As this term is the number one searched term related to data privacy on Google, I thought this relatively short primer may help clear things up.

GDPR Primer

GDPR or general data protection regulations came into effect in May 2018 as a successor to the Data Protection Directive of 1995. The intention of the regulations was to create one set of rules for all EU states to follow when protecting personal data.

The regulations are mandatory as opposed to the data protection act which was a voluntary code of conduct and identifies three main parties in the data protection chain. These are a data controller, data processor and subject (an individual person) which I’ll explain shortly.

Why GDPR came into being?:

At a simple level, the rules came into place as a result of the age of big data and the internet and revelations around abuse of how our personal data was being monetised by ad-tech, data brokers, tech giants and others.

It’s widely believed that the revelations of Edward Snowden around US government mass surveillance programs which targeted US citizens but also inadvertently included EU citizens triggered alarm bells in Europe and pushed the issue of data protection to the fore.
Another major case recorded was Max Schrems vs Facebook Ireland in 2013 in an action where Schrems won.
The issue at hand was with respect to Facebook’s failure to get his consent to transfer his personal data back to the US for further processing. This of course had larger ramifications for all EU citizens data and how it was automatically transferred outside the EU without knowledge or proper supervision.

More >>

We of course saw GDPR implemented in 2018 but this has spurred a raft of follow-up legislation internationally at the country and state level. I mentioned in my previous article What is GDPR? developments with the data protection acts of 2018 in Ireland and the UK.

These changes are essentially refinements and in some cases dilutions of GDPR regulations. But what about the US? Well in 2019, 5 US states alone implemented new or updated data privacy laws whilst in 2020, California implemented sweeping changes with it’s CCPA regulation (“What is CCPA?”:Related Article) while New York enacted it’s data privacy updates with the implementation of it’s Shield Act which strongly focuses on data safeguards, expands the definition of private (personal information) and strengthens it’s breach notification rules in instances where HIPAA or Graham-Leach-Bliley doesn’t take precedence.

Developments on international transfers have also been to the fore in 2020 with the ruling on the invalidity of the EU-US privacy shield “Privacy Shield is struck down”:Related Article muddying the waters for US companies doing business in the EU. It’s safe to say that each regulation has it’s own nuances which is further complicated by the fact that many companies operate under multi-jurisdictional data privacy rules which are often subject to conflicting interpretation.

Perhaps one of of the more interesting trends in compliance, is the rise of AI and underlying technologies. I refer back to my article on CCPA regulation and the section on Innovation Automation. Where I highlight 3 companies and their approach to specific data privacy challenges.

It’s apparent that regulated firms, globally, have been overwhelmed by the burden of regulation and they need automation and skilled resources such as legal compliance help, privacy practitioners (such as myself) and regtech solutions integrators to address the challenges.
Fines and reputational damage are too costly not to get it right anymore as the regulators seek to make examples as never before.

So what’s in the CCPA regulations?
Applicability: It applies to any qualifying business, in any country who has customers or employees based in California. Qualifying businesses being those who have annual gross revenues in excess of $25 Million or trades data on more than 50,000 customers annually or derives 50% or more of it’s annual revenue from selling personal information.

Sanctions: California consumers may invoke the new law where enforcement actions may include a $2,500 penalty per record for an unintentional violation and $7,500 penalty for an intentional violation. (If Cambridge Analytica happened today, that would be 50 million multiplied by $7,500 or 375 with nine zeros).
At a lower level, the act allows a “Private right of action” for California Residents, allowing claims of $100 to $750 per incident, whether actual harm is proven or not. This law is tied to the recently updated California Data Breach Notification Law AB 1130 which defined data in scope including driver’s license, social security number, email address, account numbers, as well as medical, health and biometric information.
More >>

In the UK the latest information commissioners office report shows that GDPR fines have tripled in the space of a year on the back of BA and Marriott rulings, while in the US, the California Consumer Privacy Act (CCPA) and New York Data Shield acts have just been enacted in 2020 and will certainly see data security perp walks of sorts very shortly if data breach history teaches us anything.
Well, let me start by saying, I’m sorry to be alarmist, but it’s my  job in security to be the squeaky wheel sometimes. So, in this article I hope to set you in the right direction if you have more than a passing interest in privacy by design (PbD) and data protection regulations, in particular how EU and US registered businesses in a post privacy shield era can better prepare for GDPR and CCPA regulations using a 10 point plan. The plan has been designed more toward medium to large size regulated firms given that budget constraints for security controls like IAM and the ability or requirement to hire a data protection officer maybe beyond reach of smaller firms.

In order to prime you for these steps, may I recommend that you have a glance at the GDPR FAQ’s from the EU commission press office, CCPA guidance from the Office of the Attorney General in California and New York Shield Act text from the NY Senate which is useful at a high level.

More >>