GDPR - Another Y2K or Real Apocalypse?

If you’ve been in this business long enough, you have lived through multiple “Hype Cycles”. They start with some vaguely defined ‘problem’ that if not addressed will lead to the end of the world, or at least, you and your organization’s world.

We’ve seen this before, and now we’re about to see another wave of hype from GDPR, the EU’s latest personal privacy regulation set to take effect on May 25, 2018. It’s reminiscent of another hyped event that had everyone holding their breath on New Year’s Eve in 1999.

Truth be told, part of the reason we saw almost no impact Jan 1, 2000, is that while there was a lot of hype, there were also real Y2K problems to be solved and they were addressed (ad nauseam) by IT world-wide. GDPR seems to be in the same boat. There are real potential problems to address, but it’s likely not the catastrophic all-encompassing event portrayed in many posts on this subject.

What we’re going to show here is that there’s a reasonable approach to assessing your (likely lack of) impact from GDPR, while addressing any real concerns.

Y2K… the Big Nothing-burger

One of the most infamous hyped tech disasters is Y2K, which created a veritable state of hysteria in the IT community and in the citizenry at large. Many experts feared that computer programs storing year values as two-digit figures, such as 99, would cause problems. As the end of the 1999 approached, media outlets got in on the hype, echoing the “millennium bug” warnings of massive technical glitches and economic fall-out.

The result? Instead of clanking champagne glasses, welcoming in the New Year and the new millennium, people around the world were anxiously awaiting the fallout from the terrifying, ominous Y2K bug.

While impacts on January 1st, 2000, were imperceptible, the effort invested was estimated to cost over $100B with $9B in the U.S. Government alone.

Was Y2K a significant problem that needed addressing before 12/31/99 at 11:59 AM?  Of course.  A $100B problem?  Doubtful.  And one that resulted in billions in panicked, possibly unneeded business expenditures and run-on-the-stores consumer spending – flashlights, generators, water, food supplies – by people who were taken in by the hype.

We now have another issue that is creating a similar level of misinformation, fear, uncertainty and doubt – GDPR.

The Lowdown on GDPR

The General Data Protection Regulation (GDPR) was passed by the EU Parliament in April 2016 to address the growing concerns of private citizens regarding how personal data is utilized by businesses and organizations doing business in the EU and with European citizens.

Officially, the GDPR “not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects,” according to the official GDPR FAQs. “It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”

Personal data is defined as any information related to a “natural person” or “Data Subject”, that can be directly or indirectly used to identify the person. Data can be a name, a photo, email address, bank information, social media posts, medical information, or a computer IP address.

What’s Required vs. the GDPR Hype

If we ask others in the Information Security industry how GDPR applies to U.S. companies, and then ask the same questions to a room full of privacy attorneys (and we have), we may get opposing opinions.

InfoSec and privacy company marketing materials will tell you if you have EU citizens as customers, you must comply with GDPR, full stop. I read half a dozen articles and white papers from reputable sources that make that exact statement just today alone.

Attorneys might advise yes, but only if:

  • Your company has physical facilities in the EU
  • Your company markets your services directly to EU citizens
  • Your company has an EU-based business or technology presence
  • Your company has a contractual relationship with a GDPR Data Controller that making you a GDPR Data Processor

Who Needs to Comply in the U.S. – and Who Doesn’t

Increasingly, our clients have been filling my inbox with questions on GDPR requirements and what they must do to be compliant. Here are a few of the top concerns we’re hearing, and the real answers regarding your true GDPR compliance requirements.

“We aren’t in the EU, but we do get EU citizens as customers who walk into our U.S.-based and located store/business/hospital, and now we need to comply with GDPR!”

In most cases, companies are not required to comply under these circumstances.  Unless you’re marketing to EU customers which bring them into your U.S. business, you have no GDPR responsibilities if an EU citizen uses your services here in the U.S.

“We aren’t in the EU, but we do get EU citizens as customers who walk into our U.S.-based and located store/business/hospital, and now we need to comply with GDPR!”

In most cases, companies are not required to comply under these circumstances.  Unless you’re marketing to EU customers which bring them into your U.S. business, you have no GDPR responsibilities if an EU citizen uses your services here in the U.S.

“We’re a Data Processor for an EU company, and although we have no EU presence whatsoever, we need to comply with GDPR.”

Yes, but only the parts that you need to maintain your contractual relationship with the Data Controller.

Ultimately, most Data Processors based and operating solely in the U.S. are only exposed to GDPR via a contract with GDPR Data Controllers they provide processing services to.   Data Controllers are companies that collect and have custodial responsibilities for EU citizen data and are under the regulatory control of the Data Protection Authority (DPA) in the EU country in which they are located.  If you have a presence in many EU countries, you can shop for the most favorable DPA as some countries are expected to be more aggressive in enforcement than others might be.

If you only process EU citizen data for a Data Controller, you are a GDPR Data Processor and the Data Controller dictates contractual requirements to you that will enable them to meet their GDPR responsibilities.  Receiving your first contract with a Data Controller that has requirements for GDPR compliance is often the first time U.S. companies realize they will be impacted by GDPR.

“We sell our parts to companies in the EU – GDPR!”

Unlike the U.S., the EU still has the good sense to realize corporations are not persons, so it’s likely there’s no need for GDPR here, either.  I see companies signing up for things and adding policies for things they do not even do because a GDPR expert with a product to sell told them they had to have them to be compliant.

The Future of GDPR Enforcement in the U.S.

GDPR is treated as a must for compliance because of the massive fines – fines that have no obvious method of legal enforceability in the U.S. if you are not an EU-company or a U.S. business that wishes to continue to do business in the EU.  U.S. companies cannot be hauled into an EU court for things that happen here and only here.

Furthermore, if you are subject to GDPR, you should identify a ‘main establishment’ and the associated DPA in the EU country in which you are based who will act as the enforcer of GDPR.  Since the U.S has no EU DPA, there’s no one to register with, no one with legal authority over you and no one to come after you if things go wrong.

On top of all of this, massive, lengthy test cases against Facebook or Google or another giant with legal department better funded than many EU countries will need to be tried and ruled upon before any real enforcement can happen.  As a result, elements of GDPR that are most disruptive to U.S. IT operations are also the elements of GDPR that may be weakened, reinterpreted or rendered legally moot.

Fred Langston

Fred Langston CISSP, CCSK

Executive VP of Professional Services