The pandemic caused individuals and companies alike to alter or check their normal security and data protection practices.
In 2019, I couldn't imagine providing my name and mobile phone number to restaurant hosts — that would then be written on a long and exposed paper list of other diners, too — to get a table inside. Nor could I have imagined logging, recording and sharing the health data of myself and others, to facilitate contact tracing.
On the corporate side, many organizations accelerated their journeys to the cloud, partially to enable their decentralized and hybrid or fully home-based workforce and customers. As we've watched the boundaries between home and work, personal and business, and even customers, employees, employers and vendors blur — and continue to — there are many unique security factors to consider.
The Global Impact of GDPR
At its heart, the European Union’s General Data Protection Regulation, GDPR, brings data protection to EU citizens. At the same time, it harmonizes distinct national rules and regulations into a single law that applies to the personal data of EU citizens, wherever they are from and wherever their data is stored. But GDPR came into effect in 2018, when most of us did not envision the amount of data that we’d be amassing daily in just a few short years.
The EU's GDPR has global reach because the broad terms of the regulation mean that any company offering goods or services — for example, cloud services developed by U.S.-based companies — to residents of the EU may be subject to the regulation merely because they are available to EU-based individuals. This is true even if the company is not "established" in the EU, and it applies to all organizations, regardless of size.
Additionally, the law imposes significantly greater fines for data breaches (up to 4% of annual global revenue), and requires businesses not only to conduct and implement a wide range of policies, procedures and controls (jointly owned by Privacy, IT and Security), but also to show evidence that they have done so. While this was never going to be a small undertaking, it has only grown in complexity.
A Potential Shift Towards Data Localization
With supply chains upended, vendors rapidly onboarded, and data quite literally everywhere, there is a widespread rush to protect organizations from the significant fines and reputational damage attached to GDPR. But more recently, on April 9, Portugal's data protection authority, the National Data Protection Commission, ordered Statistics Portugal, in carrying out the national census, to suspend processing of personal data in any third country that lacked adequate privacy protections, including the United States.
The stop processing order is a remedy under GDPR that quite literally orders a company to cease cross-border data transfers — and in some cases, to cease using particular data processors. The Portuguese decision validates industry concerns that the EU is moving towards data localization, given that the decision turned on other countries being included in the network of the service provider, Cloudflare.
How to Prepare for Stop Processing
For companies that depend on supply chains and providers, the idea of “stop processing” and data localization requirements may create a chilling effect, against which a 4% revenue fine pales. So, how can you best manage and protect your supply chain and global vendors?
In terms of your data, wherever it is created, collected, used or shared, you are quite literally now your partner’s keeper. You have an affirmative responsibility to limit the data you share with your partners and vendors to only that data you have permission to share. Then, in sharing, you have an obligation to proactively confirm that your partners and/or vendors understand and will make reasonable efforts to comply with the purpose limitation and appropriate protection of that data. While these obligations should be specified in your contracts, you may also find yourself in a position where you need to defend sharing data with a partner or vendor should something go awry under their care.
Given the stakes, a third-party vendor risk assessment takes on a whole new level of importance and priority. You should turn these assessments into regular, proactive reviews and ensure they are not simply checkbox exercises, but that you are crystal clear with third parties about their obligations to protect shared data. Failure to do so may result in their mistakes being costly for your company.
Start Your Security Efforts Internally
Finally, you cannot protect your organization against an infinite number of unknowns. But, if you implement data lifecycle management policies, you will by default limit and better understand the data that you need to protect. Similarly, if you appropriately move data from production to archive environments, and properly delete it as required under GDPR data minimization requirements, you will also reduce your risk.
I truly believe security must be everyone’s job. If you treat it as an afterthought, or leave it to the people in IT, or even to your CISO, then you have already failed. No matter how great the security team is that your organization employs, history has shown us that the adversaries are too much and too many. While security practitioners need to get our defenses right every time, hackers only need to be right once. Therefore, if security is the job of every single employee, you will have an army to protect your data.
Ultimately, GDPR, like most other privacy and security laws, simply reframes or reimagines the best practices that security-conscious companies have been implementing for many years. But the time is now to install effective policies, procedures and technical controls to ensure businesses of the future are lean, optimized and cyber-resilient.