last year, it is not the only regulation outside the U.S. that deals with data privacy and security. Several of these regulations are already influencing U.S. legislation and may serve as the blueprint for laws passed in the next few years. Keeping tabs on news publications based outside the U.S. gives security teams early visibility into the kinds of laws that may be coming down the pipeline.
Visit the Regulating Body’s Site
This may sound too simple, but because these regulations tend to be so complicated, nearly every governing body now publishes summaries, “What’s New” documentation, comparison charts showing key changes against related regulations or previous versions, and more. These documents give security pros a quick read on whether a new law is likely to apply to their organization before they spend a great deal of time working through the full text of the regulation itself.
Use Your Social Networks
Whether through LinkedIn, information security community groups such as OWASP, or any other means of connecting with fellow InfoSec professionals, staying in touch with peers who deal with regulatory matters is one of the most reliable ways to learn when new laws are coming into effect. As with news and media, keep in touch with contacts in other parts of the world, since the regulations they are dealing with may soon become relevant to your organization (if they are not already).
“Keeping up with the latest regulations and laws can be tough, even if you’re a dedicated compliance officer,” Wenzler added. “The rules are constantly changing, and it’s often difficult to know whether or not one regulation or another applies to your particular InfoSec program efforts.”