Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

11/9/2017
05:51 PM
Joe Stanganelli
Joe Stanganelli
News Analysis-Security Now
50%
50%

GDPR: Broad, Complex & Coming Soon

GDPR will likely have an impact on your business very soon - whether or not you have a location in the EU.

At a recent "Are you GDPR ready?" event hosted at Red Hat's global executive briefing center in Boston, the Mass Technology Leadership Council (MassTLC) sought to help attendees identify how to make compliance with the European Union's General Data Protection Regulation (GDPR) more manageable in a world where more than enough complexities already exist.

"Security isn't just an industry anymore," said Sara Fraim, MassTLC's Director of Policy, as she presented a complex Venn diagram highlighting the interconnectedness of tech companies across 14 different verticals. "GDPR is something that is affecting all [14] of these industries."

And, indeed, GDPR is nothing if not far-reaching. Under the older regime of the EU's 1995 Data Protection Directive (a.k.a. Directive 95/46/EC) data-privacy and data-protection rules have generally reached multinationals only if they had sufficient economic activity and/or a sufficient physical presence in one or more member states. In today's increasingly globalized data economy, these considerations seem to have become less of a qualifier and more of a loophole from the perspective of the notoriously privacy-sensitive EU.

"GDPR [is] intended to be extremely broad in its applicability," Harriet Pearson, a partner at Hogan Lovells and head of the global law firm's cybersecurity practice, told attendees in her keynote of the event. Explaining that the traditional indicators of physical presence are now less relevant, Pearson described how GDPR's reach encompasses (1) any organization that offers goods or services to EU citizens, and (2) any organization that actually tracks or targets EU citizens and their behavior -- notwithstanding the geographic location of the organization in question.

Pearson went on to explain how this enhanced breadth is actually intended to simplify -- not complicate -- the data-protection regulatory regime in the EU -- motivated by a desire to enhance individual member-state regulatory bodies' enforcement powers. This in and of itself is complicated, however; Pearson noted that the goal of getting national regulatory agencies to be a "one-stop shop" for GDPR review and enforcement flies in the face of the traditional propensity for individual EU member-state regulators naturally preferring "to do their own thing."

Even beyond the potential for battles over jurisdictional interpretation, there are yet other areas of GDPR enforcement where not everything is clear cut. Pearson indicated that an organization whose sole data-tracking activities amount to little more than a website and/or an app, for example, represents a "close call" when it comes to GDPR's reach -- depending upon the specific facts of the scenario. Nonetheless, she was able to suggest that a good general rule of thumb comes down to methods and interactions.

Here, Pearson related the story of an unnamed nonprofit outside of the EU that had received unsolicited donations from EU citizens. The nonprofit was concerned about being subjected to GDPR, despite having no presence or real activities in the EU, because it had received unsolicited donations from EU denizens. Pearson related her own conclusion that, as long as the nonprofit did not track the donors, send them mailings or other correspondence (such as a "thank you" letter, an offer to subscribe to their newsletter, or the like), or otherwise actively solicit or track people in the EU, the nonprofit would likely have nothing to worry about.

Emphasis on "likely."

"There's very, very little actual settled law in this area," said Pearson of data-protection precedent in the EU -- particularly when it comes to matters like exceptions to consent requirements for gathering, moving, or using an EU citizen's PII. "It depends then on the risk appetite of the company that you're in."

On this point, Pearson observed what has long been regarded as best practice globally in the areas of appeasing cybersecurity and data-protection regulators -- that corporate compliance is often less about getting a perfect score and more about being able to say (and demonstrate) that you tried.

"If you guess wrong on something that hasn't been adjudicated, okay, you guessed wrong," said Pearson. "But that goes along way."

Either way, Pearson emphasized, "every single one of [your] policies needs to be updated to comply with GDPR" -- whether that takes the form a complete overhaul of all policies or instead means quilting "EU-flavor" patchworks as necessary.

The latter approach, however, can be dangerous -- particularly where the input of legal-compliance data-protection specialists is limited. Consider the current example of MailChimp. The automated email-marketing service alienated its EU customers a few weeks ago when it quietly announced that the company would default all customers' email newsletters to single opt-in -- as opposed to the "double opt-in" standard of double-checking with newsletter recipients to see if they actually do want to receive the customer organization's newsletter before MailChimp sends it to them. As security blogger Graham Cluley explains:

"What does that mean? It means that subscribers won't have to confirm that they really really want to receive a newsletter. Which means that any toerag can enter your email address for a newsletter run on MailChimp's systems that you don't want and the onus will be on you to unsubscribe."

When enough European customers complained, citing GDPR and other compliance requirements, MailChimp backpedaled -- but only in regards to customers located in the EU. All other customers would still be required to manually adjust their settings -- impacting those customers' compliance postures (as well as, likely, MailChimp's own compliance posture!) where their EU email recipients are concerned.

This highlights another major issue surrounding GDPR compliance efforts: Third-party vendors -- despite facing their own GDPR liability -- may not understand your and your customer or user data as well as you do. On this note, Pearson suggested taking a prompt, proactive approach to considering and working with third-party data processors when it comes to GDPR compliance -- particularly because of how time-consuming vendor negotiations and compliance efforts can be. Otherwise, she cautioned, the organization may risk getting stuck with the vendor's own boilerplate agreement terms -- which could be a poor fit with the rest of the organization's business and policies (if not downright substandard).

After all, the clock is relentlessly ticking away toward May 25, 2018 -- the day when GDPR, replete with all of its costly penalties, goes into full effect.

Related posts:

Joe Stanganelli, attorney and technology journalist, special to Security Now.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
CVE-2020-25791
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
CVE-2020-25792
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
CVE-2020-25793
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.