Learning to Wear the European Union’s data directive with style
by David Gibson, Director of Strategy, Varonis
There is bound to be a certain amount of controversy over the harmonisation of Internet data directives between countries. Cooperation between the EU and the US is nonetheless becoming not just more important but, as time goes on, less controversial; the agreement for terrorist suspects to be handed over to the US is to be applauded. Within Europe, though, the argument continues: Internet retailers claim that enacting the new legislation will burden their customers with too many requests for permission and that they will lose valuable data if people refuse to be tracked. An examination of the legislation, however, suggests that the US could learn much from the application of Internet law in Europe.
It is under these circumstances that Varonis Systems welcomes the news that a common set of privacy standards is to be applied to organisations across the entire European Union for the first time, together with a plan that includes prompt notification of breaches and other ‘data misplacements’. This is the first significant update of data protection legislation since the 1995 Directive, so it is well overdue. The measures are still being finalised within the European Commission, so some of the fine detail has yet to be revealed, and they will have to be approved by the national governments. Some, particularly Germany, will be reluctant to cede ground on privacy matters to Brussels, so it will likely take two to four years before the measures come into effect.
Despite the economic problems which made international headlines in the last few months, Europe remains a vital market for North American companies. It is a staging post for the Middle Eastern and African markets and London is still one of the most important financial capitals in the world. The United Kingdom coalition government has led the way in fiscal probity for Europe. However, Europe does have a habit of making things difficult for itself and the new laws have been viewed by some as falling into this category.
The proposals are designed to significantly increase the EU’s powers to punish those who allow major data breaches to occur or who sell customer data to third parties without authorisation. They also aim to give further protection to information held by social networks and cloud computing services. Organisations will have 24 hours to notify the data protection authorities, and the affected individuals, once private data has been compromised. By ensuring that the rules also apply to the European subsidiaries of foreign groups, the new rules will force global companies to strengthen their data protection policies. All companies with more than 250 employees will have to appoint dedicated staff to deal with data protection issues. The rules will give the EU powers in policing privacy similar to those it wields in competition matters, where it can impose fines of up to 10% of turnover for violations.
In a teleconference last week between members of the European Commission in Brussels and the US Department of Commerce in Washington, Commission vice president Viviane Reding suggested that the US copy the EU’s approach, one which could imply a heavier hand. Reding said that the aim of the meetings between the commercial regulators of the two governments was nothing short of “regulatory convergence”, suggesting that they should come to an agreement on the language of the respective laws governing how ISPs and content providers handle personal data protection. She said that it is up to Washington to catch up with the “gold standard” that Europe has already set. So while Brussels and Washington argue over the respective effects of the USA PATRIOT Act of 2001 and what counts as an adequate level of protection for European data held in American data centres, US organisations doing business in Europe will have to establish mechanisms to comply with this new law.
So, should we be horrified by European bureaucracy or beat the drum for watertight data protection? In our opinion the new rules are an excellent balance between the very real data privacy needs of citizens against the practical issues of managing data within the modern corporate environment.
Many IT security professionals have expressed concerns about the technical problems associated with managing, protecting and auditing access to their growing data stores. While these concerns are understandable, the reality is that with the correct technology in place these issues can easily be solved.
The US-EU Safe Harbor program was created as a way for US companies to comply with the EU Data Protection Directive. It allows companies that self-certify their adherence to the Safe Harbor principles to process EU personal data even though the US as a whole has not met the EU’s adequacy standard for privacy protection. The Safe Harbor principles reflect seven fundamental principles drawn from the Directive: 1) notice, 2) choice (the ability to opt out), 3) restrictions on onward transfer, 4) security, 5) preservation of data integrity, 6) the individual’s right of access and 7) effective enforcement.
Many organizations have been struggling with non-existent or limited permissions management, classification, and auditing capabilities included with their data stores, but new metadata framework technologies can provide intelligence, automation, and control across multiple platforms to allow C-level executives to sleep easy.
Surely we do not need the threat of legislation to ensure that we remain compliant? Sensitive information should only be accessible to those who absolutely require access. But just how many companies actually have the security procedures in place to make this happen? The honest answer is: not many. In practice, many IT departments face significant challenges keeping authorisation up to date: making sure the right users are in the right groups, and that the right groups map to the right data resources, such as folders, sites and mailboxes. This matters because users move through an organisation, changing roles and accumulating access to more and more data, much of which they no longer need. Unless the processes to grant, review, analyse and revoke access are automated, content is automatically inspected for sensitive data, and access activity is monitored and analysed, the organisation will be unable to maintain correct authorisation or to spot likely threats in its access activity.
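The three controls just described (keeping group membership aligned with role entitlements, inspecting content for sensitive data, and reviewing access activity against entitlement) can be sketched as a small access-review script. The following is an added example written for this article; it is not Varonis code or a description of any product. All users, groups, paths, roles and log events in it are constructed for illustration, and the entitlement matrix (which roles may reach which resources) is a hypothetical input that a real deployment would draw from its own HR and data-owner records.

```python
"""Access-review automation sketch.

Reconciles group membership against resource ACLs and a role entitlement
matrix (the "right users in the right groups, right groups on the right
resources" problem), scans content for sensitive data, and flags access
events that fall outside a user's entitlement. All users, groups, paths and
events below are constructed for illustration."""
import re
from collections import defaultdict

# Constructed directory state (hypothetical names, not real accounts).
USERS = {"alice": "hr", "bob": "finance", "carol": "engineering"}  # user -> current role
GROUPS = {
    "hr-staff": {"alice", "bob"},       # bob moved from HR to finance but was never removed
    "finance-staff": {"bob"},
    "eng-staff": {"carol"},
}
# Resource -> groups granted access, as a file-server ACL would record it.
ACLS = {
    "/srv/hr/payroll": {"hr-staff"},
    "/srv/finance/ledger": {"finance-staff", "hr-staff"},  # over-broad grant
    "/srv/eng/src": {"eng-staff"},
}
# Role -> resources that role legitimately needs (the hypothetical entitlement matrix).
ENTITLEMENTS = {
    "hr": {"/srv/hr/payroll"},
    "finance": {"/srv/finance/ledger"},
    "engineering": {"/srv/eng/src"},
}


def effective_access(groups=GROUPS, acls=ACLS):
    """Map each user to {resource: {groups that grant it}} via group membership."""
    access = defaultdict(lambda: defaultdict(set))
    for resource, granted in acls.items():
        for grp in granted:
            for user in groups.get(grp, ()):
                access[user][resource].add(grp)
    return access


def find_excess_access(users=USERS, groups=GROUPS, acls=ACLS, entitlements=ENTITLEMENTS):
    """Return sorted (user, resource, via_group) triples where a user can reach a
    resource their current role is not entitled to: the candidate revoke list."""
    findings = []
    for user, resources in effective_access(groups, acls).items():
        allowed = entitlements.get(users.get(user), set())
        for resource, via in resources.items():
            if resource not in allowed:
                findings.extend((user, resource, grp) for grp in sorted(via))
    return sorted(findings)


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum: true for well-formed card numbers, false for most look-alikes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of sensitive-data categories found in a piece of content.
    Card numbers are reported only if they pass Luhn, which filters out invoice
    and ticket numbers that merely look like a PAN."""
    categories = set()
    if EMAIL_RE.search(text):
        categories.add("email")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in PAN_RE.finditer(text)):
        categories.add("card-number")
    return categories


# Constructed access log: (user, resource, action).
EVENTS = [
    ("alice", "/srv/hr/payroll", "read"),
    ("alice", "/srv/finance/ledger", "read"),  # reachable only via the over-broad ACL
    ("bob", "/srv/hr/payroll", "read"),        # stale HR membership actually being used
    ("carol", "/srv/eng/src", "write"),
]


def flag_events(events=EVENTS, users=USERS, entitlements=ENTITLEMENTS):
    """Return events where a user touched a resource outside their role's
    entitlement; these are the ones an analyst should look at first."""
    return [e for e in events if e[1] not in entitlements.get(users.get(e[0]), set())]


if __name__ == "__main__":
    for user, resource, grp in find_excess_access():
        print(f"revoke: {user} reaches {resource} via {grp}")
    print("classified:", classify("Card 4111 1111 1111 1111 on file for jane.doe@example.com"))
    for user, resource, action in flag_events():
        print(f"review: {user} {action} {resource}")
```

Run on the constructed data, the reconciliation reports two grants to revoke (alice reaching the finance ledger through an over-broad ACL, and bob keeping payroll access through a group he should have left), the content scan tags a document containing a test card number and an e-mail address, and the event review surfaces exactly the two reads that used those excess grants. The point of the Luhn check is to keep the classifier from drowning reviewers in false positives: a sixteen-digit ticket number will match the pattern but fail the checksum. A production version would pull users, groups and ACLs from the directory and file servers rather than from literals, but the reconciliation logic is the same.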
The rise of unstructured data (the files, documents and e-mail held on file servers, SharePoint sites and mailboxes, which is growing dramatically in every corporate network) is a problem that has to be faced head-on. As far as unstructured data is concerned, the introduction of a single set of privacy standards for all EU territories is long overdue. The fact that this will be a complex migration for some multinationals, and for those firms pushing into new countries for the first time, is something we should see as a welcome opportunity rather than a dreaded challenge.
The key element of the new rules is that any company holding personal information, be that customer records, internal human resources directories or any other list, will have to be able to show how and why it is using that personal data. This is a service to the customer anyway, and should already be in place in any well-organised company. Another controversial aspect of the legislation is the “right to be forgotten”, which means that companies cannot simply keep information they have finished with, and have no legitimate right to use any more, in their infrastructure, on pain of heavy fines.
This highlights the difference between US and European data laws. As a September 2011 Forrester Research, Inc. report (“Q&A: EU Privacy Regulations”, by Chenxi Wang, Ph.D.) puts it, while data protection requirements in the US “...are commonly industry-centric, those in the EU focus more on the individual’s right to privacy. This leads to a number of differences in how data should be handled in the EU versus the US, especially in transferring data between countries with varying regulatory standards.”
Earlier drafts were reported to propose penalties of up to five per cent of turnover, and some feared that this was too high. While the two per cent maximum in the published proposal will please many industry onlookers, it will still act as a very real deterrent for any company thinking it can simply hope for the best with its existing data protection systems.
The new regulations’ mandate for the appointment of a data protection officer will help focus the attention of many more companies on what has become a major issue in this digital age - and help ensure that the vast majority of firms do a lot more than simply pay lip service to the new regulations.
The application of the rules to non-EU entities, especially those in the US, that want to offer their goods and services in the EU is to be welcomed; it mirrors the way the US Sarbanes-Oxley Act reaches non-US companies that are listed on American exchanges. US companies cannot expect special treatment on mainland Europe.
There are precedents which allow us to say, with some certainty, that many of the objections are ill informed. As we saw with PCI DSS, this controversy will die down after a short period of argument, and what has been declared “impossible” will simply become part of the daily grind of data protection and management. When the senior management of major companies realise what is at stake, and that this legislation protects their customers’ information, they will feel a lot happier.