The EU’s General Data Protection Regulation (GDPR) takes effect on May 25, 2018. All in-house lawyers should be well aware by now that its key provisions require reporting data breaches, deleting personal data when the individual asks, and protecting personally identifiable information (PII). Its reach is broad: it applies to organizations established in the EU, and to organizations anywhere that offer goods or services to, or monitor the behavior of, people located in the EU, whatever their nationality (a U.S. citizen who moves there and takes up residence is covered, for example).
Companies and their lawyers will undoubtedly be busy, as the deadline approaches, consulting outside experts, drafting policies and procedures, and training employees who will carry them out. But they will also need to navigate the inevitable gray areas that accompany any new and complex regulation.
As an experienced cybersecurity consultant, I have recently been working with one institution that is trying to figure out how to proceed. Though the organization is a community college, the questions it has raised are likely to surface not only in other academic institutions but in many different business environments. They involve the privacy rights of EU citizens who reside in the United States.
The concern for individual privacy on campus has typically been addressed through the Family Educational Rights and Privacy Act (FERPA) and identity theft legislation. The GDPR raises the bar for how organizations control PII, and it changes the viewpoint: individuals covered by the regulation have the right to control their own information. They may consent (or not) to provide PII and may request that it be deleted or corrected. U.S. organizations that fall within its scope must now comply with these rules.
John Williams is an IT director at Anne Arundel Community College in Maryland. He is in the process of implementing GDPR into the college’s policies and procedures, and it's been challenging. “It is difficult to translate the regulation from the EU to an academic environment in the United States,” he said. There are three key questions he’s trying to answer.
1. When do U.S. privacy laws pre-empt the GDPR?
2. Can EU citizens request that all their personal data be removed from their academic files, or only the personal data that they provided?
3. How can an academic institution ensure that identifying students and faculty members as EU citizens isn’t used in a way that either discriminates against them or treats them preferentially?
Williams asked some good questions that general counsel may also be pondering. A threshold question is scope: the GDPR defines its reach by where the data subject is located and by whether the organization is established in the EU or targets people there, not by citizenship, so how far it follows an EU national who enrolls at a U.S. college is itself unsettled. Where the GDPR does apply and conflicts with U.S. privacy laws, it is unclear which will prevail and whether rulings will be specific to each case or generally applied. On breaches, the GDPR requires notification to the appropriate data protection authority within 72 hours of the organization becoming aware of the breach, and notification of the affected individuals without undue delay when the breach is likely to result in a high risk to them; it specifies what the notification must contain (the nature of the breach, its likely consequences and the measures taken) but not its format. U.S. state breach-notification laws generally require only that notice be given “without unreasonable delay” after a breach has been confirmed. In practice this can take many months, as organizations are hesitant to release notifications that hurt their “brands.”
It is also unclear what information an EU citizen can ask to be changed or deleted. Students do have the right to request that personal information they provided to enroll (date of birth, identification number, country of birth, etc.) be corrected or deleted, but it is not clear whether this right extends to personal information about the individual that the school rather than the student generated, such as grades, or that came from elsewhere, such as transcripts obtained from other institutions. The right to erasure is also not absolute: the GDPR exempts data an organization must keep to satisfy a legal obligation under EU or member-state law, and whether a U.S. record-retention requirement counts is another open question.
Also of concern to academic institutions is another question that sounds like one that a civil rights lawyer may have to answer. Does the request that EU students identify themselves as such on their applications constitute a form of discrimination in the selection process? Will institutions have to convince admissions auditors and regulatory authorities that individuals from EU countries were not denied admission as a means of avoiding GDPR compliance?
I have been assisting federal agencies for two decades in accrediting and auditing their information systems. I have written security policies and procedures that codified the expected behavior of the federal and contractor staffs, and from my perspective, GDPR should be considered a best practice that should be adopted by the U.S.
