I believe the best summary of the new law is directly from the GDPR Commission itself:
The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritised. The reform will allow European citizens and businesses to fully benefit from the digital economy.
Only time will tell whether their intended objective succeeds. In the meantime, businesses are being flooded with advertisements from “GDPR Consultants,” and some lawyers are looking for ways to take advantage of unsuspecting businesses that don’t live up to the law’s expectations.
The new law addresses personal data privacy through six provisions:
- Lawfulness, fairness and transparency. Data is to be collected and used as agreed upon.
- Purpose limitation. Data shall be collected for specified, explicit and legitimate purposes.
- Data minimization. Data shall not be collected if there is no legitimate need for it.
- Accuracy. Reasonable steps must be taken to ensure that collected data is up-to-date and accurate.
- Storage limitation. Also known as the right to be forgotten.
- Confidentiality and integrity. Physical and technical security controls are required to protect collected data.
While it looks simple in theory, the devil is in the details of implementation, and many companies have no clue how to proceed. I recently attended a meeting about GDPR with a group of business executives, and the meeting raised more questions than answers. The attendees asked questions such as: What are the potential conflicts between data retention laws in the US and GDPR’s “right to be forgotten” provision? How does a company prove that it has legitimately “forgotten” a former client? Another question raised was the potential impact of the recent court case Microsoft Corp. v. United States on US companies that own data centers abroad: does GDPR apply to those data centers even though they may hold data for US clients? The one point of agreement among all of the attendees was that businesses are worried about potentially running afoul of the new law, even though some of its provisions are fairly vague. The question was even raised whether companies should consider dropping business within the EU as a precaution.
There are many questions from the infosec field as well, certification being the first. While it has traditionally been possible to prove security skills without certification, how do infosec professionals prove their privacy skills? GDPR requires knowledge of all three essential properties of the security CIA triad, but it extends into other areas that the triad does not cover and requires a certain amount of legal knowledge. For example, a security professional may be an expert in encryption and access controls, but neither control addresses accuracy, purpose limitation or data minimization.
ISSA Austin recognizes the importance of GDPR and its impact on US businesses. It will continue to pursue intelligence and education options to help its members become more knowledgeable about this new law so they can better serve their employers, consumers and clients.
ISSA Capitol of Texas Chapter