When many of us look at regulations, we might think that as long as we’re following a framework, we’re probably covered from a PCI and HIPAA standpoint. However, the EU Data Protection regulation is a bit different. It isn’t just a security regulation, but more of a privacy regulation. The group started their discussion of this topic by looking at enforcement. How can this be enforced, and what are the fines and penalties? While many of those at the table don’t have offices based in the EU, some do still hold data from customers based in that region, and therefore now have to consider the legal and jurisdictional challenges of managing and storing that data. Similarly, the group cited the importance of focusing on third-party vendors and how they interact with this data, which in turn means that third-party security will be an even more important issue when it comes to handling GDPR.
The group also talked about how even using tools like Dropbox or Google Docs factors into this issue. Do these resources also need to be compliant and regulated? How do the companies that manage them play a role in keeping them secure? The topic of audits after a data breach has occurred also came up in conversation. During this kind of audit, security teams will now have to be more aware of how EU customer data is used and of the levels of consent customers have given over the use of that data. You can have a great security program, but do you also have the ability to purge a customer’s data from all your systems should a breach arise and they want their information removed? This in turn raises the question of what a reasonable turnaround time for doing this is. This led the group to agree that having a comprehensive data map will be increasingly important, as will partnering with your legal team to make sure that policies and procedures are being followed.