Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

11/9/2017
05:51 PM
Joe Stanganelli
Joe Stanganelli
News Analysis-Security Now
50%
50%

GDPR: Broad, Complex & Coming Soon

GDPR will likely have an impact on your business very soon - whether or not you have a location in the EU.

At a recent "Are you GDPR ready?" event hosted at Red Hat's global executive briefing center in Boston, the Mass Technology Leadership Council (MassTLC) sought to help attendees identify how to make compliance with the European Union's General Data Protection Regulation (GDPR) more manageable in a world where more than enough complexities already exist.

"Security isn't just an industry anymore," said Sara Fraim, MassTLC's Director of Policy, as she presented a complex Venn diagram highlighting the interconnectedness of tech companies across 14 different verticals. "GDPR is something that is affecting all [14] of these industries."

And, indeed, GDPR is nothing if not far-reaching. Under the older regime of the EU's 1995 Data Protection Directive (a.k.a. Directive 95/46/EC) data-privacy and data-protection rules have generally reached multinationals only if they had sufficient economic activity and/or a sufficient physical presence in one or more member states. In today's increasingly globalized data economy, these considerations seem to have become less of a qualifier and more of a loophole from the perspective of the notoriously privacy-sensitive EU.

"GDPR [is] intended to be extremely broad in its applicability," Harriet Pearson, a partner at Hogan Lovells and head of the global law firm's cybersecurity practice, told attendees in her keynote of the event. Explaining that the traditional indicators of physical presence are now less relevant, Pearson described how GDPR's reach encompasses (1) any organization that offers goods or services to EU citizens, and (2) any organization that actually tracks or targets EU citizens and their behavior -- notwithstanding the geographic location of the organization in question.

Pearson went on to explain how this enhanced breadth is actually intended to simplify -- not complicate -- the data-protection regulatory regime in the EU -- motivated by a desire to enhance individual member-state regulatory bodies' enforcement powers. This in and of itself is complicated, however; Pearson noted that the goal of getting national regulatory agencies to be a "one-stop shop" for GDPR review and enforcement flies in the face of the traditional propensity for individual EU member-state regulators naturally preferring "to do their own thing."

Even beyond the potential for battles over jurisdictional interpretation, there are yet other areas of GDPR enforcement where not everything is clear cut. Pearson indicated that an organization whose sole data-tracking activities amount to little more than a website and/or an app, for example, represents a "close call" when it comes to GDPR's reach -- depending upon the specific facts of the scenario. Nonetheless, she was able to suggest that a good general rule of thumb comes down to methods and interactions.

Here, Pearson related the story of an unnamed nonprofit outside of the EU that had received unsolicited donations from EU citizens. The nonprofit was concerned about being subjected to GDPR, despite having no presence or real activities in the EU, because it had received unsolicited donations from EU denizens. Pearson related her own conclusion that, as long as the nonprofit did not track the donors, send them mailings or other correspondence (such as a "thank you" letter, an offer to subscribe to their newsletter, or the like), or otherwise actively solicit or track people in the EU, the nonprofit would likely have nothing to worry about.

Emphasis on "likely."

"There's very, very little actual settled law in this area," said Pearson of data-protection precedent in the EU -- particularly when it comes to matters like exceptions to consent requirements for gathering, moving, or using an EU citizen's PII. "It depends then on the risk appetite of the company that you're in."

On this point, Pearson observed what has long been regarded as best practice globally in the areas of appeasing cybersecurity and data-protection regulators -- that corporate compliance is often less about getting a perfect score and more about being able to say (and demonstrate) that you tried.

"If you guess wrong on something that hasn't been adjudicated, okay, you guessed wrong," said Pearson. "But that goes along way."

Either way, Pearson emphasized, "every single one of [your] policies needs to be updated to comply with GDPR" -- whether that takes the form a complete overhaul of all policies or instead means quilting "EU-flavor" patchworks as necessary.

The latter approach, however, can be dangerous -- particularly where the input of legal-compliance data-protection specialists is limited. Consider the current example of MailChimp. The automated email-marketing service alienated its EU customers a few weeks ago when it quietly announced that the company would default all customers' email newsletters to single opt-in -- as opposed to the "double opt-in" standard of double-checking with newsletter recipients to see if they actually do want to receive the customer organization's newsletter before MailChimp sends it to them. As security blogger Graham Cluley explains:

"What does that mean? It means that subscribers won't have to confirm that they really really want to receive a newsletter. Which means that any toerag can enter your email address for a newsletter run on MailChimp's systems that you don't want and the onus will be on you to unsubscribe."

When enough European customers complained, citing GDPR and other compliance requirements, MailChimp backpedaled -- but only in regards to customers located in the EU. All other customers would still be required to manually adjust their settings -- impacting those customers' compliance postures (as well as, likely, MailChimp's own compliance posture!) where their EU email recipients are concerned.

This highlights another major issue surrounding GDPR compliance efforts: Third-party vendors -- despite facing their own GDPR liability -- may not understand your and your customer or user data as well as you do. On this note, Pearson suggested taking a prompt, proactive approach to considering and working with third-party data processors when it comes to GDPR compliance -- particularly because of how time-consuming vendor negotiations and compliance efforts can be. Otherwise, she cautioned, the organization may risk getting stuck with the vendor's own boilerplate agreement terms -- which could be a poor fit with the rest of the organization's business and policies (if not downright substandard).

After all, the clock is relentlessly ticking away toward May 25, 2018 -- the day when GDPR, replete with all of its costly penalties, goes into full effect.

Related posts:

Joe Stanganelli, attorney and technology journalist, special to Security Now.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Safeguarding Schools Against RDP-Based Ransomware
James Lui, Ericom Group CTO, Americas,  9/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4629
PUBLISHED: 2020-09-30
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local user with specialized access to obtain sensitive information from a detailed technical error message. This information could be used in further attacks against the system. IBM X-Force ID: 185370.
CVE-2019-17098
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
CVE-2020-15731
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.
CVE-2020-5132
PUBLISHED: 2020-09-30
SonicWall SSL-VPN products and SonicWall firewall SSL-VPN feature misconfiguration leads to possible DNS flaw known as domain name collision vulnerability. When the users publicly display their organization’s internal domain names in the SSL-VPN au...
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...