Earlier this week, I was fortunate enough to listen in to a webinar with Robin Basham, Bob Metzger, and Lisa Harchuck Popadic. This webinar highlighted the General Data Protection Regulation (GDPR). GDPR is the newest privacy law regulating how custodians of Personally Identifiable Information (PII) of individuals residing in the 28 partner countries must protect that PII.
The GDPR is a lengthy read, but the CliffsNotes version is this: the way in which you are required to manage the PII of any individual within the 28 defined countries is likely going to be problematic for U.S. business owners. Of particular interest was a point Ms. Basham raised on the topic of data retention. If you hold PII of Carlos Smith from Spain, you do not simply get to keep that data in perpetuity. There is a “Right to Erasure” clause, which is an update to the former Safe Harbor agreement, where a “Right to be Forgotten” existed as a result of the civil case “Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014)”.
Ms. Basham went on to describe a scenario in which the PII was thought to have been removed or “erased” by the custodian, but a breach then took place and that record was among the records disclosed, because the business owner was not aware that an employee with BYOD permissions still had the record on a personal device. In that case the company may face a fine of up to 20,000,000 EUR or, in the case of an enterprise, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is greater (Article 83, Paragraphs 5 & 6).
This issue is compounded for U.S. firms that rely on cloud-based capabilities. Absent signing up for very restrictive terms and conditions that guarantee the data resides on a specific asset within an infrastructure-as-a-service (“IaaS”) offering, the ability to physically control where the record of Carlos Smith went is very problematic.
If you are a government contractor (“GovCon”) and you rely on European business partners, what types of data are you maintaining? If you answer, “well, I don’t,” think again. Do you have any of the following?
- business partner’s name
- banking details to allow for payments via ACH
Bob Metzger highlighted how GovCons now have to abide by recent changes to the Defense Federal Acquisition Regulations (DFAR) that direct GovCons to implement NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”. This added great value to the discussion because the goals and objectives of GDPR and DFAR are very different: DFAR is designed to focus on security, and GDPR is designed to focus on privacy. The point being made was that, while the objectives differ, similar outcomes are possible.
I recently had a discussion with an insurance carrier that was interested in HEMISPHERE’s cyber risk exams for applicants. One of the questions was, “Does it focus on security or privacy?” While you can have cybersecurity without directly tying it to privacy, you cannot reduce privacy risks without implementing cybersecurity best practices. So if a GovCon is able to demonstrate capabilities that align with the 110 controls currently in play, these same controls will likely have a significant impact in reducing the GovCon’s cyber risk exposure to a privacy violation under GDPR.
For more information as to how HEMISPHERE can help you meet your cyber, legal and insurance concerns, please contact us for a free consultation at (703) 881-7785 or email us at firstname.lastname@example.org.