Protecting Your Data

Protecting Your Data

Facebook announced it will comply with the GDPR and so should you

Even if you don’t have a Facebook account, you have undoubtedly heard the reports about how Cambridge Analytica accessed the personally identifiable information (PII) of up to 87 million users over a period of several years. Starting in 2014, the British political consulting firm began collecting data from the social media platform’s users, the vast majority of whom reside in the United States, with the alleged goal of using that data to influence voter opinions.

Essentially, Cambridge Analytica gathered and sold PII to help a variety of politicians influence the public in both the United States and the United Kingdom. While the ultimate scope of the influence has not yet been determined, what is clear is that people everywhere feel violated by the access. Given the nature of social networking applications, it is not surprising that Facebook has faced a lot of harsh criticism and has had to implement new strategies for dealing with personal data.

One strategy that they have been open about is their decision to implement the European Union’s General Data Protection Regulation (GDPR) in all areas of its operations, significantly, not just in the EU itself. In fact, during his testimony before Congress in April of this year, Facebook’s founder and CEO Mark Zuckerberg said he believed GDPR was a positive step for the internet.

“A lot of the things in there are things we have already done for a long time; some are other things that I think would be good steps for us to take,” Zuckerberg said. “I think it makes sense to do more and it’s something GDPR will require us to do and it will be positive.”

Given the gravity of the Facebook/Cambridge Analytica scandal, the swift response to it, and Zuckerberg’s support for the GDPR in its aftermath, you would think that North American companies would be eager to follow suit. However, and despite the fact that the GDPR will be applicable to organizations worldwide, many have not yet made the move.

North Americans Aren’t Ready for the GDPR

A surprising number of North American companies are either uncertain about or unprepared for the GDPR. Comp TIA, a leading technology association, surveyed 400 U.S. companies in April of this year, and the results were telling.

According to Comp TIA’s survey, 52 percent of the 400 companies they looked at are either still exploring how the GDPR applies to their businesses, have decided that it does not relate to their businesses, or are unsure. In fact, they found that only 13 percent of the companies say they are fully compliant while 23 percent feel they are mostly compliant and 12 percent feel they are somewhat compliant. Given that the regulation took effect on May 25, a little more than a month after this survey, these numbers are concerning.

Does the GDPR Apply to North American Companies?

So why are North American companies lagging behind on their compliance? In large part, it is because they feel the GDPR does not apply to them. This is understandable since the regulation was developed to protect individual privacy as it relates to the data being collected from citizens of the European Union.

The regulation stipulates that European citizens own the PII being collected from them and have the right to make decisions on how it is used or distributed. PII includes an individual’s name, home address, images, bank details, social networking posts, medication information, IP addresses, mobile device ID and data collected through the IoT.

Some in North America believe that, since they are not located within the European Union, the regulation does not apply to their operations. What these companies fail to recognize is that the GDPR is applicable to any organization conducting business within the EU, including those simply collecting data there. As soon as a European citizen visits your website, you are subject to the regulations and fines set out under the GDPR. Ultimately, if you are collecting PII from people within the EU, your organization is going to be held accountable, regardless of where you are based.

The Global Benefits of the GDPR

North American companies should not be nervous about complying, particularly in light of the new reporting requirements around breaches. We know that mitigating the risks associated with a system breach requires early detection. We also know that, with the increased connectivity between systems and the sharing of information between organizations, a breach at one organization can have a significant impact on others. As a result, when a company reports a breach quickly, it goes a long way to reducing potentially disastrous outcomes.

The GDPR states that, in addition to new record-keeping requirements for collecting, managing, modifying, storing and analyzing PII, companies must also abide by mandatory breach reporting rules. This includes reporting a breach within 72 hours of detection. In this way, the regulation, which is designed to help European citizens, will also help protect our global networks as well.

Now That You’re Convinced, What Can You Do?

The first step on your road to compliance with the GDPR is to talk with the experts. If your company has a compliance department, reach out to them. They are probably already working on it and will have many of the answers to your questions. What questions should you be asking? Typically, you are going to have to look at all the data you are collecting to see if you need to comply. Once you determine whether or not your company will be subject to the regulations, you have to see what, if any, additional controls you will need.

To help organizations build a solid foundation for continued compliance over the long-term, the regulation stipulates that, in order to meet its requirements, organizations cannot simply deploy add-on options. You must use solutions that implement privacy by design. This means that organizations are going to have to work with vendors who, in addition to understanding the importance of keeping systems and networks secure, focus on providing the tools and features that can continue to make this possible.

