Q&A: Time to get GDPR compliant, CSPi's Gary Southwell says

Europeans take their personal data privacy seriously -- that's why last year the EU adopted the new General Data Protection Regulation to replace the Data Protection Directive 95/46/EC regulation, which began regulating the processing of personal data in 1995.

The new GDPR privacy regulation includes requirements for protecting personal information to ensure it stays private and giving individuals the right to verify and control their own data, up to and including granting the "right to be forgotten."

Gary Southwell, general manager at CSPi, the network and IT security company based in Lowell, Mass., spoke with SearchSecurity about the challenge of becoming GDPR compliant as companies around the world now have less than a year before the EU begins enforcing its new GDPR privacy regulation.

See the second part of this Q&A here.

This interview has been edited for length and clarity.

With just one year before GDPR enforcement begins and companies doing business with people in the EU must become GDPR compliant -- experts are still saying awareness of the new privacy regulation is low, even in Europe. Are you finding that as well?

Gary Southwell: The European groups tell me that. The larger companies are [aware], but a lot of the mid and smaller companies have not been paying attention. They just kind of assume it won't impact them, but it does.

How about in the United States?

Southwell: I would say it's very low. It's starting to percolate up. People are making it a major topic in a lot of these security-oriented events. So a lot of the organizations that have CISOs and people that just focus on security, they are aware of it, I would say. They're still trying to figure out how this impacts them. A lot of them are myopic, thinking, 'Well, it doesn't matter because I do business here. I process everything here. Doesn't it only matter if I do work in the EU?'

Gary Southwell

GDPR says no. If you process anybody's personal information anywhere in the world, you are covered by these rules and you can be fined as you do business here in the EU if you don't follow these regulations.

How do you expect enforcement of GDPR will look once the regulation goes into effect?

Southwell: Usually with EU directives, they start and then they have additional amendments to them. So they'll add what I call clarifications to them. The other problem is that they intended that it would be across the EU, but now France in particular is starting to create some of their own rules. They're saying, 'As we enforce this, we can do these things.' The EU doesn't stop them from doing that, but the intent was to try to make it more uniform so you wouldn't have this problem with, 'Okay, I've got to figure out every authority, and I have to deal with them separately,' because then it becomes a real operational challenge for you to figure out how to administer this if you're a company.

Can you give an example of a part of GDPR that could prove problematic for a company to comply with?

Southwell: There's a very tight [breach] notification window now -- 72 hours -- you're supposed to notify if there's been a breach.

The problem with that is once you start to do that notification process, [there are] other ramifications on the company, because that can trigger other compliance rules if you're following HIPAA or whatever else. They start to come into play.

Okay, you've notified something. Now you have to follow those rules and be in compliance. And then if you've bought insurance for protection against breaches, then they start to have requirements that you have typically a 30-day window to make sure you've gone through all these requirements if you're going to qualify for any form of reimbursement.

Suddenly, it's this trigger where you might've said, 'Oh, I can wait and make sure I got my act together.' But that's been the recommendation of a lot of these firms, 'Get your act together internally before you declare a breach.' Well this says you'd better do it in 72 hours. You've got to have good systems and practices in place ahead of the time or else you will be struggling to deal with all these ramifications.

Will the need to become GDPR compliant help move security and privacy practice forward for everybody, even beyond the EU?

If you process anybody's personal information anywhere in the world, you are covered by these rules and you can be fined as you do business here in the EU if you don't follow these regulations.

Southwell: I think it'll be a force for good for everybody. What's interesting is it puts a little more detail around some of the best practices that are out there today. The state of California has had online privacy laws since 2003, but they don't have all the painful enforcement fines associated with it. But what happens in the state of California or the U.S. is because they have this here, if you do violate it, you could be sued or someone could come in and create a collective bargaining and say, 'Now we're going to sue on your behalf.'

The GDPR is going to let that happen, so this will be the first time you could actually have collective lawsuits in the EU by groups of citizens who have had their records [exposed]. So in addition to the fines, they could be now subject to this. That's kind of been a U.S. phenomenon that the Europeans didn't really embrace before, but this is really the first time we're hearing that this would be another stick to make sure that you're following this compliance. I think it codifies a lot of what good practices has been done and I think there will be other countries outside the U.S. that will probably adopt similar things.

What about within the U.S.?

Southwell: It depends on the political climate and the administrations. I think you'll see it being left to the states to decide for right now. And then there may be additional directives coming out of the current administration -- the Obama administration was starting to go down that path, but they didn't get really into putting in legislation to create something like this. I don't think there was any appetite to do that. I don't see that happening in the U.S. other than at the state level.

Microsoft announced in February it would be GDPR compliant in its cloud offerings by May 25, 2018, and AWS followed suit in April. How much of the GDPR compliance task for an average enterprise would be accomplished by going to the right vendors and saying 'Fix me up'?

Southwell: I think going to the right vendors, they can do a lot.

What [Microsoft] did say, which was very interesting, was that they're going to go through the GDPR compliance and they're going to offer up best practices. So we'll let you see what we've done to be compliant ourselves.

So I think that's probably the biggest benefit. People say here's what they had to go out and do, if they're really going to be open about how they did that, which would be great then. Now, other vendors are trying to help more in the, 'How do you protect your own data and how do you know when you have a breach and how do you verify?' Because it's not only do you have a breach, it's about which records were impacted, who are the people I have to notify, because that's where the fines start to go.

They say, 'If you don't have a good system in place, 2% of your turnover is ...' And if you've done a really bad job, 4% of your turnover, your revenue, could be fined, or 20 million euros, whatever is greater.

That gets alarming because those could be high fines, and 2% on a small company doesn't sound like a lot, but it could really impact their bottom line.