The financial and ethical penalties of violating GDPR are so significant that every company must fundamentally shift how they manage big data, said IBM Security's vice president.
TechRepublic's Dan Patterson talked with IBM Security's vice president Caleb Barlow about why the GDPR has such a wide impact.
Patterson: If you use the internet, and you do use the internet, right? Your email inbox has been flooded with privacy notifications since May 25th. That was the implementation of the EU's GDPR. That's the General Data Protection Regulation. But who and what is the GDPR protecting?
Caleb Barlow, IBM Security, we now live in a post-GDPR world.
Barlow: We do, for a couple of days, anyway.
Patterson: For a couple of days. We have been preparing for this for at least two years. Let's start with the 101, the basics. What is the GDPR, and who and how does it protect people?
Barlow: Well, the GDPR is focused on protecting the privacy of European citizens. Now, the reality, however, is because the penalties of violating GDPR are so significant, many organizations are very concerned that with one European citizen in the mix, their data could potentially open the door to rather direct and significant penalties.
You're looking at 20 million euros or 4% of last year's turnover, for example, if you don't declare a breach to European regulators within 72 hours. And 72 hours is not a lot of time.
Patterson: All right, so there are a number of territories in the world. Why does a regulation that protects EU citizens impact people all over the world?
Barlow: Well, if you think about a lot of corporations that are maybe selling different things or providing various services online, you've been in a posture for probably the last decade of gather as much data as you can about your customers. Mine that data. Use it in new ways. Find new insights. Some companies even package up that data and sell it.
The challenge is, you've been gathering all this data for probably the last decade. You don't even know what you've got in there. You probably haven't segmented who's a European citizen, versus a US citizen, versus a Canadian citizen. You don't necessarily know who you've sold that data to or where it's gone.
It's causing some new thinking from a lot of companies. In fact, we found that 80% of organizations are rethinking how much data they gather in the first place. What I find even more interesting is 70% are now looking at the data they've collected historically and purging a lot of it, saying, "Look, I don't necessarily know what's in there. I don't necessarily know how to manage it. I'm just going to get rid of it if I don't need it."
Patterson: Okay, before we get into the security implications of the GDPR, I want to talk a little bit about the Wild West. Have we been living in this era of fast and loose data? What does that mean after this transition has occurred?
Barlow: Well, I think one of the things we have to recognize is that there are many companies that gather data in order to provide you with better services and capabilities. For example, the pizza place where I buy pizza keeps my credit card so the next time I order pizza, I don't have to give them my address to deliver it to again and my credit card again. That's a pretty simple example.
However, there are a lot more complex examples, like what we see, for example, in social media, where we might not only be tracking your credit card information, but your geolocation within a foot every place you move during the day, your likes, your interests, what you look at online. In many cases, we all, as consumers, have become the product that is sold by these businesses.
This is about getting in front of that, giving individuals some control over their data, giving them the ability to, for example, be forgotten, to have all of that data removed upon request, or at a bare minimum, to see what a company is tracking about you and how they're using it.
Patterson: The tech industry, especially the consumer technology industry, will say the GDPR stifles innovation. It prevents us from gathering data that is not just helpful and useful to consumers but also critical for us to develop new applications and execute new ideas. Is this a good line of reasoning, or is this an anti-regulatory gripe by the tech industry?
Barlow: Well, it's probably a bit of a gripe. The reality is it does, for some businesses, mean a bit of a shift in terms of business models. But there is absolutely an opportunity for companies to be the trusted steward of individuals' data. I think what we really need to look forward to is how we become those companies that people trust with their data, maintain it appropriately, and provide them the products and services they want without them being the product that is sold and bartered openly in a way that isn't exactly transparent.
Patterson: Trust and trust equity is one of the huge opportunities that the GDPR could open. But when we look at consumer data and when we look at how consumer sentiment is, on the one hand, there is the Facebook/Cambridge Analytica scandal that exposed tens of millions of people's private information to unknown developers and to a lot of different, maybe nefarious, actors.
On the other hand, at least American consumers continue to use social media pretty unimpeded. What is the disconnect between intellectually understanding that your data could be out there in the wild and the lack of consumer care about this type of potential liability?
Barlow: Well, I think this is changing, and it's changing rapidly. In a recent study, we found that only 20% of consumers actually completely trust the companies with which they interact, which goes to your first point that there's a bit of a lack of trust there today. But what we also found in the same survey is that 75% of consumers, no matter how good a product or service is, are now questioning whether they should buy that product or service from a company whose ability to handle their data they don't necessarily trust.
I think we're going to start to see that shift, because more and more, these things are becoming transparent. More and more breaches are being disclosed. Consumers are aware of when they've lost their data, and we've all seen the impact of this.
But we're also starting to recognize that data is a currency, and it's being actively sold and bartered in many cases without our consent. There may be new business models, new capabilities that deliver the same products and services and expectations that we all have without our own data being sold and us being what's offered up as a commodity.