
New European Data Protection Regulations apply globally

By EAS Team 28 January 2018

Philip Ingram, renowned journalist and industry advisor focused on security, intelligence and geopolitics, examines the potential impact of GDPR for global organisations.

The world is interconnected, and many global companies do business in Europe: investing in European companies, selling to European citizens and tracking the online behaviour of European citizens through their websites. All of these issues mean that, wherever they are based, companies will have to be aware of the incoming European General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679 to give it its official reference.

It comes into force on 25th May 2018 and is all about protecting individuals’ data, but the environment where much of that data is held or processed is the cyber environment. All company Chief Executives should be taking note of it and taking ownership of their data security procedures, as the potential penalties are huge. Philip Ingram from Grey Hare Media looks at its potential impact for non-European organisations.

Steve Grobman, McAfee's chief technology officer, said in an interview at the end of last year, "The evolution of ransomware in 2017 should remind us of how aggressively a threat can reinvent itself as attackers dramatically innovate and adjust to the successful efforts of defenders." We are also seeing an increased availability of cyber-attacks "as a service," not just where they traditionally lay, in the Dark Web, but now increasingly available through sites on the Surface Web.

“This will impact every entity that holds or uses European personal data both inside and outside of Europe,” said Stewart Room, cyber security and data protection partner at PricewaterhouseCoopers (PwC) to Computer Weekly magazine.

According to the legal firm Allen & Overy, “GDPR applies to data controllers and data processors outside the EU if their processing activities relate to the ordering of goods or services (even if for free) to EU data subjects, or monitoring the behaviour (within the EU) of, EU data subjects.” This apparently relates to a company having a web presence in an EU country, for example a .ge or .fr website or if the goods are offered in local currency e.g. the Euro.

The regulations also apply to Cross-Border Data Transfers. Should an organisation use online IT services, cloud-based services, remote access services or global HR databases that hold or process data on EU citizens, it too will be subject to GDPR.

An example of how a company may be subject to GDPR regulation: 

A Singapore-based business sells goods or services over the internet across the globe, including to Europe. It doesn’t have any offices or representatives outside Singapore. Some of the services offered are free and some are paid for, but knowing how difficult it is to get web visibility in Europe with a .ae web address, the company purchases and uses local top-level domains (e.g. ".ge", ".fr"). It also allows transactions in local currency, e.g. the Euro.

In this case, under these European regulations, the Singapore-based business will be processing the personal data of EU residents, as it is offering services into EU countries; this is clear from its use of local web addresses and local currency.

The issue with these attacks is that if they result in the loss of data a company has processed about an EU citizen, and the company does not report it as required by GDPR, then it could be subject to penalties. The penalties the EU is talking about amount to 4% of global annual turnover or €20 Million, whichever is the greater.

GDPR provides specific suggestions for what kinds of security actions might be considered “appropriate to the risk,” including:

  • The pseudonymisation and encryption of personal data.
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Worryingly, at a recent conference for security professionals in London, less than 10% of the 120 attendees indicated they were aware of and had started to think about the potential impact of GDPR. Jason Towse, the Managing Director for MITIE Total Security Solutions, says that this is number one on his risk register. It is probable that a much smaller percentage of global companies are doing so.

Elizabeth Denham, the UK Information Commissioner, is clear when she says, “It is essential to start planning your approach to GDPR compliance as early as you can and to gain ‘buy in’ from key people in your organisation.” One thing is certain: GDPR is coming whether enterprises and organisations are prepared for it or not. Of note, the UK retail giant Tesco, whose banking arm was hacked last year, would face a fine of £1.9 billion under GDPR, according to Computing magazine at the time!

“The commercialisation of cyber-crime combined with the increased temptations to generate commercial or national advantage by exposing rivals to the scourge of GDPR litigation through data breaches enabled through plausibly deniable outlets will become an increasing trend through 2018,” concluded Philip Ingram.