EU’s GDPR: Bigger Than Macron or Le Pen

May 01, 2017 / in Blog, Encryption/Security / by Zafar Khan, RPost CEO

The biggest unifying force in Europe may be cybersecurity regulation. Despite Brexit and the wavering EU support in France, all 28 EU member states are implementing the General Data Protection Regulation (GDPR), which goes into effect in May 2018. GDPR will standardize cybersecurity across all 28 member states, including the UK, Brexit or not.

GDPR aims to protect the rights and data of any EU citizen or resident by requiring those companies who access their data to clearly explain how it is going to be used, processed, stored, sold, and for how long. Companies must 1) obtain permission from the person to use their data, 2) provide specific notification of a data breach, 3) allow the person to transfer their data to another provider, including a competitor, and 4) remove a person completely from their database if requested.

American Companies Can be Fined up to 4% of Worldwide Sales

GDPR violation fines are steep and they apply to ANY company that accesses the data of an EU citizen or resident, even if they aren’t living in the EU. Fines range from 10 million euros or 2% of total worldwide sales to 20 million euros or 4% of total worldwide sales, whichever is higher.

An EU citizen who is a customer of Google, for example, can request a copy of their usage data and see what Google knows about them. They may see reporting on where they were each time they logged into Google and how much time they spent online. Google, Facebook, and any other data processor have to prove GDPR compliance and demonstrate ongoing data monitoring.

The steepest fines are imposed for violation of Article 5. This requires that personal data is

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

This means businesses must use available technology, such as email encryption and other forms of cybersecurity services, to prevent unauthorized access and/or use of personal data.

Pseudonymization – A quick fix?

Pseudonymization offers an easier way to comply with GDPR. This long word just means replacing the personal data in a record with a code. Since GDPR is all about personal data, if you can find an easy way to remove this data, you’re home free. Once you’ve used this technique, you can still analyze behavior or create marketing campaigns, but you won’t have access to a subject’s name, address or birthday.

The Right to Be Forgotten

GDPR also provides the Right to Be Forgotten (RTBF). A person can request that Google, for example, remove links to public records that detail his financial circumstances, even though the public records still exist. This was a real case brought by the Spanish Data Protection Agency that was settled by the European Court of Justice in favor of the plaintiff. This could create a huge request volume once people realize that they can erase links to their home foreclosure, a settled malpractice lawsuit or a divorce report.
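The pseudonymization described in the previous section, together with the erasure step a Right to Be Forgotten request would trigger, as an added example that is not part of the original post. The `Vault` class, the field names and the sample login records are assumptions constructed for the illustration.

```python
import secrets
from collections import Counter

# Fields treated as direct identifiers; all of them leave the data set.
DIRECT_IDENTIFIERS = ("name", "email", "address", "birthday")

class Vault:
    """Code <-> identity mapping: the extra information that allows re-identification.
    Kept apart from the pseudonymized records (assumption: a dict stands in for it)."""
    def __init__(self):
        self.code_by_email = {}
        self.identity_by_code = {}

    def code_for(self, rec):
        """Same person -> same code, so behaviour can still be analysed."""
        email = rec["email"].lower()
        code = self.code_by_email.get(email)
        if code is None:
            code = secrets.token_hex(8)  # random: not derivable from the record
            self.code_by_email[email] = code
            self.identity_by_code[code] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        return code

    def erase(self, email):
        """Right-to-be-forgotten step: without this link the remaining rows
        cannot be attributed to the person."""
        code = self.code_by_email.pop(email.lower(), None)
        if code is None:
            return False
        del self.identity_by_code[code]
        return True

def pseudonymize(records, vault):
    """Replace the direct identifiers in each record with the subject's code."""
    return [{"subject": vault.code_for(r),
             **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}}
            for r in records]

def visits_per_subject(pseudo_records):
    """Analytics that needs only the code, never the name or address."""
    return Counter(r["subject"] for r in pseudo_records)

# Constructed sample login records (fictional people).
SAMPLE = [
    {"name": "Ana Lopez", "email": "Ana@example.org", "address": "Paris", "birthday": "1980-03-04", "login": "2017-05-01T09:00"},
    {"name": "Ana Lopez", "email": "ana@example.org", "address": "Paris", "birthday": "1980-03-04", "login": "2017-05-02T10:00"},
    {"name": "Bo Ng", "email": "bo@example.org", "address": "Berlin", "birthday": "1975-11-11", "login": "2017-05-01T11:00"},
]
```

While the vault still holds the mapping, the records remain personal data under GDPR; the gain is that analysts, and anyone who obtains only the pseudonymized set, see no names, addresses or birthdays.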

Even if France leaves the EU and the EU dissolves, these data protection regulations will likely stay in effect.

RPost predicts that GDPR will compel businesses operating in Europe not only to transmit information securely, but also to retain auditable proof of compliant, secure email delivery. For many businesses, the latter driver will require them to change email encryption services altogether.