[BreachExchange] How to make sense of the changing data legal landscape, from state laws to GDPR

Audrey McNeil audrey at riskbasedsecurity.com
Mon Feb 26 19:48:43 EST 2018


From virtual assistants to pillows that put the smart home to bed, CES 2018
was yet another showcase of how tech, and data, fuel modern life.

Each day, consumers become more dependent on devices that revolve around
data: harnessing it to deliver services, as well as capturing valuable
insights companies can use to streamline activity.

But lately there's been increasing recognition that with high data-flow
comes responsibility, and legislation is shifting to implement greater

Alongside state-level developments, far-reaching laws such as the General
Data Protection Regulation (GDPR) are setting out stricter data privacy and
security rules. And to meet these new standards, watertight internal
polices, usage and vendor selection will be essential.

So how exactly is the legal landscape changing — and what can companies do
to adapt?

The evolving shape of data law

CIOs know there is no universal federal law outlining how data should be
gathered, deployed and stored. Instead, America is divided into a patchwork
of state-level legislation, and many pieces of that patchwork are currently
undergoing alteration.

To add to the confusion, this patchwork is stitched together with guidelines
from government agencies and industry groups. These recommendations are not
themselves law, only self-regulatory "best practices," yet they carry
accountability and enforcement components.

As a result, recommendations are being used as tools for enforcement by
regulators more and more.

Last year, 21 privacy bills were proposed in 11 states — including
Illinois, Washington, Minnesota, Massachusetts and Montana — largely in
response to the scrapping of plans for national online privacy rules.

Meanwhile, California continues to be a standout data safety champion.
After becoming the first state to enact a security breach notification law
back in 2002, it has now seen a proposed ballot measure: the California
Consumer Privacy Act of 2018. If translated into law, the initiative would
require businesses to inform consumers of data collection and sales
activities, and offer clear opt-in or opt-out choices.

The latest Californian proposal has much in common with data laws that will
soon have a significant worldwide impact: the GDPR.

Set to go into effect on 25 May 2018, the regulation will be the first single
set of rules that applies to every organisation processing the personal data
of individuals in the EU, regardless of where the organisation itself is
based. It therefore reaches U.S. and other non-EU firms that offer goods or
services to people in the EU or monitor their behaviour.

Essentially, the key aim of the GDPR is to restore order by creating
standards everyone can follow, while giving consumers more control and
protection. Consent is its most visible requirement, though it is only one
of several lawful bases for processing. Where a company relies on consent,
it must ask for permission to process individuals' personal data (any
information that could identify them) through a plain-language request that
explains why the data is needed and how it will be used, and consent must be
as easy to withdraw as it was to give.

It also enshrines several rights: the right to erasure (the "right to be
forgotten"), the right of access, including a copy of the data a company
holds, and the right to data portability. Moreover, there are further
stipulations, such as data protection by design and by default, and data
minimisation.

Failure to comply exposes companies to substantial fines: up to €10 million
(about $11 million) or 2% of total worldwide annual turnover, whichever is
higher, for the lower tier of infringements (for example, failures in
record-keeping, security measures or breach notification), and up to €20
million (about $22 million) or 4% of worldwide turnover for the upper tier,
which covers breaches of the basic processing principles, data subjects'
rights and the rules on international transfers.

Why the change is good

Initially, the arrival of stringent local and international data
regulations might seem negative, particularly with such heavy repercussions
for non-adherence. But making the adjustments needed to achieve compliance
will actually help companies prosper.

Right now, confidentiality is a major issue — 78% of U.S. internet users
worry about privacy and 84% fear data hacks — and, as a result, trust in
companies is diminishing. Yet, by driving companies to enhance data
security and transparency, these new laws may offer the ideal solution.

In fact, with its emphasis on openly communicating why, how and where data
is used, the GDPR could strengthen relationships between companies and

Furthermore, the process of bringing data processes in line with
legislation is also likely to boost efficiency. For instance, to meet GDPR
requirements (such as providing or removing information on request)
companies will need fast access to every scrap of data they hold on
specific individuals.

This means they must get data into optimal shape by bridging silos created
by storing cross-channel data separately, and centralizing storage — a move
with many benefits.

Not only does consolidation support compliance and improve data quality, but
it also enables companies to create a complete view of individuals and
their journeys that can be used to deliver more relevant, marketing

How should companies be preparing?

Despite the benefits of updated data legislation, it can't be denied that
managing an array of complex state-specific and global laws will be

For U.S.-based companies, there is consequently one reliable way to stay
compliant: setting the internal bar for data security and privacy high
enough to exceed the strictest of the regulations that apply.

To do so, there are a few vital steps companies must take in addition to
amalgamating data:

1. Highlight every alteration

Transparency is an essential part of the emerging legislative landscape, so
companies must clearly communicate how procedures have changed to adhere
with data laws. Externally, privacy notifications and digital policies
should be updated to reflect adjustments.

Of course, with the GDPR, companies will also need to create mechanisms for
requesting, receiving and demonstrating proof of consent — as well as
issuing new requests if they want to use data for a purpose other than that
originally stated.

Internally, it's important to make sure everyone understands the new rules,
and works to uphold them. So, providing in-depth training about alterations
and what they mean is key, as is offering support.

For instance, companies might set up a dedicated task force to oversee
regulation implementation, document data management and monitor security.

Indeed, under the GDPR, appointing a Data Protection Officer (DPO) is
mandatory not by headcount but by activity (Article 37): public authorities,
and organisations whose core activities involve large-scale regular and
systematic monitoring of individuals or large-scale processing of special
categories of data, must designate one. (The 250-employee threshold often
quoted relates to the record-keeping exemption in Article 30, not to the
DPO.) The DPO's primary function will be to meet those three objectives.

2. Get to grips with data flow

Keeping a firm grip on data will necessitate a comprehensive understanding
of information flow, including where it's stored and deployed, and who has

In particular, companies should create a detailed record of the vendors
they use and assess their activities to check they're in compliance with
relevant laws and legislation.

After all, the GDPR places obligations on both data controllers, those who
determine the purposes and means of processing, and processors: those who
handle data on a controller's behalf. A controller therefore remains
answerable if a vendor acting as its processor fails to comply with data
regulations or does not implement sufficient security measures, and Article
28 requires a written contract setting out the processor's obligations.

3. Consider extra precautions

At the heart of most upcoming data legislation, including the GDPR, is
protecting the identity of individuals — and to offer maximum assurance
that personal information is safe there are several techniques companies
can leverage.

For instance, they might use pseudonymisation, which replaces the fields in
a record that could identify an individual with artificial identifiers,
holding the mapping back to real identities separately. Note that the GDPR
still treats pseudonymised data as personal data so long as that mapping (or
the key used to derive the tokens) exists; the technique reduces risk but
does not take the data out of scope. Visitor stitching, by contrast,
recognises multiple identifiers as belonging to one individual.

By correctly identifying cross-device users, it bridges the gap between
silos and allows data handlers to easily access all insights held on a user.
Because it links more data to each person, stitching is a data-linkage
technique rather than a protective one: it widens what an access or erasure
request must cover, so it should itself be assessed for its privacy impact.
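The two techniques above, pseudonymisation and cross-channel stitching, can be shown together in a small worked example. This is an added illustration, not code from the original article or from any vendor it mentions: it replaces direct identifiers with keyed tokens (HMAC-SHA256 rather than a bare hash, since e-mail addresses and phone numbers are guessable), keeps the re-identification lookup separate from the pseudonymised data, and then groups records from two channels by token. The field names, the sample records and the 32-character token length are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers. Assumption for this example.
IDENTIFYING_FIELDS = ("email", "phone")

# Constructed sample data: one person seen via two channels (web and
# support, with the e-mail address in different case), plus a second person.
SAMPLE_RECORDS = [
    {"channel": "web", "email": "Ana.Silva@example.com", "phone": None,
     "event": "viewed_pricing"},
    {"channel": "support", "email": "ana.silva@example.com",
     "phone": "+1-555-0100", "event": "opened_ticket"},
    {"channel": "web", "email": "bo@example.org", "phone": None,
     "event": "signed_up"},
]


def new_key() -> bytes:
    """Pseudonymisation key. Keep it in a KMS/HSM, apart from the dataset."""
    return secrets.token_bytes(32)


def _normalise(value: str) -> str:
    # Canonical form so "Ana.Silva@" and "ana.silva@" yield one token.
    return value.strip().lower()


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token for one identifier value.

    A keyed HMAC is used instead of a plain hash: identifiers such as
    e-mail addresses have little entropy, so anyone holding the table could
    otherwise recover them by hashing guesses. The field name is mixed in
    so the same string does not produce the same token in two columns.
    """
    msg = field.encode() + b"\x00" + _normalise(value).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymise(record: dict, key: bytes, lookup: dict) -> dict:
    """Copy of `record` with identifying fields replaced by tokens.

    `lookup` (token -> normalised original value) is what makes
    re-identification possible; store it and the key separately from the
    pseudonymised data, otherwise the data is personal data in all but name.
    """
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        value = out.get(field)
        if value is None:
            continue
        token = pseudonym(key, field, value)
        lookup[token] = _normalise(value)
        out[field] = token
    return out


def reidentify(record: dict, lookup: dict) -> dict:
    """Reverse pseudonymise() for a verified access request."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        token = out.get(field)
        if token in lookup:
            out[field] = lookup[token]
    return out


def stitch(records: list) -> dict:
    """Group pseudonymised records by e-mail token.

    Because the token is deterministic, the web and support records for one
    person line up without anyone handling the raw address.
    """
    groups = {}
    for rec in records:
        groups.setdefault(rec["email"], []).append(rec["event"])
    return groups


def run(key: bytes = None):
    """Pseudonymise the sample, then stitch it; returns all three artefacts."""
    key = key or new_key()
    lookup = {}
    pseudo = [pseudonymise(r, key, lookup) for r in SAMPLE_RECORDS]
    return pseudo, lookup, stitch(pseudo)


if __name__ == "__main__":
    pseudo, lookup, groups = run()
    for r in pseudo:
        print(r)
    print("stitched:", groups)
```

Run it and the two records for the same person share one e-mail token while the raw address appears nowhere in the output; only a holder of `lookup` (or of the key) can get back to a real identity, which is the separation the GDPR's definition of pseudonymisation turns on.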

The majority of CIOs likely began their GDPR preparations long ago. But
with a few months left on the clock, it's a safe bet many still have a lot
of work to do — and with several state-level laws pending, they'll soon be
revising policies and procedures once more.

Yet, as convoluted as today's legal landscape might appear, the changes do
make sense. Consumers want more control over their information and they
want to understand how and why it's used.

By enshrining data clarity and security into law, regulators are putting
companies on the path to regaining consumer favor and keeping their
businesses alive. Plus, unified data processing will do a lot for
experience optimization and targeting too.

Instead of bemoaning the coming slew of bills and protection acts, it's
time to embrace them and harness the opportunity they really present for a
better age of data management.