Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

11/9/2017
05:51 PM
Joe Stanganelli
Joe Stanganelli
News Analysis-Security Now
50%
50%

GDPR: Broad, Complex & Coming Soon

GDPR will likely have an impact on your business very soon - whether or not you have a location in the EU.

At a recent "Are you GDPR ready?" event hosted at Red Hat's global executive briefing center in Boston, the Mass Technology Leadership Council (MassTLC) sought to help attendees identify how to make compliance with the European Union's General Data Protection Regulation (GDPR) more manageable in a world where more than enough complexities already exist.

"Security isn't just an industry anymore," said Sara Fraim, MassTLC's Director of Policy, as she presented a complex Venn diagram highlighting the interconnectedness of tech companies across 14 different verticals. "GDPR is something that is affecting all [14] of these industries."

And, indeed, GDPR is nothing if not far-reaching. Under the older regime of the EU's 1995 Data Protection Directive (a.k.a. Directive 95/46/EC) data-privacy and data-protection rules have generally reached multinationals only if they had sufficient economic activity and/or a sufficient physical presence in one or more member states. In today's increasingly globalized data economy, these considerations seem to have become less of a qualifier and more of a loophole from the perspective of the notoriously privacy-sensitive EU.

"GDPR [is] intended to be extremely broad in its applicability," Harriet Pearson, a partner at Hogan Lovells and head of the global law firm's cybersecurity practice, told attendees in her keynote of the event. Explaining that the traditional indicators of physical presence are now less relevant, Pearson described how GDPR's reach encompasses (1) any organization that offers goods or services to EU citizens, and (2) any organization that actually tracks or targets EU citizens and their behavior -- notwithstanding the geographic location of the organization in question.

Pearson went on to explain how this enhanced breadth is actually intended to simplify -- not complicate -- the data-protection regulatory regime in the EU -- motivated by a desire to enhance individual member-state regulatory bodies' enforcement powers. This in and of itself is complicated, however; Pearson noted that the goal of getting national regulatory agencies to be a "one-stop shop" for GDPR review and enforcement flies in the face of the traditional propensity for individual EU member-state regulators naturally preferring "to do their own thing."

Even beyond the potential for battles over jurisdictional interpretation, there are yet other areas of GDPR enforcement where not everything is clear cut. Pearson indicated that an organization whose sole data-tracking activities amount to little more than a website and/or an app, for example, represents a "close call" when it comes to GDPR's reach -- depending upon the specific facts of the scenario. Nonetheless, she was able to suggest that a good general rule of thumb comes down to methods and interactions.

Here, Pearson related the story of an unnamed nonprofit outside of the EU that had received unsolicited donations from EU citizens. The nonprofit was concerned about being subjected to GDPR, despite having no presence or real activities in the EU, because it had received unsolicited donations from EU denizens. Pearson related her own conclusion that, as long as the nonprofit did not track the donors, send them mailings or other correspondence (such as a "thank you" letter, an offer to subscribe to their newsletter, or the like), or otherwise actively solicit or track people in the EU, the nonprofit would likely have nothing to worry about.

Emphasis on "likely."

"There's very, very little actual settled law in this area," said Pearson of data-protection precedent in the EU -- particularly when it comes to matters like exceptions to consent requirements for gathering, moving, or using an EU citizen's PII. "It depends then on the risk appetite of the company that you're in."

On this point, Pearson observed what has long been regarded as best practice globally in the areas of appeasing cybersecurity and data-protection regulators -- that corporate compliance is often less about getting a perfect score and more about being able to say (and demonstrate) that you tried.

"If you guess wrong on something that hasn't been adjudicated, okay, you guessed wrong," said Pearson. "But that goes along way."

Either way, Pearson emphasized, "every single one of [your] policies needs to be updated to comply with GDPR" -- whether that takes the form a complete overhaul of all policies or instead means quilting "EU-flavor" patchworks as necessary.

The latter approach, however, can be dangerous -- particularly where the input of legal-compliance data-protection specialists is limited. Consider the current example of MailChimp. The automated email-marketing service alienated its EU customers a few weeks ago when it quietly announced that the company would default all customers' email newsletters to single opt-in -- as opposed to the "double opt-in" standard of double-checking with newsletter recipients to see if they actually do want to receive the customer organization's newsletter before MailChimp sends it to them. As security blogger Graham Cluley explains:

"What does that mean? It means that subscribers won't have to confirm that they really really want to receive a newsletter. Which means that any toerag can enter your email address for a newsletter run on MailChimp's systems that you don't want and the onus will be on you to unsubscribe."

When enough European customers complained, citing GDPR and other compliance requirements, MailChimp backpedaled -- but only in regards to customers located in the EU. All other customers would still be required to manually adjust their settings -- impacting those customers' compliance postures (as well as, likely, MailChimp's own compliance posture!) where their EU email recipients are concerned.

This highlights another major issue surrounding GDPR compliance efforts: Third-party vendors -- despite facing their own GDPR liability -- may not understand your and your customer or user data as well as you do. On this note, Pearson suggested taking a prompt, proactive approach to considering and working with third-party data processors when it comes to GDPR compliance -- particularly because of how time-consuming vendor negotiations and compliance efforts can be. Otherwise, she cautioned, the organization may risk getting stuck with the vendor's own boilerplate agreement terms -- which could be a poor fit with the rest of the organization's business and policies (if not downright substandard).

After all, the clock is relentlessly ticking away toward May 25, 2018 -- the day when GDPR, replete with all of its costly penalties, goes into full effect.

Related posts:

Joe Stanganelli, attorney and technology journalist, special to Security Now.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28487
PUBLISHED: 2021-01-22
This affects the package vis-timeline before 7.4.4. An attacker with the ability to control the items of a Timeline element can inject additional script code into the generated application.
CVE-2021-21260
PUBLISHED: 2021-01-22
Online Invoicing System (OIS) is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS which can enables an attacker takeover of the admin account through a payload that extracts a csrf ...
CVE-2021-21270
PUBLISHED: 2021-01-22
OctopusDSC is a PowerShell module with DSC resources that can be used to install and configure an Octopus Deploy Server and Tentacle agent. In OctopusDSC version 4.0.977 and earlier a customer API key used to connect to Octopus Server is exposed via logging in plaintext. This vulnerability is patc...
CVE-2020-4766
PUBLISHED: 2021-01-22
IBM MQ Internet Pass-Thru 2.1 and 9.2 could allow a remote user to cause a denial of service by sending malformed MQ data requests which would consume all available resources. IBM X-Force ID: 188093.
CVE-2021-21259
PUBLISHED: 2021-01-22
HedgeDoc is open source software which lets you create real-time collaborative markdown notes. In HedgeDoc before version 1.7.2, an attacker can inject arbitrary JavaScript into a HedgeDoc note, which is executed when the note is viewed in slide mode. Depending on the configuration of the instance...