The General Data Protection Regulation (GDPR) came into effect in May 2018, but it won’t be until 2019 that we’ll see the first fines for non-compliance handed out. While organizations continue to try to meet GDPR in the coming year, they’ll also wrangle with how to meet the flux of competing and siloed data security regulations. This is my seventh prediction in the blog series 10 predictions for 2019: What's in store for Windows and Office 365 pros.
Sam Seaborn was right: or what the GDPR is doing about data security
Sam Seaborn’s poignant monologue to President Bartlet in The West Wing still gives me chills because of the accurate foresight the writers had almost twenty years ago in predicting the biggest issue facing us today: privacy and data security.
The next two decades are going to be privacy. I'm talking about the Internet. I'm talking about cell phones. I'm talking about health records and who's gay and who's not. And, moreover, in a country born on the will to be free, what could be more fundamental than this?
Regulations similar to GDPR (like the California Consumer Privacy Act of 2018) espouse the Seaborn manifesto, enforcing sweeping consumer privacy laws across the globe. This means companies must re-evaluate the personal data they collect, store, distribute and, above all, protect.
After all, what is more fundamental to the human experience than our identity?
And laws like GDPR and the California Consumer Privacy Act have been made to protect our right to privacy. Regulators will do this by reviewing complaints, working with offending organizations on a remediation plan, and levying fines against those unwilling to protect consumer data or egregiously negligent in doing so. Thus far, the Information Commissioner’s Office (ICO) has only used fighting words — “notices” — with companies like AggregateIQ.
It took over a year for the ICO to levy a fine against Heathrow Airport following a data security incident that occurred in 2017 (pre-GDPR), so we can expect it’ll take just as long for GDPR fines to be handed out.
Conflicting obligations: The data security regulation showdown
2019 is also the year you’ll want to get out your drama-watching popcorn for the real battle between GDPR and competing regulations like the U.S. Government’s CLOUD Act and various financial regulations across the globe (like FFIEC, FCA, and MiFID II).
Financial firms and U.S.-based cloud providers may find themselves in the unfortunate bind of conflicting obligations with regard to GDPR’s “right to be forgotten,” data transfers and regulatory records retention.
Let’s break this down:
- Stuffed inside the March 2018 $1.3 trillion spending bill, and buried on page 2,201 is the Clarifying Lawful Overseas Use of Data (CLOUD) Act that grants U.S. law enforcement (and qualifying foreign governments) the right to request customer and subscriber data be preserved and transferred for their purposes.
- The Federal Financial Institutions Examination Council (FFIEC), the U.K.’s Financial Conduct Authority (FCA) and the E.U.’s Markets in Financial Instruments Directive Two (MiFID II) are financial regulations designed to protect consumers and investors from financial malfeasance by requiring communications to be reviewed and archived.
Any of the regulations listed above can bring an organization into potential conflict with GDPR, specifically Articles 44-49, which dictate how to handle data transfers, and Article 17, which outlines a consumer’s right to have their information deleted.
So, in the case of the financial regulations, let’s pretend that Susan is a financial advisor for ACME Bank living in the U.K., and she has a client named Matt who is a U.S. citizen living in France. Susan comes under investigation by the FCA for alleged financial wrongdoing, so ACME Bank has to produce and save all communications involving Susan. Matt hears that Susan is under investigation and decides to take his business to another bank and he requests that all of his information with ACME Bank be erased. Which regulation does ACME Bank comply with?
Now, what if Matt were himself under investigation by the U.S. Department of Justice for laundering money for a big drug cartel? Matt’s communications stored in Microsoft Office 365 hold the key to bringing down the cartel’s house of cards. Matt also gets wind of this investigation and requests that his information be deleted by Microsoft under GDPR, but Microsoft has a request from the DOJ to preserve and transfer all of Matt’s communications stored in its French data center. What does Microsoft do?
Microsoft has a fully staffed legal department, but do you? Do you have the resources and time to test these competing regulations that have yet to be seriously tested and interpreted?
Navigating competing regulations while ensuring data security
These competing regulations will only increase as data protection silos pop up within regions and even within individual U.S. states. Organizations need to be absolutely certain of the data they store, where it’s stored, and who has access to it to even begin to make sense of their legal obligations.
Here are some helpful hints to get started:
- Discover and classify sensitive data across your Windows environment, including file servers, NAS devices, SQL Server, Active Directory, SharePoint and Office 365.
- Assess who has access to any personal data stored in any of those environments and perform an attestation of that access against a least privilege model.
- Monitor access to anyone’s personal data for suspicious activity and alert your data protection officer immediately to investigate the root cause and scope of the breach.
- Archive event log data both to prove adherence to GDPR and to support forensic analysis if a breach is discovered.
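As an added illustration of the second hint (not code from the original post or its vendor), the PowerShell below reviews NTFS permissions on folders you have already classified as holding personal data and flags entries that break a least-privilege model: broad built-in principals with any access, or Full Control granted to anyone outside an approved owner list. The UNC paths and the ACME group names are assumptions for illustration.

```powershell
# Added example: least-privilege attestation of folders already classified as personal data.
# Paths and group names are assumed placeholders; replace them with your own classification output.
$PersonalDataFolders = @('\\fs01\Shares\HR\Employees', '\\fs01\Shares\Clients\KYC')

# Principals that should never appear on a personal-data folder at all.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ANONYMOUS LOGON')

# The only identities allowed to hold Full Control (assumed data-owner group plus admins).
$ApprovedFullControl = @('ACME\HR-DataOwners', 'ACME\Domain Admins', 'NT AUTHORITY\SYSTEM')

function Get-LeastPrivilegeFindings {
    param([string[]]$Paths)
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Missing: $path"; continue }
        $acl = Get-Acl -LiteralPath $path
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }   # deny entries are not findings
            $who = $ace.IdentityReference.Value
            $reason = $null
            if ($BroadPrincipals -contains $who) {
                $reason = 'Broad built-in principal has access'
            } elseif ((($ace.FileSystemRights -band $fullControl) -eq $fullControl) -and
                      ($ApprovedFullControl -notcontains $who)) {
                $reason = 'Full Control granted outside the approved owner list'
            }
            if ($reason) {
                [pscustomobject]@{
                    Path      = $path
                    Identity  = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited entries point at a parent to fix
                    Finding   = $reason
                }
            }
        }
    }
}

# Produce an attestation record the data protection officer can review and sign off.
Get-LeastPrivilegeFindings -Paths $PersonalDataFolders |
    Sort-Object Path, Identity |
    Export-Csv -Path ".\LeastPrivilege-Attestation-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

An empty CSV is the attestation that the reviewed folders currently meet the model; re-run it on a schedule and diff the output to catch drift.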
All four of those recommendations will go a long way towards assessing your environment and proving compliance with many data security regulations. Time and the courts will tell how conflicting regulations will reconcile in the years to come. In the meantime, learn more about protecting consumer data in this white paper: Key Strategies for Meeting GDPR Compliance Requirements