The General Data Protection Regulation (GDPR): Impact on US Organizations and software development
By Ron McFarland, Ph.D.
Introduction to the GDPR
The General Data Protection Regulations (GDPR) in the European Union took effect on May 25th, 2018. The formation of the GDPR regulations started in January 2012 when the European Commission proposed a comprehensive reform to existing data protection rules. Even though GDPR was invoked over 6 months ago, a recent survey conducted by Sage found that 91 percent of US businesses lack awareness surrounding the details of the GDPR, and 84 percent don’t understand the GDPR’s implications for their business (Harris, 2018). While the US is not directly regulated by the GDPR, the GDPR has a pervasive impact on the security strategy for every company, CEO, and CISO in the United States, and will impact software development shops, as a result.
Who does the GDPR protect?
The GDPR provides protection for the processing of personal data and the fluid movement of personal data. The over-arching objective of GDPR is to give control to EU citizens over their personal data. Because GDPR is so wide-reaching, it simplifies the regulatory environment for business by providing on a consistent set of rules across the EU member states. In essence, the GDPR is a set of regulatory rules and measures that must be complied with and implemented by any organization that controls or processes any form of personal data related to EU citizens. To-date, the GDPR is the largest reform in the past 20 years on data protection that directly impacts the EU and tangentially the United States. Certainly, the GDPR has implications for US organizations and their software development shops.
What is Personal Data as it pertains to the GDPR
GDPR interprets personal data in a broad manner. Personal data pertains to any information related to an individual, whether it is private, professional or public life information. Also, personal information can be anything from a name, a picture, financial records, an email address, posts on social media, a computer’s IP address, and many other pieces of data broadly noted in the GDPR. PricewaterhouseCoopers notes that compliance by US multinationals can be addressed by updating their Information Security incident-response playbook in at least 10 areas to address compliance (PricewaterhouseCoopers, 2016). These 10 areas include:
- Definition of a data breach: GDPR defines it broadly as “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data” compared to the United States definition of “unauthorized access or acquisition”.
- Risk of harm threshold for reporting: “Only those that pose a risk of harm to individuals’ “rights and freedoms” must be reported, a concept mostly nonexistent in US data-breach laws.”
- Safe harbor for strong security measures: “In the US model, the safe harbor for non-reporting is generally limited to data that is encrypted in storage and transit”
- The timing of the notifications: “In the United States, companies experiencing a notifiable data breach must generally notify affected individuals in an expedient manner, with a small handful of jurisdictions requiring definite timetables ranging from five to 30 days”
- Recipients of the notifications: “The US model centers on the notification of affected individuals, with many state attorneys general and federal agencies adding mandatory notification of them”
- The content of the notifications: “Several US states and some federal agencies specify what companies should and shouldn’t include in data-breach notification letters. The GDPR establishes a common standard that doesn’t exist in the United States”
- No credit-monitoring expectation: “While US laws don’t require companies to offer remedies such as credit monitoring to individuals affected by a data breach”
- No “walls of shame” yet: The US maintains a public-facing website that includes the data breaches that are reported. The GDPR does not require similar websites.
- Obligations for processors to notify: “In the US model, the burden of holding third parties accountable for providing timely notification of breaches to their clients falls largely on the clients’ contracting and vendor-management processes
- Post-mortem documentation: “US privacy incident-response playbooks often include a post-mortem process for continuous improvement as a matter of best practice” (PricewaterhouseCoopers, 2016).
In particular, the stipulations in the GDPR include provisions that allow customers to see and delete any data that concerns them, provide transparent data policies that allow for the average person to understand risks, the provision of customer notice of data breaches within a 72-hour time-frame, and following “privacy by design” principles. Privacy by design is a systems engineering approach developed by the Netherlands Organization for Applied Scientific Research in 1995 and adopted by GDPR. Privacy by design is a framework that takes into account privacy considerations for data throughout the entire software development process (Hes, 1998). Further, the GDPR stipulates that any use of customer data by organizations requires consent by the customer, in most cases (Roberts, 2018). Also, Roberts (2018) notes that the GDPR rules include the following aspects of data privacy, which can be addressed by good software development processes. The aspects of GDPR includes:
- The allowance of customers to view and delete any data that concerns them,
- A notice sent from the organization of data breaches within 72 hours of the breach,
- Clarify data policies and ensure the language is transparent and understood by an average person,
- The organization should hire a Chief Data Officer (or similar function) as a point of responsibility,
- Follow “privacy by design” principles in software design, which pairs secure software methods side-by-side with traditional development methods.
