Well, GDPR is not scaring anyone. In fact, it’s a lawyer’s dream come true. It’s becoming quite clear that Europe and the U.S. are attacking GDPR compliance problems from different angles. In Europe, the compliance budget covers lawyering up, whereas on the other side of the pond, the Americans are using their compliance budgets to solve the problems with automated solutions. That is the opposite of what we’d expect given the litigious nature of the U.S. It seems the worm has turned.
I’m thinking that this swing is due to the practical implications of the very similar, yet different, legislation. Let’s look at GDPR: non-compliance results in a fine of 4% of annual revenue (or €20m, whichever is greater). How? Well, the ICO imposes fines on a case-by-case basis, with fines being discretionary, not mandatory. That doesn’t really benefit Johnny Public, does it? In the U.S., non-compliance (with CCPA, for example) results in a consumer (yes, Johnny Public) suing the company for $750. Simple, straightforward and completely comprehensible to the individual.
It really doesn’t matter that GDPR can apply sanctions where it is believed a company is at risk of a breach, while CCPA kicks in only after a breach, because once again that’s a detail that does not bother Johnny Public. So in Europe, they attack the problem with lawyers, because at minimum it’s a €20m problem, whereas in the U.S. they attack the root of the problem and find or create technologies that will help solve the problem of discovering personally identifiable information (PII), because it’s much bigger than a €20m problem.
Whilst data privacy legislation in the U.S. takes its lead from GDPR, in terms of adopting technology to address compliance issues, the U.S. seems to be ahead. They’re anxious to find the technologies that will save them from the waste of human resources involved in the discovery of PII. The more you talk with any corporation and try to identify the many places where they store PII (file shares, databases, etc.), the more you realize there’s an issue, and the biggest issue is manpower. So companies are seeking to use technology to do the legwork, since computers do what you tell them to do, whereas people do what they want to do. The U.S. is a leader in technical solutions to the problem. Europe will wake up at some point and realize they’re behind the technology curve. We can see it in the disproportionately low number of fines relative to breaches in Europe, where they’re smothering the problem with legal.
Technology solutions for meeting GDPR and data privacy compliance are evolving
GDPR legislation states that a company must make its best efforts to comply and to address the problem of PII. There have been solutions around for the last few years addressing privacy and personal data, and they are good at what they do. We can point these solutions at a file server or database and tell them to go find PII. Looking back at PCI DSS, for example, you would talk to everyone in a company to find out where PII might be located, and this was a huge effort. What we found six months later, after we had made these huge manual efforts and invested all this money, was that we were no longer compliant with PCI. The common issue is that the quality of the compliance is only as good as what you already know.
Today, you have solutions that are looking at the problem from a slightly different perspective. If you don’t know where your PII is and you must rely on people to tell you where it is, you’re not using the best approach, because people don’t always know, they forget, they leave companies and so on. Plus, you have had an explosion in the last few years of DevOps and shadow IT, and these teams, in order to do their jobs effectively, spin up servers and bring on resources and then take them away again, so you end up with replicas of PII. DevOps and shadow IT are largely ungoverned because of the speed of business and the requirement to get things done. This means that in any network, in any corporation, no one can say with any degree of confidence where all their PII data is. A partial inventory of PII isn’t good and isn’t compliant.
In order to be compliant and deliver on DSARs (data subject access requests), you must know where all the PII is. At 1touch.io, for example, we take a copy of network traffic, and when we see traffic that is carrying PII we can see where it’s generated, stored, or processed, and we know immediately where we’re going to find PII because we know the location of those servers.
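As an added illustration of the two discovery approaches described above (the "point it at a file server" scanning of the previous section and the traffic-inspection approach of this one), the following Python script is example code written for this page; it is not 1touch.io’s product or method. It runs a small set of PII detectors (email, U.S. SSN pattern, and card numbers validated with a Luhn check) over constructed flow records and constructed file-share contents, then builds an inventory of which destination hosts receive PII, which sources generate it, and which files hold it. All hosts, ports, paths and values are made up.

```python
import re
from collections import Counter
from typing import Dict, List, Set

# Detectors for a few common PII shapes. The regexes are deliberately simple;
# a real discovery tool would use tuned patterns plus more validation.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # U.S. SSN layout only
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13-19 digit runs, spaces/dashes allowed


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; cuts false positives on card-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> Counter:
    """Return a Counter of PII types found in a chunk of text (zero counts dropped)."""
    hits: Counter = Counter()
    hits["email"] += len(EMAIL_RE.findall(text))
    hits["ssn"] += len(SSN_RE.findall(text))
    for candidate in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", candidate)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["card"] += 1
    return +hits


# Constructed sample flows (src -> dst:port with a payload excerpt); not real captures.
FLOWS: List[Dict[str, str]] = [
    {"src": "10.0.1.15", "dst": "10.0.2.40", "dport": "5432",
     "payload": "INSERT INTO customers VALUES ('Alice','alice@example.com','4111 1111 1111 1111')"},
    {"src": "10.0.1.15", "dst": "10.0.2.41", "dport": "8080",
     "payload": "GET /health HTTP/1.1"},
    {"src": "10.0.3.7", "dst": "10.0.2.40", "dport": "5432",
     "payload": "UPDATE staff SET ssn='123-45-6789' WHERE id=7"},
    {"src": "10.0.1.15", "dst": "10.0.2.99", "dport": "445",
     "payload": "customer export: bob@example.org card 4111111111111112"},  # fails Luhn
]

# Constructed file-share contents (path -> text); also made up.
FILES: Dict[str, str] = {
    "//fs01/hr/staff.csv": "name,ssn\nCarol,987-65-4321\n",
    "//fs01/pub/readme.txt": "Nothing sensitive here.",
}


def inventory_from_flows(flows: List[Dict[str, str]]) -> Dict[str, dict]:
    """Map each destination host:port to the PII types flowing to it and the
    sources sending it. Destinations are where PII is stored or processed;
    sources are where it is generated."""
    inv: Dict[str, dict] = {}
    for f in flows:
        hits = find_pii(f["payload"])
        if not hits:
            continue
        key = f"{f['dst']}:{f['dport']}"
        entry = inv.setdefault(key, {"types": Counter(), "sources": set()})
        entry["types"].update(hits)
        entry["sources"].add(f["src"])
    return inv


def inventory_from_files(files: Dict[str, str]) -> Dict[str, Counter]:
    """Same detectors applied to file-share content; returns only files with hits."""
    found: Dict[str, Counter] = {}
    for path, text in files.items():
        hits = find_pii(text)
        if hits:
            found[path] = hits
    return found


if __name__ == "__main__":
    for host, entry in inventory_from_flows(FLOWS).items():
        print(host, dict(entry["types"]), "from", sorted(entry["sources"]))
    for path, hits in inventory_from_files(FILES).items():
        print(path, dict(hits))
```

The point of the flow-based inventory is that it is driven by what actually moves on the wire rather than by what staff remember: a database port that nobody listed still shows up as a PII location the moment a client writes a card number to it. The file scanner uses the same detectors, so the two inventories can be merged into one map of where PII lives.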
PII legislation and compliance will expand and become easier to manage and understand
Looking ahead, in the U.S. the rest of the states will begin to follow in terms of PII legislation and compliance. You’re starting to see new legislation and regulations such as CCPA catch on like wildfire. It’s going to affect other areas as well, where people will start asking what constitutes personal data and information, so the definition will become more refined. How successful additional legislation will be will depend on the difficulty it imposes on people, the burden of responding it places on companies, and the ease with which it’s understood. Legislatures are getting better at using language that people can understand. We’ll also see agencies that chase down non-compliant companies die out. At this point, no one is trying to punish companies for being non-compliant, unless they’re being non-compliant for their own benefit. Instead, compliance is about making sure everyone is playing on a level field.