The European Union's General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. It's wide-ranging in its scope, and has generated a correspondingly wide-ranging amount of buzz as the effective date approaches. And although it's an EU law, it will also be applicable to American companies who operate in EU countries, either physically or via the internet.
But what exactly is in the GDPR? And just as importantly, does it actually go far enough?
Why the GDPR Exists
At its heart, the GDPR is a set of requirements designed to protect personal data. That's obviously important, with social networks like Facebook, Twitter, Snapchat, and all the rest collecting, storing, processing, and using the personal information and online habits of billions of users. And as the recent news about Facebook and Cambridge Analytica revealed -- for those of us to whom it wasn't clear already -- privacy matters.
Furthermore, many people are not aware that any connected internet device is capable of data collection in some form or another. Alexa, Siri, Cortana, Google Assistant, Nest thermostats, WiFi baby monitors, and that internet-connected doll can all collect personal information. Sometimes that data collection is clear to the end user, and sometimes it may not be clear but the intent is benign -- but sometimes the data collection is of a more intentionally surreptitious nature.
Whatever form the collection takes, the user surrenders some privacy, sometimes voluntarily and sometimes not. Users typically have little control over their data once it is in the hands of a company, so even data surrendered voluntarily can lead to privacy problems when the companies involved sell that data or otherwise lose control of it.
And because privacy matters, the protection of that personal data is important long after it's collected from users. That kind of data protection is what the GDPR and its varying provisions are all about.
What the GDPR Is
The protections mandated by the GDPR begin with the user. Companies that collect personal data will, in the first instance, have to provide a variety of notifications designed to inform the user of who is collecting their data, what data is being collected, how it will be used, to which third parties it may be provided, and how long the data will be kept. It also requires notification to the user that they have the right to access, modify, and request deletion of their personal data.
The obligations of a company to protect personal data extend far beyond providing proper notifications to individuals. Under the GDPR, companies are required to implement appropriate technical and organizational measures to protect data -- what the GDPR calls "data protection by design and by default." In an overarching sense, the intention is that the amount of data collected and the way in which that data is processed is appropriate to the purposes for which the user allowed the data collection in the first place.
What the GDPR Isn't
Although the GDPR is a dramatic codification of privacy rights and personal data security principles for companies doing business in the EU, it has no legal authority in the United States over companies with no users in the EU. Although many American companies are erring on the side of caution and implementing policies that align with the GDPR, users outside of the European Union should always be aware that their privacy and their personal data is not legally afforded the same safeguards.
Furthermore, users globally need to be aware that the GDPR does not address device security -- a topic which is obviously near to our hearts here at ReFirm. In that sense, while we applaud the GDPR's efforts to advance the cause of privacy, it's simply true that it doesn't protect users from the vast amount of data that's collected via connected devices that have been compromised by hackers.
Device-level protections need to start with the manufacturers, but as we've previously discussed there is little financial or legal incentive for connected device manufacturers to go the extra mile in ensuring device security, particularly when they are in a rush to market. Instead, truly protecting privacy currently falls squarely on the shoulders of device users, whether those users are consumers with Ring doorbells or IoT implementers meshing together thousands of devices into industry-specific solutions.
Just as the GDPR gives users proactive rights over their data, device users can be proactive in safeguarding their personal data themselves. Among other security practices, users should only use devices that come from reputable manufacturers or are provided by a reputable source. Further, since even reputable devices can have security flaws that were undiscovered before release to the market, users need to be sure that they are keeping both their device firmware and software up to date.
The need for users to ensure their own connected device security is why the GDPR alone isn't enough to protect data. Privacy is a right, and the GDPR is a good start -- but in the final analysis, security is everybody's business.
----------------------------------------
When we talk about privacy, data protection, and device security, we know what we're talking about. Our team has years of cybersecurity experience at the nation-state level, and we've brought that experience to ReFirm and to our Centrifuge platform, which mitigates the data protection and privacy risks of connected devices by analyzing and continuously monitoring them for threats.
If you'd like to see a demo of how Centrifuge can help mitigate the risks of connected devices, request one now.