Since the early stages of computer processing, U.S. organizations have been protecting information that is deemed essential for the well-being of the population (defense, finance, health, intelligence, environmental, etc.), with a focus on the adverse consequences that disclosure of the information could cause to the organization’s mission or operations. The impact on individuals was only considered in the context of loss of life or serious injury. The concern for individual privacy and personal electronic information provided to an organization has only been addressed in the last 10 to 15 years.
Initially the concern about PII was how to protect this information from accidental loss or disclosure, with the underlying assumption that once the information was given to the organization, the individual no longer retained “ownership.” GDPR changes that viewpoint. An individual covered by the regulation can request that PII be deleted (or corrected), and the organization is obligated to act without undue delay, normally within one month, extendable for complex or numerous requests. This seems like an important improvement in today’s data-driven world.
There are many questions about implementing GDPR compliance in educational and commercial organizations. A useful starting point is Special Publication (SP) 800-171 Rev 1, published by the National Institute of Standards and Technology (NIST), which the federal government requires of contractors that handle controlled unclassified information in nonfederal systems. Its security requirements will help an organization meet the GDPR’s obligation to protect personal data with appropriate technical and organizational measures, but they do not by themselves address data-subject rights such as access, correction and erasure, and the GDPR’s expectations are risk-based. Each organization must therefore perform a risk assessment, which includes a privacy impact assessment (the GDPR calls this a data protection impact assessment and requires one for high-risk processing), to determine the processes and procedures in place and the changes that may be needed to improve them.
Nowadays most federal organizations have a civil liberties and privacy officer as well as a general counsel to ensure that they are compliant with evolving privacy regulations. The GDPR itself requires a data protection officer for public authorities and for organizations whose core activities involve large-scale monitoring or special categories of data. Even where it is not required, organizations that collect PII and don’t have one are strongly advised to add a privacy or data protection officer to work with the general counsel and the IT department on the technical and legal aspects of GDPR.
One of the most important messages they can deliver is that security and privacy are the responsibility of everyone in the organization. If this sounds obvious, you would be surprised to see how rarely it is truly embraced. Too often people believe that information security or privacy is the sole purview of the IT or legal or information assurance department. Nothing could be further from the truth. In the Navy, there is the expression “loose lips sink ships.” In corporate America, security and privacy are only as robust as the least-trained individual.
Many studies back this up: a large share of data breaches, often estimated at 40 to 50 percent, is traced to poorly trained employees who fail to practice operational security, resulting in loss or compromise of data. And I’ve seen it. You probably have too. I have witnessed people discussing sensitive information outside of controlled spaces. I’ve seen them fail to lock their workstations when going for coffee. I’ve watched them print sensitive information on a shared printer and fail to quickly collect the documents, or leave them on their cubicle desks. I’ve heard sensitive topics discussed so loudly that anyone in the hallway could overhear what was being said.
So while general counsel focus on the new rules that will roll out in Europe in May, this might be a good opportunity for organizations to redouble their efforts to train everyone about the importance of data security. Whether it’s the laptop stolen from an executive’s car or the phishing email that leads to a ransomware attack, there are vulnerabilities everywhere. Companies should have annual cybersecurity and privacy training for all employees. We need to understand and constantly remind ourselves that security and privacy protection are the responsibility of everyone, because we all represent the first line
Steven Senz is a consultant who has over 35 years’ experience in the computer, cybersecurity and telecommunications industries, developing new products and services for the public and private sectors. Senz, who has a master’s from Cornell University and an MBA from the University of Michigan, is certified as a CISSP, ISSMP, CISA, CHP, CRISC and HITECH. He has participated in multiple working groups sponsored by the National Institute of Standards and Technology (NIST) and the Committee on National Security Systems (CNSS). Formerly the director of information assurance for Inscope International, he headed the Center of Excellence for Cybersecurity. He is also the founder of Your Cyber Security Matters and a co-developer of the ASCERTIS application for the authorization of nonfederal information systems.