The ‘GDPR Effect’ on U.S. Companies

Print Friendly, PDF & Email

With the EU’s General Data Protection Regulation (GDPR) going into effect on May 25th, organizations across the globe are busy planning, budgeting and making any remaining changes needed to meet its guidelines. Designed to “harmonize data privacy laws across Europe” and better support the post-breach world in which we find ourselves, the guidelines aim to protect the digital data of EU citizens and improve the way organizations handle data privacy.

GDPR is an EU-based directive, however the guidelines affect any organization handling personal data of individuals no matter where they are located, meaning even U.S. companies that process the personal data of individuals residing in the EU will have to comply. As U.S.-based companies that handle the data of EU citizens (which takes into account almost every U.S. company that operates on a global scale today) prepare for GDPR to go into effect, it’s interesting to consider the impact it will have on organizations and their cybersecurity strategies, and how that might impact the possibility of similar legislation in the U.S. As we’ve seen with other sweeping cybersecurity regulations, it’s likely that a set of best practices addressing the protection of critical data will emerge to address GDPR.

Trust in Businesses > Trust in Government

American and European consumers have contradictory feelings when it comes to trusting businesses versus government. The majority of American consumers typically place more trust in businesses and tend to be suspicious of the government (in the EU, it’s often the opposite). We happily hand over our personal data to companies like Google, however we’d be reticent to share our photos, purchasing habits or social media information with the government. There’s also an element of risk versus benefit to consider, i.e. most U.S. consumers are happy to share their personal information in exchange for a product, service or other benefit. In fact, according to the Pew Research Center, more than half of Americans consider it an acceptable trade-off to have surveillance cameras in an office in order to improve workplace security and help reduce thefts.

In contrast, EU citizens’ cries for more control of their personally identifiable information have been answered with GDPR, and only time will tell how far (and how costly to businesses) the impact of these regulations will be. As GPDR regulations become enforceable, the biggest global organizations will have a target on their backs, as the prosecution of their violations will create the most noise on a global scale – and have the biggest financial impact. Up to 4 percent of annual global revenue for a company on the scale of Apple or Google can easily surpass a billion dollars, a fine that would ostensibly make headlines across the globe.

Government Intervention Isn’t the Answer

In the U.S., the societal expectation is autonomy, not government-issued standardization, which will be an adjustment for companies that are soon subject to EU regulations. If you really think about the fact that we’re about to have a centralized European body telling individual programmers and independent businesses what they’re supposed to be doing and how they’re supposed to be doing it, isn’t there a bigger issue here? Neither the U.S. nor the EU should need government guidelines like GDPR. Businesses and the security industry as a whole should be doing much more to protect their customers and citizens. The fact that organizations across the globe aren’t enforcing even the most basic of security protocols, and that as a result, the EU government has had to step in, is a failure on everyone’s part.

And while it may seem like a monumental task, addressing GDPR shouldn’t be seen as an impossible task, especially if your cybersecurity and  identity program is already in order. Employing a robust identity governance strategy that extends to data stored in files like documents, spreadsheets and PDFs allows organizations to identify their sensitive data, determine who in their organization has access to that sensitive data and create preventative and detective controls around that data, no matter where it resides. The result? Full visibility into who has access to what critical data and what they’re doing with that access. Organizations who employ this method will be in much better shape once the GDPR enforcement and penalty phases take effect.

The ‘GDPR Effect’ on U.S. Companies

How will this regulation leave its mark on the U.S. regulatory environment? It’s a lot less black and white, as U.S. companies aren’t in the eye of the storm like those companies located in the EU are at the moment. While it’s clear that U.S. companies that operate globally must also be prepared, GPDR has taken on Y2K-levels of hysteria as companies rush to shore up their security programs and hire from an all-too-short list of qualified Data Protection Officers. As with Y2K, it’s entirely possible the hype is overblown. And the first violator prosecuted under GPDR will surely be used as an example for us all. Companies who already have a robust identity governance program as the guiding light behind their overall security strategy are ahead of the curve when it comes to addressing GDPR regulations. And for those that don’t, organizations can take proactive steps to stay ahead by focusing on a few key identity governance priorities:

  • Identify Your Sensitive Data: First, develop a complete picture of where customer data that is required to be protected under GDPR exists within your organization – whether it’s in structured systems like databases and mainframes, in files and folders including documents, spreadsheets and presentations, or in cloud cloud storage systems like Box and Google Drive.
  • Determine Who Has Access: Second, understand who should have access to customer data and reconcile it with who does. This should be an ongoing process, not a one-time event.
  • Create Preventive & Detective Controls: Users should have access to only the minimum resources they need (“least privilege”) and access to sensitive data should be highly restricted. You need to build a governance model that aligns access to applications and data based on business need.

Perhaps the U.S. will embrace some version of GDPR-like guidelines one day. After all, we’re not completely against government intervention when it comes to digital security. Even though it admittedly wasn’t the best use of resources, the federal government eagerly joined in on Y2K readiness initiatives, spending about $9 billion to help combat the perceived bug. No matter what lies ahead, it’s imperative that organizations in the U.S. continue to get their identity house in order, not just because they need to comply with regulations like GDPR, but because they are ultimately responsible for the security of their critical corporate data, which often includes the critical data of their customers.

About the Author

Juliette Rizkallah, CMO at SailPoint. Juliette leads the company’s worldwide marketing efforts, and is responsible for articulating the company vision, product solutions, technology innovations and business purpose to customers, partners and media around the globe. She has held executive positions and was an agent of growth at some of the world’s largest technology companies, including Oracle, CA, Business Objects-SAP and Check Point Software. Juliette holds an MBA from Harvard Business School and a BA from Ecole Superieure de Commerce de Paris (E.S.C.P.) in Paris, France.


Sign up for the free insideBIGDATA newsletter.

Speak Your Mind