The EU’s Data Protection Law to Complicate Cybersecurity Compliance

The EU adopted the General Data Protection Regulation (GDPR) in 2016, which is scheduled to go into effect on May 25, 2018. It is very similar to US-based state cyber regulations in some ways, but diverges significantly in others. Any company doing business with citizens of the EU (a “data subject”) must comply with the law. The EU will have the right to audit firms and levy fines up to 4% of a company’s revenue for non-compliance.

Companies must be able to provide Europeans with copies of their personal data if requested. This implies that the companies, also known as “controllers” of the data, must know exactly where the data is stored in databases and how it is used in software applications. Today, as a recent article in Insurance Journal points out, personal data tracking is mostly being done manually on spreadsheets and is prone to human error. The data protection law requires the “controller” to know who has access to the data. GDPR also defines the role of “processor” of the data, which has a different set of responsibilities for the data and processes data on behalf of “controllers.” A company can be both a processor and a controller depending on the circumstances. Your obligations under the law depend on which role you are performing in the context of your activities.

I worked in the EU and the UK for several years. The area that I dreaded the most in the GDPR was related to Article 17, the “right to be forgotten.” Essentially, under certain circumstances, including the personal data no longer being needed or a person withdrawing consent to hold the information, the data must be deleted anywhere it exists. This is very difficult to comply with because data could be replicated to many locations via a cloud, data backup, or data transformation between systems.

The NY State regulations and the NAIC model law are in some ways broader than the GDPR. They address policies; security controls such as multi-factor authentication and encryption at rest; security incident response, including maintaining audit trails and preserving information for investigations; and accountability via remediation plans and tracking of remediation progress. The NY State regulations also require a named CISO and oversight of third parties.

The US state regulations do not create the roles of data subjects, data controllers, and data processors. Additionally, the right to be forgotten is not embedded into any US cybersecurity regulations. The closest standard in the US to GDPR is ISO 27001.

Transferring data from the EU to areas outside the EU, like the US, brings a number of complexities, since US state regulation and GDPR compliance must be concurrently implemented. And the problem of cybersecurity compliance in the US will only get worse. Some states will base their cyber regulations on NY state. Others will base their cyber regulations on the NAIC model law, which has some differences. Overlaying these considerations is GDPR as well when a carrier is concurrently handling personal data from Europe.

The global regulatory framework will continue to get more complex. Brexit means the UK will have its own set of cybersecurity standards as well, which will further complicate things. Stay tuned!
