GDPR: Broad, Complex & Coming Soon

GDPR will likely have an impact on your business very soon – whether or not you have a location in the EU.

At a recent
Are you GDPR ready? event
hosted at Red Hats global executive briefing center in Boston, the
Mass Technology Leadership Council
(MassTLC) sought to help attendees identify how to make compliance with the European Unions General Data Protection Regulation (GDPR) more manageable in a world where more than enough complexities already exist.
Security isnt just an industry anymore, said Sara Fraim, MassTLCs Director of Policy, as she presented a complex Venn diagram highlighting the interconnectedness of tech companies across 14 different verticals. GDPR is something that is affecting all [14] of these industries.
Image source:
MassTLC 2016 State of the Technology Economy Report
And, indeed, GDPR is nothing if not far-reaching. Under the older regime of the EUs 1995
Data Protection Directive
(a.k.a. Directive 95/46/EC) data-privacy and data-protection rules have generally reached multinationals only if they had sufficient economic activity and/or a sufficient physical presence in one or more member states. In todays increasingly globalized data economy, these considerations seem to have become less of a qualifier and more of a loophole from the perspective of the notoriously privacy-sensitive EU.
GDPR [is] intended to be extremely broad in its applicability,
Harriet Pearson
, a partner at Hogan Lovells and head of the global law firms cybersecurity practice, told attendees in her keynote of the event. Explaining that the traditional indicators of physical presence are now less relevant, Pearson described how GDPRs reach encompasses (1) any organization that offers goods or services to EU citizens,
and
(2) any organization that actually tracks or targets EU citizens and their behavior -- notwithstanding the geographic location of the organization in question.
Pearson went on to explain how this enhanced breadth is actually intended to simplify -- not complicate -- the data-protection regulatory regime in the EU -- motivated by a desire to enhance individual member-state regulatory bodies enforcement powers. This in and of itself is complicated, however; Pearson noted that the goal of getting national regulatory agencies to be a one-stop shop for GDPR review and enforcement flies in the face of the traditional propensity for individual EU member-state regulators naturally preferring to do their own thing.
Even beyond the potential for battles over jurisdictional interpretation, there are yet other areas of GDPR enforcement where not everything is clear cut. Pearson indicated that an organization whose sole data-tracking activities amount to little more than a website and/or an app, for example, represents a close call when it comes to GDPRs reach -- depending upon the specific facts of the scenario. Nonetheless, she was able to suggest that a good general rule of thumb comes down to methods and interactions.
Here, Pearson related the story of an unnamed nonprofit outside of the EU that had received unsolicited donations from EU citizens. The nonprofit was concerned about being subjected to GDPR, despite having no presence or real activities in the EU, because it had received unsolicited donations from EU denizens. Pearson related her own conclusion that, as long as the nonprofit did not track the donors, send them mailings or other correspondence (such as a thank you letter, an offer to subscribe to their newsletter, or the like), or otherwise actively solicit or track people in the EU, the nonprofit would likely have nothing to worry about.
Emphasis on likely.
Theres very, very little actual settled law in this area, said Pearson of data-protection precedent in the EU -- particularly when it comes to matters like exceptions to consent requirements for gathering, moving, or using an EU citizens PII. It depends then on the risk appetite of the company that youre in.
On this point, Pearson observed what has long been regarded as best practice globally in the areas of appeasing cybersecurity and data-protection regulators -- that corporate compliance is often less about getting a perfect score and more about being able to say (and demonstrate) that you tried.
If you guess wrong on something that hasnt been adjudicated, okay, you guessed wrong, said Pearson. But that goes along way.
Either way, Pearson emphasized, every single one of [your] policies needs to be updated to comply with GDPR -- whether that takes the form a complete overhaul of all policies or instead means quilting EU-flavor patchworks as necessary.
The latter approach, however, can be dangerous -- particularly where the input of legal-compliance data-protection specialists is limited. Consider the current example of MailChimp. The automated email-marketing service alienated its EU customers a few weeks ago when it quietly announced that the company would default all customers email newsletters to single opt-in -- as opposed to the double opt-in standard of double-checking with newsletter recipients to see if they actually do want to receive the customer organizations newsletter before MailChimp sends it to them. As security blogger
Graham Cluley explains
:
What does that mean? It means that subscribers wont have to confirm that they really really want to receive a newsletter. Which means that any toerag can enter your email address for a newsletter run on MailChimps systems that you dont want and the onus will be on you to unsubscribe.
When enough European customers complained, citing GDPR and other compliance requirements, MailChimp
backpedaled
-- but only in regards to customers located in the EU. All other customers would still be required to manually adjust their settings -- impacting those customers compliance postures (as well as, likely, MailChimps own compliance posture!) where their EU email recipients are concerned.
This highlights another major issue surrounding GDPR compliance efforts: Third-party vendors -- despite facing their own GDPR liability -- may not understand your and your customer or user data as well as you do. On this note, Pearson suggested taking a prompt, proactive approach to considering and working with third-party data processors when it comes to GDPR compliance -- particularly because of how time-consuming vendor negotiations and compliance efforts can be. Otherwise, she cautioned, the organization may risk getting stuck with the vendors own boilerplate agreement terms -- which could be a poor fit with the rest of the organizations business and policies (if not downright substandard).
After all, the clock is relentlessly ticking away toward May 25, 2018 -- the day when GDPR, replete with all of its costly penalties, goes into full effect.
Related posts:
GDPR Pressure Begins on US Multinationals
Will GDPR Be the Death of Big Data?
Are You Ready for GDPR?
—
Joe Stanganelli, attorney and technology journalist, special to Security Now.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
GDPR: Broad, Complex & Coming Soon