Risks to US Companies
Whenever a company wants to trade or do business with one or several of the EU member states, it will have to prove adequacy — in other words, its data protection standards would have to be equivalent to the EU’s GDPR. This virtually makes GDPR a global, worldwide regulation affecting organizations and businesses around the globe. By implication, most US businesses that have EU ties must follow GDPR standards. Additionally, US businesses and organizations that have employees and customers in Europe must comply with the complex series of GDPR rules. For example, GDPR applies to the US companies who have websites made available for individuals in the EU. A manager in the US who operates in an international business and collects data central from EU applicants and employees will have to implement the GDPR protection within the organization’s software to avoid complicated legal and fiscal risks. The GDPR even applies to charities and nonprofit organizations that collect information from applicants in the EU (Harris, 2018).
With the rapid adoption of cloud services, there is a heightened concern with regard to the readiness of these applications and services that the software development groups within organizations must contend with. For online businesses and cloud service providers, GDPR compliance means adherence to the previously noted principles of “Privacy by Design” during the design, development, implementation and deployment of web applications or services, and any components or services associated with them. This will have a significant impact on software development shops in organizations in terms of additional technical resources and human resources needed to address GDPR.
But there is a significant gap in GDPR compliance for US companies that use cloud-based services. A recent study conducted by Symantec/Bluecoat shows that 98% of today’s cloud applications do not even come close to being GDPR-ready. Most businesses will face the urgent need for increased protection on published applications and services. Leading providers of cloud and on-premise web application and API protection services, as well as on-demand, always-on cloud, and hybrid Denial-of-Service mitigation services provide an adequate solution for this acute need. A fully managed WAF and DDoS cloud service provide a fast route to check off one of the regulatory compliance boxes and a worry-free GDPR compliance strategy (Coyne, et. al, 2018).
GDPR non-compliance penalties
There are significant financial risks for non-compliance to the GDPR. For EU companies, punitive actions for non-compliance include fines of up to €20,000,000 when an organization faces a breach related to the stipulated GDPR data protection rules. The GDPR additionally stipulates provisions that promote accountability and governance, which specifies that organizations can be audited for noncompliance. The GDPR also stipulates penalties for organizations outside of the EU that handle customer information For US Businesses that do business with the EU and that do not properly comply with GDPR, fines of up to 4% can be levied on an organization’s global annual revenue. In addition, organizations can be levied additional administrative fines of up to $15,000,000 USD or an additional whopping 2% of annual worldwide revenue for the given year (Lohrmann, 2018).
GDPR is a hot mess
As Lohrmann (2018) states, “The right to your digital footprint is a human right in Europe, but not in the U.S. This law is going to make a mess sooner rather than later”. The biggest companies are well-equipped to deal with GDPR, but the small companies will be harmed the most (Lohrmann, 2018). According to Handley (2018), the task of compliance with the GDPR will be easier for the existing heavily-regulated business-to-business sectors, such as the banking and insurance industry.
GDPR is a hot mess for organizations and their software development shops. Handley (2018) notes that a “storm” is brewing for retailers and other businesses and organizations that deal directly with consumers, due to the potential impact of non-EU organizations that do business with EU clients and customers. For example, the pharmaceutical sector traditionally sold to doctors. With the advent of eCommerce, pharmaceutical companies that market directly to consumers and collect personal information will need to comply with the new GDPR regulations. Further implications of the GDPR include social media companies, like Facebook. Because Facebook has global reach, Facebook is notifying users to verify privacy settings to comply with the GDPR mandates.
In order to comply with GDPR and to avoid stiff penalties, many large companies are hiring additional personnel to decipher the regulation’s complex layers. Many US-companies have fully embraced the GDPR regulations and have spent resources on addressing compliance (Brinkmann, 2018). As an alternate approach, some companies now redirect EU users to a special EU landing page. The EU landing page doesn’t contain the usual trackers and advertisements that could present a data-compliance issue (Brinkmann, 2018). The side-effect of the special EU landing pages, as also noted by Brinkmann (2018), is that the page loads much faster due to the lack of additional scripts and third-party scripts. In contrast, instead of adherence to the GDPR regulations or the provision of a special EU landing page, some US-based companies have decided to block users who reside in the EU, instead of forgoing the expense of providing GDPR compliance.
The Future of a GDPR-syle US regulation
If companies can be fined 4% of their revenue, according to Robert Hackett on Fortuante, these changes are “No longer a slap in the wrist, it is a slap in the face” if organizations miss the GDPR mark (Roberts, 2018). But the appetite for a GDPR-style of regulation in the US is limited. As such, there is no equivalent of the GDPR in the United States, and it is highly unlikely that there will be anything like it in the near future. US regulators have noted the consumer is protected by a composite of varied state and federal rules, which govern the same issues as the GDPR (Hawkins, 2018). However, there is no central authority that enforces the many layers of compliance in the US, similar to the GDPR. The closest entity that acts as a central authority for data protection and privacy compliance is the Federal Trade Commission (FTC) (Hawkins, 2018). However, according to Hawkins (2018), the FTC has little to no oversight over a wide range of businesses and industries including universities, non-profit organizations, airlines, and banks. It is also highly unlikely that Congress will pass any GDPR-style legislation. There are several bills up for consideration following the highly publicized Facebook-Cambridge/Analytica issues, but the proposed bills face dramatic resistance from a powerful tech lobby. Additionally, though the public has expressed concerned in general about data breaches, there hasn’t been strong public interest in a data privacy overhaul in the US (Hawkins, 2018).
