GDPR: Broad, Complex & Coming Soon

At a recent "Are you GDPR ready?" event hosted at Red Hat's global executive briefing center in Boston, the Mass Technology Leadership Council (MassTLC) sought to help attendees identify how to make compliance with the European Union's General Data Protection Regulation (GDPR) more manageable in a world where more than enough complexities already exist.

"Security isn't just an industry anymore," said Sara Fraim, MassTLC's Director of Policy, as she presented a complex Venn diagram highlighting the interconnectedness of tech companies across 14 different verticals. "GDPR is something that is affecting all [14] of these industries."

Image source: MassTLC 2016 State of the Technology Economy Report

And, indeed, GDPR is nothing if not far-reaching. Under the older regime of the EU's 1995 Data Protection Directive (a.k.a. Directive 95/46/EC) data-privacy and data-protection rules have generally reached multinationals only if they had sufficient economic activity and/or a sufficient physical presence in one or more member states. In today's increasingly globalized data economy, these considerations seem to have become less of a qualifier and more of a loophole from the perspective of the notoriously privacy-sensitive EU.

"GDPR [is] intended to be extremely broad in its applicability," Harriet Pearson, a partner at Hogan Lovells and head of the global law firm's cybersecurity practice, told attendees in her keynote of the event. Explaining that the traditional indicators of physical presence are now less relevant, Pearson described how GDPR's reach encompasses (1) any organization that offers goods or services to EU citizens, and (2) any organization that actually tracks or targets EU citizens and their behavior -- notwithstanding the geographic location of the organization in question.

Pearson went on to explain how this enhanced breadth is actually intended to simplify -- not complicate -- the data-protection regulatory regime in the EU -- motivated by a desire to enhance individual member-state regulatory bodies' enforcement powers. This in and of itself is complicated, however; Pearson noted that the goal of getting national regulatory agencies to be a "one-stop shop" for GDPR review and enforcement flies in the face of the traditional propensity for individual EU member-state regulators naturally preferring "to do their own thing."

Even beyond the potential for battles over jurisdictional interpretation, there are yet other areas of GDPR enforcement where not everything is clear cut. Pearson indicated that an organization whose sole data-tracking activities amount to little more than a website and/or an app, for example, represents a "close call" when it comes to GDPR's reach -- depending upon the specific facts of the scenario. Nonetheless, she was able to suggest that a good general rule of thumb comes down to methods and interactions.

Here, Pearson related the story of an unnamed nonprofit outside of the EU that had received unsolicited donations from EU citizens. The nonprofit was concerned about being subjected to GDPR, despite having no presence or real activities in the EU, because it had received unsolicited donations from EU denizens. Pearson related her own conclusion that, as long as the nonprofit did not track the donors, send them mailings or other correspondence (such as a "thank you" letter, an offer to subscribe to their newsletter, or the like), or otherwise actively solicit or track people in the EU, the nonprofit would likely have nothing to worry about.

Emphasis on "likely."

"There's very, very little actual settled law in this area," said Pearson of data-protection precedent in the EU -- particularly when it comes to matters like exceptions to consent requirements for gathering, moving, or using an EU citizen's PII. "It depends then on the risk appetite of the company that you're in."

On this point, Pearson observed what has long been regarded as best practice globally in the areas of appeasing cybersecurity and data-protection regulators -- that corporate compliance is often less about getting a perfect score and more about being able to say (and demonstrate) that you tried.

"If you guess wrong on something that hasn't been adjudicated, okay, you guessed wrong," said Pearson. "But that goes along way."

Either way, Pearson emphasized, "every single one of [your] policies needs to be updated to comply with GDPR" -- whether that takes the form a complete overhaul of all policies or instead means quilting "EU-flavor" patchworks as necessary.

The latter approach, however, can be dangerous -- particularly where the input of legal-compliance data-protection specialists is limited. Consider the current example of MailChimp. The automated email-marketing service alienated its EU customers a few weeks ago when it quietly announced that the company would default all customers' email newsletters to single opt-in -- as opposed to the "double opt-in" standard of double-checking with newsletter recipients to see if they actually do want to receive the customer organization's newsletter before MailChimp sends it to them. As security blogger Graham Cluley explains:

"What does that mean? It means that subscribers won't have to confirm that they really really want to receive a newsletter. Which means that any toerag can enter your email address for a newsletter run on MailChimp's systems that you don't want and the onus will be on you to unsubscribe."

When enough European customers complained, citing GDPR and other compliance requirements, MailChimp backpedaled -- but only in regards to customers located in the EU. All other customers would still be required to manually adjust their settings -- impacting those customers' compliance postures (as well as, likely, MailChimp's own compliance posture!) where their EU email recipients are concerned.

This highlights another major issue surrounding GDPR compliance efforts: Third-party vendors -- despite facing their own GDPR liability -- may not understand your and your customer or user data as well as you do. On this note, Pearson suggested taking a prompt, proactive approach to considering and working with third-party data processors when it comes to GDPR compliance -- particularly because of how time-consuming vendor negotiations and compliance efforts can be. Otherwise, she cautioned, the organization may risk getting stuck with the vendor's own boilerplate agreement terms -- which could be a poor fit with the rest of the organization's business and policies (if not downright substandard).

After all, the clock is relentlessly ticking away toward May 25, 2018 -- the day when GDPR, replete with all of its costly penalties, goes into full effect.

Related posts:

— Joe Stanganelli, attorney and technology journalist, special to Security Now.