Protecting Your Data
Facebook announced it will comply with the GDPR and so should you
- By Christian Morin
- Jul 11, 2018
Even if you don’t have a Facebook account, you have
undoubtedly heard the reports about how Cambridge
Analytica accessed the personally identifiable information
(PII) of up to 87 million users over a period of
several years. Starting in 2014, the British political consulting
firm began collecting data from the social media platform’s
users, the vast majority of whom reside in the United States, with the
alleged goal of using that data to influence voter opinions.
Essentially, Cambridge Analytica gathered and sold PII to help a
variety of politicians influence the public in both the United States
and the United Kingdom. While the ultimate scope of the influence
has not yet been determined, what is clear is that people everywhere
feel violated by the access. Given the nature of social networking applications,
it is not surprising that Facebook has faced a lot of harsh
criticism and has had to implement new strategies for dealing with
personal data.
One strategy that it has been open about is its decision to
implement the European Union’s General Data Protection Regulation
(GDPR) in all areas of its operations, and significantly, not just in
the EU itself. In fact, during his testimony before Congress in April
of this year, Facebook’s founder and CEO Mark Zuckerberg said he
believed GDPR was a positive step for the internet.
“A lot of the things in there are things we have already done for
a long time; some are other things that I think would be good steps
for us to take,” Zuckerberg said. “I think it makes sense to do more
and it’s something GDPR will require us to do and it will be positive.”
Given the gravity of the Facebook/Cambridge Analytica scandal,
the swift response to it, and Zuckerberg’s support for the GDPR
in its aftermath, you would think that North American companies
would be eager to follow suit. However, and despite the fact that the
GDPR will be applicable to organizations worldwide, many have not
yet made the move.
North Americans Aren’t Ready for the GDPR
A surprising number of North American companies are either uncertain
about or unprepared for the GDPR. CompTIA, a leading
technology association, surveyed 400 U.S. companies in April of this
year, and the results were telling.
According to CompTIA’s survey, 52 percent of the 400 companies
they looked at are either still exploring how the GDPR applies
to their businesses, have decided that it does not relate to their businesses,
or are unsure. In fact, they found that only 13 percent of the
companies say they are fully compliant while 23 percent feel they are
mostly compliant and 12 percent feel they are somewhat compliant.
Given that the regulation took effect on May 25, a little more than a
month after this survey, these numbers are concerning.
Does the GDPR Apply to North American Companies?
So why are North American companies lagging behind on their
compliance? In large part, it is because they feel the GDPR does not
apply to them. This is understandable since the regulation was developed
to protect individual privacy as it relates to the data being
collected from citizens of the European Union.
The regulation stipulates that European citizens own the PII being collected from them and have the right to make decisions on how
it is used or distributed. PII includes an individual’s name, home
address, images, bank details, social networking posts, medication
information, IP addresses, mobile device ID and data collected
through the IoT.
Some in North America believe that, since they are not located
within the European Union, the regulation does not apply to their
operations. What these companies fail to recognize is that the GDPR
is applicable to any organization conducting business within the EU,
including those simply collecting data there. As soon as a European
citizen visits your website, you are subject to the regulations and fines
set out under the GDPR. Ultimately, if you are collecting PII from
people within the EU, your organization is going to be held accountable,
regardless of where you are based.
The Global Benefits of the GDPR
North American companies should not be nervous about complying,
particularly in light of the new reporting requirements around
breaches. We know that mitigating the risks associated with a system
breach requires early detection. We also know that, with the
increased connectivity between systems and the sharing of information
between organizations, a breach at one organization can
have a significant impact on others. As a result, when a company
reports a breach quickly, it goes a long way to reducing potentially
disastrous outcomes.
The GDPR states that, in addition to new record-keeping requirements
for collecting, managing, modifying, storing and analyzing
PII, companies must also abide by mandatory breach reporting rules.
This includes reporting a breach within 72 hours of detection. In this
way, the regulation, which is designed to help European citizens, will
also help protect our global networks.
Now That You’re Convinced, What Can You Do?
The first step on your road to compliance with the GDPR is to talk
with the experts. If your company has a compliance department,
reach out to them. They are probably already working on it and will
have many of the answers to your questions.
What questions should you be asking? Typically, you are going
to have to look at all the data you are collecting to see if you need
to comply. Once you determine whether or not your company will
be subject to the regulations, you have to see what, if any, additional
controls you will need.
To help organizations build a solid foundation for continued compliance
over the long term, the regulation stipulates that, in order
to meet its requirements, organizations cannot simply deploy add-on
options. You must use solutions that implement privacy by design.
This means that organizations are going to have to work with vendors
who, in addition to understanding the importance of keeping systems
and networks secure, focus on providing the tools and features that
can continue to make this possible.
Specifically, solutions that implement privacy by design allow
companies to leverage the latest technologies to encrypt their data—
both in motion and at rest—keeping it hidden from prying eyes. They
also allow for a high level of identity assurance by authenticating user
access in order to make sure that everyone—app, user, server—is who
they claim to be.
At the same time, organizations are going to have to ensure that
they control access to personal data. This is particularly important as
companies grow in size and reach and as they share data with stakeholders
outside their organizations. A company must allow enough
access to ensure that people can do their jobs effectively without putting
anyone’s PII at risk.
How to Protect Individual Privacy
Under the GDPR, video surveillance is considered a high-risk processing
operation. As a result, companies will have to implement controls
that allow them to protect individual privacy in video streams both as
they are being captured and then once they are shared or stored. There
are a variety of methods of protecting privacy in video surveillance,
including permanent masking, redaction, and dynamic anonymization.
The most basic method is through permanent masking. This involves
permanently anonymizing individuals in video footage. Because
the masking cannot be removed, this method is not ideal in situations
where a person’s identity might be relevant for future investigations.
Redaction, which is usually done after the fact, involves hiding
the identity of selected people in video footage. This is typically done
in instances where an organization is sharing video with law enforcement.
But it does not protect individual privacy in live streams.
The most effective method of anonymization, especially for organizations
conducting video surveillance of public spaces, is dynamic
anonymization. Using this approach, the video management system (VMS) monitors actions and
movements and automatically anonymizes individuals in live and recorded
streams. Then authorized personnel can unmask the video in
the event of an investigation. In this way, dynamic anonymization
both ensures individual privacy and supports law enforcement in
their efforts to keep citizens safe.
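The difference between permanent masking and dynamic anonymization described above, as an added Python illustration that is not code from the original article or from any VMS product: person regions are assumed to come from an upstream detector, the stream cipher and tag are SHA-256/HMAC stand-ins for a real AEAD such as AES-GCM, and the role policy and audit log are assumed.

```python
import hashlib, hmac, secrets
from typing import List, Tuple

Frame = List[List[int]]          # grayscale pixel grid; sample frames are constructed by the caller
Box = Tuple[int, int, int, int]  # (row, col, height, width) of a person, assumed to come from an upstream detector

def permanent_mask(frame: Frame, boxes: List[Box]) -> Frame:
    """Black out every person region; the original pixels are discarded and can never be recovered."""
    out = [row[:] for row in frame]
    for r, c, h, w in boxes:
        for i in range(r, r + h):
            for j in range(c, c + w):
                out[i][j] = 0
    return out

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # SHA-256 in counter mode as a stand-in stream cipher; a production VMS would use an AEAD such as AES-GCM
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def dynamic_anonymize(frame: Frame, boxes: List[Box], key: bytes):
    """Mask the frame for live viewing, but keep each region's pixels encrypted and tagged in a sidecar."""
    masked = permanent_mask(frame, boxes)
    sidecar = []
    for r, c, h, w in boxes:
        pixels = bytes(frame[i][j] for i in range(r, r + h) for j in range(c, c + w))
        nonce = secrets.token_bytes(12)
        ct = bytes(p ^ k for p, k in zip(pixels, _keystream(key, nonce, len(pixels))))
        tag = hmac.new(key, nonce + ct, "sha256").digest()  # lets unmask detect tampering or a wrong key
        sidecar.append(((r, c, h, w), nonce, ct, tag))
    return masked, sidecar

AUTHORIZED_ROLES = {"investigator"}  # assumed policy: only these roles may unmask
AUDIT_LOG: List[str] = []            # every unmask attempt, granted or denied, is recorded

def unmask(masked: Frame, sidecar, key: bytes, user: str, role: str, case_id: str) -> Frame:
    """Restore the original regions for an investigation; refused and logged if the role is not authorized."""
    if role not in AUTHORIZED_ROLES:
        AUDIT_LOG.append(f"DENIED unmask by {user} ({role}) for {case_id}")
        raise PermissionError("unmasking requires an authorized role")
    out = [row[:] for row in masked]
    for (r, c, h, w), nonce, ct, tag in sidecar:
        if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
            raise ValueError("sidecar tag mismatch: tampered data or wrong key")
        pixels = bytes(p ^ k for p, k in zip(ct, _keystream(key, nonce, len(ct))))
        cells = [(i, j) for i in range(r, r + h) for j in range(c, c + w)]
        for (i, j), p in zip(cells, pixels):
            out[i][j] = p
    AUDIT_LOG.append(f"UNMASK by {user} ({role}) for {case_id}")
    return out
```

Permanent masking returns only the blacked-out frame, so nothing can be recovered later; dynamic anonymization returns the same masked frame plus a sidecar that only an authorized, audited caller holding the key can use to restore the original regions.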
How GDPR Compliance Might Impact Workflows
Finally, North American companies are also going to have to think
about how to handle the increased pressure on their workflows as
they move toward compliance. Under the GDPR, EU citizens have
the right to obtain confirmation as to whether or not their data is
being processed, where it is being processed, and for what purpose.
In addition, they also have the right to request and receive, free of
charge, a copy of their individual PII.
This means that companies need to have systems in place to recognize
requests, assess their validity, and provide the information. How
is a company going to find an individual’s PII within the vast amount
of data they are collecting and how are they going to protect the privacy
of other individuals when fulfilling these requests?
The answer is to work with a solution that facilitates workflow by
providing assets back to the requester in a secure fashion. When it
comes to sharing video assets, for example, a solution must be able to
redact any other individuals in order to protect their privacy.
In Benefits vs. Cost There is No Contest
Ultimately, regardless of your location, if your company or organization
is conducting any form of business in the EU, you are going
to have to determine what you will need to do to comply with the
GDPR. You are going to need to look at how you keep the data you
are collecting private and how you can continue to share that data
securely. As a result, you’re also going to have to think about the way
you store, access, and transmit that data.
While it can seem like a daunting task initially, complying with
the GDPR will help keep our global networks more secure as it
increases personal privacy. And, if you are wondering what will
happen if you do not comply, the answer is that it will cost you.
The penalties for non-compliance are steep, with
fines of up to 20 million euros or four percent
of global annual turnover—whichever is higher.
It is no wonder that Facebook has been working
to get on board.
This article originally appeared in the July/August 2018 issue of Security Today.