Specifically, solutions that implement privacy by design allow companies to leverage the latest technologies to encrypt their data— both in motion and at rest—keeping it hidden from prying eyes. They also allow for a high level of identity assurance by authenticating user access in order to make sure that everyone—app, user, server—is who they claim to be.

At the same time, organizations are going to have to ensure that they control access to personal data. This is particularly important as companies grow in size and reach and as they share data with stakeholders outside their organizations. A company must allow enough access to ensure that people can do their jobs effectively without putting anyone’s PII at risk.

How to Protect Individual Privacy

Under the GDPR, video surveillance is considered a high-risk processing operation. As a result, companies will have to implement controls that allow them to protect individual privacy in video streams both as they are being captured and then once they are shared or stored. There are a variety of methods of protecting privacy in video surveillance, including permanent masking, redaction, and dynamic anonymization.

The most basic method is through permanent masking. This involves permanently anonymizing individuals in video footage. Because the masking cannot be removed, this method is not ideal in situations where a person’s identity might be relevant for future investigations.

Redaction, which is usually done after the fact, involves hiding the identity of selected people in video footage. This is typically done in instances where an organization is sharing video with law enforcement. But it does not protect individual privacy in live streams.

The most effective method of anonymization, especially for organizations conducting video surveillance of public spaces, is dynamic anonymization. Using this approach, VMS monitors actions and movements and automatically anonymizes individuals in live and recorded streams. Then authorized personnel can unmask the video in the event of an investigation. In this way, dynamic anonymization both ensures individual privacy and supports law enforcement in their efforts to keep citizens safe.

How GDPR-compliance Might Impact Workflows

Finally, North American companies are also going to have to think about how to handle the increased pressure on their workflows as they move toward compliance. Under the GDPR, EU citizens have the right to obtain confirmation as to whether or not their data is being processed, where it is being processed, and for what purpose. In addition, they also have the right to request and receive, free of charge, a copy of their individual PII.

This means that companies need to have systems in place to recognize requests, assess their validity, and provide the information. How is a company going to find an individual’s PII within the vast amount of data they are collecting and how are they going to protect the privacy of other individuals when fulfilling these requests?

The answer is to work with a solution that facilitates workflow by providing assets back to the requester in a secure fashion. When it comes to sharing video assets, for example, a solution must be able to redact any other individuals in order to protect their privacy.

In Benefits vs. Cost There is No Contest

Ultimately, regardless of your location, if your company or organization is conducting any form of business in the EU, you are going to have to determine what you will need to do to comply with the GDPR. You are going to need to look at how you keep the data you are collecting private and how you can continue to share that data securely. As a result, you’re also going to have to think about the way you store, access, and transmit that data.

While it can seem like a daunting task initially, complying with the GDPR will help keep our global networks more secure as it increases personal privacy. And, if you are wondering what will happen if you do not comply, the answer is that it will cost you. The penalties for non-compliance are steep with fines of up to $20 million euros or four percent of global annual turnover—whichever is higher. It is no wonder that Facebook has been working to get on board.

This article originally appeared in the July/August 2018 issue of Security Today.


  • ASIS International and SIA Release “Complexities in the Global Security Market: 2024 Through 2026”

    ASIS International and the Security Industry Association (SIA) – the leading security associations for the security industry – have released ”Complexities in the Global Security Market: 2024 Through 2026”, a new research report that provides insights into the equipment, technologies, and employment of the global security industry, including regional market breakouts. SIA and ASIS partnered with global analytics and advisory firm Omdia to complete the research. Read Now

  • President Biden Issues Executive Order to Bolster U.S Port Cybersecurity

    On Wednesday, President Biden issued an Executive Order to bolster the security of the nation’s ports, alongside a series of additional actions that will strengthen maritime cybersecurity and more Read Now

  • Report: 15 Percent of All Emails Sent in 2023 Were Malicious

    VIPRE Security Group recently released its report titled “Email Security in 2024: An Expert Look at Email-Based Threats”. The 2024 predictions for email security in this report are based on an analysis of over 7 billion emails processed by VIPRE worldwide during 2023. This equates to almost one email for everyone on the planet. Of those, roughly 1 billion (or 15%) were malicious. Read Now

  • ASIS Announces ANSI-Approved Cannabis Security Standard

    ASIS International, a leading authority in security standards and guidelines, proudly announces the release of a pioneering American National Standards Institute (ANSI)-approved standard dedicated to cannabis security. This best-in-class standard, meticulously developed by industry experts, sets a new benchmark by providing comprehensive requirements and guidance for the design, implementation, monitoring, evaluation, and maintenance of a cannabis security program. Read Now

Featured Cybersecurity


New Products

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance. 3