A Call for Clients To Get Educated on GDPR

A new Dell One Identity Solutions study reveals that more than 80 percent of businesses outside the European Union say they know close to nothing about the General Data Protection Regulation (GDPR), which comes into effect in May 2018. Only three percent of IT and business professionals actually have a working plan of action in place. This survey reinforces the global lack of understanding of GDPR and should serve as a warning for clients to educate themselves on the workings of GDPR compliance in order to avoid eye-watering penalties of up to four percent of global revenues. We encourage clients to contact us for further guidance on this extremely important issue.

The EU-US “Privacy Shield” Is Not a Good Fit for Most U.S. Businesses

There was an almost audible sigh of relief upon the agreement of the new EU-US Privacy Shield framework. Reading the average press report, one might mistakenly think that personally identifiable information can now flow between the EU and the US without further ado. The tap does not just turn on automatically, however. Most US businesses will still need to implement their own arrangements to ensure European personal information can be used in their US operations.

Why? First, Privacy Shield is a voluntary arrangement with some heavy-duty obligations. Second, it is not a mechanism for avoiding EU data regulations — quite the contrary. Privacy Shield requires US applicants to implement and continuously adhere to EU regulations. Applicants must register with the US government and certify their compliance annually. Once registered, the Department of Commerce and the Federal Trade Commission can monitor, investigate, and bring enforcement actions against the registrant.

It is interesting to note that in 15 years of operation, only about 4,000 US companies signed up to the now-defunct Safe Harbor regime.

Safe Harbor worked essentially the same way as the new Privacy Shield: internal implementation of EU regulations, followed by registration with the US Government for public enforcement. The majority of US businesses decided not to sign up for that government oversight, opting instead to work out the legal logistics through direct contractual arrangements with their European counterparts.

I predict the contractual option will remain the preferred route for most US businesses.

The Privacy Shield will be most helpful for multinationals that process personal data routinely as part of their central business model. For example, eBay, Amazon, Google, and telecommunications and cloud storage providers are likely to sign up to the Privacy Shield regime because there is a business case for doing so.

Whether the average US business opts for the Privacy Shield or ad hoc contractual arrangements, compliance with the EU data privacy regulations has recently become harder with the passage of the General Data Protection Regulation, known as GDPR. I just spent a week attending a summit about the implementation of GDPR. My next two alerts will highlight the practical ramifications and changing compliance obligations for American businesses under the GDPR.

In Spite of the “Privacy Shield” U.S. Businesses Will Still Seek Data Protection Guidance

You will probably be seeing reports that the European Union (EU) and the United States (US) have agreed on a new mechanism to replace the old Safe Harbor, effectively titled the “Privacy Shield.”

The details are hazy and a formal written policy has not been released, but as far as I can glean, the new mechanism and requirements for American companies should not be all that different from those previously faced by companies wanting to benefit from a self-certifying mechanism administered by the Federal Trade Commission (FTC). Under the previous regime, Safe Harbor and model clauses between an EU data controller and a US data processor/controller were merely a private affair; now, the US government becomes a third-party protector by providing written guarantees limiting how the American intelligence agencies collect data on Europeans.

The whole framework has to be approved by the data protection regulators in the 28 member states. France and Germany have already expressed reservations. France’s privacy chief is also the chair of the Pan-European committee that will review the proposal, and her initial remarks indicate that she wants more significant undertakings from the US. An outspoken German member of parliament, who helped bring the General Data Protection Regulation (GDPR) into existence, has called the whole thing “a joke.” All of this leads me to believe that this issue is not going away anytime soon.

The future of intra-company model clauses is still not clear at all, and there has been little discussion about how these developments intersect with the new GDPR. In order to get a better grip on the future of intra-company agreements, I am attending a summit in Brussels on GDPR in two weeks. I will report to clients on what I learn.

An Agnostic View on Cybersecurity

The Federal Trade Commission (FTC) has taken an agnostic view towards cybersecurity as of late. The FTC’s chairwoman, Edith Ramirez, has called for a “culture of security” in which companies and start-ups make the appropriate investment in security when they first conceive a product. However, there is a distinct disconnect between the FTC’s stated intentions and its pursuit of companies for inadequate security: the FTC has set up few clear standards on cyber defense construction and management for companies to follow in the first place. The FTC’s alternative is to “encourage companies to share best practices at a series of forums across the country” to stay one step ahead of hackers. Its urging of start-ups and other companies to invest in cybersecurity is another example of the uncertainty surrounding how the commission will police cybersecurity down the road. Head over to the Financial Times to read more on this topic.

The Importance of Employee Training: Hands-On Experience vs. Advanced Skills

Advanced skills are not necessary to penetrate totally woeful security arrangements. Many government contractors, military and intelligence agencies, and other companies are not looking for people with cybersecurity degrees. Rather, hands-on work experience is becoming increasingly valuable within the computer profession. These employers first identify people with natural ability and related technical skills, and then introduce them to formal on-the-job training aimed at adapting them to security-related roles. This real-world experience will prove more valuable than a collection of degrees or certifications.

Ira Winkler of Computerworld makes a strong point in her article by arguing, “unless you have a program to identify competent professionals within your organization and offer them jobs and training that will arm them with security expertise, you are creating your own cybersecurity skills shortage.” This method of hiring ties in with what Sequel has been saying for a while: employee education and training is critically important when it comes to preventing costly cybersecurity issues down the road. An employee’s “willingness to expand their skill-set” will translate into a stronger security program for you at the end of the day.