There is an evolving solution to the GDPR mess. Dante Disparte (2017) is the founder and CEO of Risk Cooperative and serves on the board of the American Security Project. He suggests that the US consider an organization similar to the Federal Deposit Insurance Corporation (FDIC) for cybersecurity (Disparte, 2017). He notes that “Eventually the economic costs of cyber risk will have to be defrayed — or mutualized — across multiple stakeholders and market segments.” A cyber-like FDIC regulation board that incorporates a certain share of losses, will spur better threat information sharing between the organization (Disparte, 2017, p. 63).
In summary, whenever a US company wants to trade or do business with one or several of the EU member states, it will have to prove adequacy — in other words, its data protection standards are equivalent to the EU’s aggressive GDPR approach to personal privacy. The CISO, CEO, and Board of Directors at many US companies that do business with EU constituents will need to ensure compliance, while software development will need to adhere to privacy by design principles.
Brinkmann, M. (2018, May 29). Fun facts about GDPR and its effect on the Internet — gHacks Tech News. Retrieved December 3, 2018, from https://www.ghacks.net/2018/05/29/fun-facts-about-gdpr-and-its-effect-on-the-internet/
Coyne, L., Dain, J., Forestier, E., Guaitani, P., Haas, R., Maestas, C. D., … & Vollmar, C. (2018). Ibm private, public, and hybrid cloud storage solutions. IBM Redbooks.
Disparte, D. (2017). A Cyber Federal Deposit Insurance Corporation?: Achieving Enhanced National Security. PRISM, 7(2), 52–65. Retrieved from https://www-jstor-org.db03.linccweb.org/stable/26470518
Handley, L. (2018, May 23). US companies are not exempt from Europe’s new data privacy rules — here’s what they need to do. Retrieved October 22, 2018, from https://www.cnbc.com/2018/04/25/gdpr-data-privacy-rules-in-europe-and-how-they-apply-to-us-companies.html
Harris, N. (2018, May 16). A practical guide to the European Union’s GDPR for American businesses. Retrieved December 3, 2018, from https://www.recode.net/2018/5/16/17360944/
Hawkins, D. (2018, May 25). The Cybersecurity 202: Why a privacy law like GDPR would be a tough sell in the U.S. Retrieved December 3, 2018, from https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/05/25/the-cybersecurity-202-why-a-privacy-law-like-gdpr-would-be-a-tough-sell-in-the-u-s/5b07038b1b326b492dd07e83/?utm_term=.870a0b76b62b
Hes, R., & Borking, J. (1998). Privacy Enhancing Technologies: the path to anonymity. ISBN, 90(74087), 12.
Lahiri, K. (2018, March 27). U.S. Businesses Can’t Hide From GDPR. Retrieved December 3, 2018, from https://www.forbes.com/sites/forbestechcouncil/2018/03/27/u-s-businesses-cant-hide-from-gdpr/#4b8434cd52c8
Lohrmann, D. (2018, October 21). Where Next With Cloud Security? Retrieved December 3, 2018, from http://www.govtech.com/blogs/lohrmann-on-cybersecurity/
PricewaterhouseCoopers. (2016, December). Data breach notification: 10 ways GDPR differs from the US privacy model. Retrieved December 3, 2018, from https://www.pwc.com/us/en/services/consulting/cybersecurity/library/broader-perspectives/gdpr-differences.html
Roberts, J. J. (2018, May 25). The GDPR Is in Effect: A Plain English Guide for US Companies. Retrieved December 3, 2018, from http://fortune.com/2018/05/24/the-gdpr-is-in-effect-should-u-s-companies-be-afraid/
About the author
Dr. Ron McFarland, CISSP, PMP is the Dean of Applied Technologies at the College of the Canyons in Valencia, California on temporary assignment as the Cyber Security Program Manager working to support a regional cybersecurity educational initiative for the South Central Coast Regional Consortium (SCCRC) in California. He is a post-doctoral scholar for the University of Maryland University College. He received his doctorate from Nova Southeastern University’s School of Engineering and Computer Science and a post-doc graduate certificate in Cyber Security Technologies from the University of Maryland University College. He also holds multiple security certifications including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications. He is a guest blogger at Wrinkled Brain Net (http://www.wrinkledbrain.net), a blog dedicated to Cyber Security and Computer Forensics. Dr. McFarland can be reached at his UMUC email: firstname.lastname@example.org