Protecting Your Data

Facebook announced it will comply with the GDPR and so should you

Even if you don’t have a Facebook account, you have undoubtedly heard the reports about how Cambridge Analytica accessed the personally identifiable information (PII) of up to 87 million users over a period of several years. Starting in 2014, the British political consulting firm began collecting data from the social media platform’s users, the vast majority of whom reside in the United States, with the alleged goal of using that data to influence voter opinions.

Essentially, Cambridge Analytica gathered and sold PII to help a variety of politicians influence the public in both the United States and the United Kingdom. While the ultimate scope of the influence has not yet been determined, what is clear is that people everywhere feel violated by the access. Given the nature of social networking applications, it is not surprising that Facebook has faced a lot of harsh criticism and has had to implement new strategies for dealing with personal data.

One strategy Facebook has been open about is its decision to apply the European Union’s General Data Protection Regulation (GDPR) across all of its operations, and not just in the EU itself. In fact, during his testimony before Congress in April of this year, Facebook’s founder and CEO Mark Zuckerberg said he believed the GDPR was a positive step for the internet.

“A lot of the things in there are things we have already done for a long time; some are other things that I think would be good steps for us to take,” Zuckerberg said. “I think it makes sense to do more and it’s something GDPR will require us to do and it will be positive.”

Given the gravity of the Facebook/Cambridge Analytica scandal, the swift response to it, and Zuckerberg’s support for the GDPR in its aftermath, you would think that North American companies would be eager to follow suit. However, despite the fact that the GDPR applies to organizations worldwide, many have not yet made the move.

North Americans Aren’t Ready for the GDPR

A surprising number of North American companies are either uncertain about or unprepared for the GDPR. CompTIA, a leading technology association, surveyed 400 U.S. companies in April of this year, and the results were telling.

According to CompTIA’s survey, 52 percent of the 400 companies are either still exploring how the GDPR applies to their businesses, have decided that it does not relate to their businesses, or are unsure. In fact, only 13 percent of the companies say they are fully compliant, while 23 percent feel they are mostly compliant and 12 percent feel they are somewhat compliant. Given that the regulation took effect on May 25, a little more than a month after this survey, these numbers are concerning.

Does the GDPR Apply to North American Companies?

So why are North American companies lagging behind on their compliance? In large part, it is because they feel the GDPR does not apply to them. This is understandable since the regulation was developed to protect individual privacy as it relates to the data being collected from citizens of the European Union.

The regulation stipulates that European citizens own the PII being collected from them and have the right to make decisions on how it is used or distributed. PII includes an individual’s name, home address, images, bank details, social networking posts, medication information, IP addresses, mobile device ID and data collected through the IoT.

Some in North America believe that, since they are not located within the European Union, the regulation does not apply to their operations. What these companies fail to recognize is that the GDPR is applicable to any organization conducting business within the EU, including those simply collecting data there. As soon as a European citizen visits your website, you are subject to the regulations and fines set out under the GDPR. Ultimately, if you are collecting PII from people within the EU, your organization is going to be held accountable, regardless of where you are based.

The Global Benefits of the GDPR

North American companies should not be nervous about complying, particularly in light of the new reporting requirements around breaches. We know that mitigating the risks associated with a system breach requires early detection. We also know that, with the increased connectivity between systems and the sharing of information between organizations, a breach at one organization can have a significant impact on others. As a result, when a company reports a breach quickly, it goes a long way to reducing potentially disastrous outcomes.

The GDPR states that, in addition to new record-keeping requirements for collecting, managing, modifying, storing and analyzing PII, companies must also abide by mandatory breach reporting rules. This includes reporting a breach within 72 hours of detection. In this way, the regulation, which is designed to help European citizens, will also help protect our global networks.

Now That You’re Convinced, What Can You Do?

The first step on your road to compliance with the GDPR is to talk with the experts. If your company has a compliance department, reach out to them. They are probably already working on it and will have many of the answers to your questions. What questions should you be asking? Typically, you are going to have to look at all the data you are collecting to see if you need to comply. Once you determine whether or not your company will be subject to the regulations, you have to see what, if any, additional controls you will need.

To help organizations build a solid foundation for continued compliance over the long term, the regulation stipulates that, in order to meet its requirements, organizations cannot simply deploy add-on options. You must use solutions that implement privacy by design. This means that organizations are going to have to work with vendors who, in addition to understanding the importance of keeping systems and networks secure, focus on providing the tools and features that can continue to make this possible.

Specifically, solutions that implement privacy by design allow companies to leverage the latest technologies to encrypt their data, both in motion and at rest, keeping it hidden from prying eyes. They also allow for a high level of identity assurance by authenticating every party that requests access, whether app, user or server, to make sure each is who it claims to be.

At the same time, organizations are going to have to ensure that they control access to personal data. This is particularly important as companies grow in size and reach and as they share data with stakeholders outside their organizations. A company must allow enough access to ensure that people can do their jobs effectively without putting anyone’s PII at risk.

How to Protect Individual Privacy

Under the GDPR, video surveillance is considered a high-risk processing operation. As a result, companies will have to implement controls that allow them to protect individual privacy in video streams both as they are being captured and then once they are shared or stored. There are a variety of methods of protecting privacy in video surveillance, including permanent masking, redaction, and dynamic anonymization.

The most basic method is through permanent masking. This involves permanently anonymizing individuals in video footage. Because the masking cannot be removed, this method is not ideal in situations where a person’s identity might be relevant for future investigations.

Redaction, which is usually done after the fact, involves hiding the identity of selected people in video footage. This is typically done in instances where an organization is sharing video with law enforcement. But it does not protect individual privacy in live streams.

The most effective method of anonymization, especially for organizations conducting video surveillance of public spaces, is dynamic anonymization. Using this approach, the video management system (VMS) monitors actions and movements and automatically anonymizes individuals in live and recorded streams. Authorized personnel can then unmask the video in the event of an investigation. In this way, dynamic anonymization both ensures individual privacy and supports law enforcement in their efforts to keep citizens safe.
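The three methods above differ in one thing a practitioner cares about: whether, and by whom, the original pixels can ever be recovered. The following Python script, written for this page as an added illustration and not taken from the article or from any VMS product, models each method on a tiny greyscale frame. The frame contents, the region coordinates, the role names and the frame ids are constructed sample values, and the person detector is assumed to exist elsewhere and simply hand the code a list of regions.

```python
"""Added illustration of the three video-privacy methods the article names
(permanent masking, after-the-fact redaction, dynamic anonymization) on a
tiny greyscale frame. This is example code written for this page, not code
from the article or from any VMS product; the frame, the region coordinates,
the role names and the frame ids are all constructed sample values, and the
person detector is assumed to exist elsewhere and just hands us regions."""
from copy import deepcopy

MASK_VALUE = 0  # the pixel value a masked area is painted with


def make_frame(height, width):
    """Constructed sample frame: a gradient, so every pixel is distinguishable."""
    return [[(r * 16 + c) % 256 for c in range(width)] for r in range(height)]


def permanent_mask(frame, regions):
    """Overwrite the regions in place. Irreversible: nothing retains the pixels."""
    for top, left, h, w in regions:
        for r in range(top, top + h):
            for c in range(left, left + w):
                frame[r][c] = MASK_VALUE
    return frame


def redact_copy(frame, regions):
    """Blank selected people in a copy meant for sharing; the stored original is untouched."""
    return permanent_mask(deepcopy(frame), regions)


class DynamicAnonymizer:
    """Masks every frame as it is processed, but keeps the cut-out pixels in a
    separate vault that only an authorized role can restore from. Every unmask
    attempt, allowed or not, is written to an audit log."""

    def __init__(self, authorized_roles):
        self._vault = {}          # frame_id -> [(region, original pixels)]
        self._authorized = set(authorized_roles)
        self.audit_log = []

    def process(self, frame_id, frame, regions):
        """Stream path: store the originals, return a masked frame for viewers."""
        self._vault[frame_id] = [
            ((top, left, h, w), [row[left:left + w] for row in frame[top:top + h]])
            for top, left, h, w in regions
        ]
        return permanent_mask(deepcopy(frame), regions)

    def unmask(self, frame_id, masked_frame, requester, role, case_ref):
        """Investigation path: restore originals only for an authorized role."""
        allowed = role in self._authorized
        self.audit_log.append({"frame": frame_id, "by": requester, "role": role,
                               "case": case_ref, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"role {role!r} may not unmask frame {frame_id}")
        restored = deepcopy(masked_frame)
        for (top, left, h, w), pixels in self._vault[frame_id]:
            for i, row in enumerate(pixels):
                restored[top + i][left:left + w] = row
        return restored


def demo():
    """Run all three methods on one frame; returns the facts worth checking."""
    frame = make_frame(8, 8)
    original = deepcopy(frame)
    region = (2, 2, 3, 3)  # constructed: where the detector "found" a person

    shared = redact_copy(frame, [region])

    anonymizer = DynamicAnonymizer(authorized_roles={"investigator"})
    masked = anonymizer.process("cam1-frame-001", frame, [region])
    try:
        anonymizer.unmask("cam1-frame-001", masked, "op-17", "operator", "none")
        operator_denied = False
    except PermissionError:
        operator_denied = True
    restored = anonymizer.unmask("cam1-frame-001", masked, "det-42",
                                 "investigator", "CASE-0001")

    results = {
        "redacted_copy_blank": shared[3][3] == MASK_VALUE,
        "original_intact_after_redaction": frame == original,
        "stream_blank": masked[3][3] == MASK_VALUE,
        "operator_denied": operator_denied,
        "investigator_restored": restored == original,
        "audit_entries": len(anonymizer.audit_log),
    }
    permanent_mask(frame, [region])  # last: this one destroys the pixels for good
    results["permanent_irreversible"] = frame[3][3] == MASK_VALUE and frame != original
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is the separation in `DynamicAnonymizer`: the stream every viewer sees is already masked, the recoverable pixels live somewhere else, and the only path back to them is a function that checks a role and records who asked. That is what lets the same footage serve both the privacy requirement and a later investigation; permanent masking cannot, and redaction after the fact protects nothing while the stream is live.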

How GDPR Compliance Might Impact Workflows

Finally, North American companies are also going to have to think about how to handle the increased pressure on their workflows as they move toward compliance. Under the GDPR, EU citizens have the right to obtain confirmation as to whether or not their data is being processed, where it is being processed, and for what purpose. They also have the right to request and receive, free of charge, a copy of their individual PII.

This means that companies need to have systems in place to recognize requests, assess their validity, and provide the information. How is a company going to find an individual’s PII within the vast amount of data they are collecting and how are they going to protect the privacy of other individuals when fulfilling these requests?

The answer is to work with a solution that facilitates workflow by providing assets back to the requester in a secure fashion. When it comes to sharing video assets, for example, a solution must be able to redact any other individuals in order to protect their privacy.
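As an added example, not code from the article or from any vendor's product, the Python script below shows a minimal subject-access-request export that does the two things this section asks about: it finds one person's records across stores that key on different identifiers (email, customer id, device id), and it redacts other individuals from a shared record before anything leaves the company. It also returns the processing register entry for each store, which is the "is it processed, where, and why" confirmation the section mentions. Every customer, order, log line, chat transcript and register entry here is constructed sample data.

```python
"""Added illustration of a subject-access-request (SAR) export. Written for
this page; not from the article or any product. All data below is constructed."""
import re
from typing import Dict, List

# --- constructed sample stores, each keyed on a different identifier ---
CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Ana Lopez",  "email": "ana@example.org", "device_id": "DEV-77"},
    {"customer_id": "C-1002", "name": "Ben Okafor", "email": "ben@example.org", "device_id": "DEV-78"},
]
ORDERS = [
    {"order_id": "O-1", "customer_id": "C-1001", "item": "camera"},
    {"order_id": "O-2", "customer_id": "C-1002", "item": "intercom"},
]
DEVICE_LOG = [
    {"device_id": "DEV-77", "event": "login", "ip": "203.0.113.5"},
    {"device_id": "DEV-78", "event": "login", "ip": "203.0.113.9"},
]
SUPPORT_CHAT = [  # a shared record: two data subjects appear in one transcript
    {"ticket": "T-9", "participants": ["C-1001", "C-1002"],
     "text": "Ana Lopez asked whether Ben Okafor (ben@example.org, DEV-78) can share the account."},
]

# Constructed register: where each store is processed and for what purpose.
PROCESSING_REGISTER = {
    "orders":       {"location": "eu-west (constructed)", "purpose": "order fulfilment"},
    "device_log":   {"location": "us-east (constructed)", "purpose": "security monitoring"},
    "support_chat": {"location": "us-east (constructed)", "purpose": "customer support"},
}


def resolve_subject(email: str) -> Dict[str, str]:
    """Map the identifier the requester gives us to every identifier we key on."""
    for customer in CUSTOMERS:
        if customer["email"].lower() == email.lower():
            return customer
    raise LookupError("no data subject with that email")


def holds_data(email: str) -> bool:
    """The 'do you process my data at all?' confirmation."""
    try:
        resolve_subject(email)
        return True
    except LookupError:
        return False


def third_party_terms(subject: Dict[str, str]) -> List[str]:
    """PII values belonging to anyone other than the requesting subject."""
    terms: List[str] = []
    for customer in CUSTOMERS:
        if customer["customer_id"] != subject["customer_id"]:
            terms += [customer["name"], customer["email"], customer["device_id"]]
    return terms


def redact(text: str, terms: List[str]) -> str:
    """Replace other people's identifiers before the text leaves the company.
    Longest terms first, so an email is not half-eaten by a shorter name match."""
    for term in sorted(terms, key=len, reverse=True):
        text = re.sub(re.escape(term), "[REDACTED]", text, flags=re.IGNORECASE)
    return text


def build_export(email: str) -> Dict:
    """Assemble what the subject gets back: their records, with others removed."""
    subject = resolve_subject(email)
    others = third_party_terms(subject)
    records = {
        "orders": [o for o in ORDERS if o["customer_id"] == subject["customer_id"]],
        "device_log": [e for e in DEVICE_LOG if e["device_id"] == subject["device_id"]],
        # Only ticket and redacted text are returned; the participant list would
        # itself leak the other customer's id.
        "support_chat": [
            {"ticket": t["ticket"], "text": redact(t["text"], others)}
            for t in SUPPORT_CHAT if subject["customer_id"] in t["participants"]
        ],
    }
    return {"subject": subject, "processing": PROCESSING_REGISTER, "records": records}


if __name__ == "__main__":
    import json
    print(json.dumps(build_export("ana@example.org"), indent=2))
```

Two details carry the security argument. First, the request is resolved to all of the subject's identifiers before any store is searched, because a device log keyed on device id will never be found by searching for an email. Second, the shared transcript is redacted against a list of every other subject's identifiers rather than against a fixed pattern, and the participant list is dropped from the export, since returning it would disclose the other customer's id in the act of honouring the first customer's request.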

In Benefits vs. Cost There is No Contest

Ultimately, regardless of your location, if your company or organization is conducting any form of business in the EU, you are going to have to determine what you will need to do to comply with the GDPR. You are going to need to look at how you keep the data you are collecting private and how you can continue to share that data securely. As a result, you’re also going to have to think about the way you store, access, and transmit that data.

While it can seem like a daunting task initially, complying with the GDPR will help keep our global networks more secure as it increases personal privacy. And, if you are wondering what will happen if you do not comply, the answer is that it will cost you. The penalties for non-compliance are steep, with fines of up to 20 million euros or four percent of global annual turnover, whichever is higher. It is no wonder that Facebook has been working to get on board.

This article originally appeared in the July/August 2018 issue of Security Today.
