May 25 was a red-letter day for companies in Europe because that’s when the General Data Protection Regulation (GDPR) came into effect. Organizations that fail to protect the data of European citizens and residents, and to delete data they hold on them when requested, among other things, will be fined up to €4 million (US$4.7 million) per case, or 4% of their global revenue, whichever is higher.
Companies in Asia may think they don’t need to worry about something that’s happening in Europe. They may be wrong. “If there's one European person's data in your systems, then you have to comply,” says Chester Wisniewski, Principal Research Scientist at European security company Sophos.
He is a Canadian working in Sophos’s Vancouver offices, where five EU citizens are also based. If any of them were to take out a loyalty card from a Canadian coffee shop, says Wisniewski as an example, that local enterprise would be covered by GDPR. An Asian company that has EU nationals on staff and/or sells to or imports from Europe will be covered as well, since it will hold staff, customer and supplier information in its data banks.
What to do? Wisniewski spoke to CFO Innovation’s Cesar Bacani about GDPR, the impact on non-European companies, the approaches that can be adopted and other issues. Edited excerpts:
GDPR applies only to European companies, right? Those in Asia and outside Europe don’t have to worry about it?
Some companies need to worry about it right now, even in Canada. I was talking to my Member of Parliament a few weeks ago. Canada is looking at passing privacy laws that mirror GDPR, just so that we have a business advantage in Canada being able to sell to Europe.
If we can say: "Our laws are the same as your laws," then more European companies will buy IT services from Canadian cloud providers. I think we'll see more of that around the world. We'll see the GDPR regulation spread.
So a non-European company that does business with European enterprises may be covered by GDPR?
If there's one European person's data in your systems, then you have to comply. We have five EU citizens who work in our office in Vancouver and moved from Germany and the UK. If they walk into a pizza shop and fill out a frequent pizza buyer card, the pizza shop wouldn't know they were European. But it’s now got Europeans' information.
It's going to be messy, because how can Europe impose their law on me when I'm in Thailand? We have no idea how it's going to work. I know how it would work with me – they would refuse me entry and I wouldn't be able to enter Europe again or I go to jail or something.
But if you never go to Europe, how would they punish you? Nobody really knows how that's going to play.
What can non-European companies do?
There are three approaches. You can refuse to do business with anybody from Europe. I've been seeing a few small Internet companies blocking you if your IP address is in Europe and not letting you use their services. I think it's a terrible idea, but it's an option.
The second option is to segregate your European customer information from the rest of it. Do you only want to invest to improve the data security of the stuff that's under GDPR and not for the rest? It looks like Facebook, for example, is only going to protect the EU residents' data with the GDPR rules.
Finally, you can say: “We're going to use this to improve our data security as an organization and, moving forward, everybody will get the new protections.” It's easier to do the same thing for everyone, and if you can identify the benefits to the business of doing it, you may as well.
I think it really depends on the kind of company you are, how you're going to decide to do that. At Sophos, we've decided that everybody gets GDPR protection. Everybody gets the best protection, period.
Regardless of what nationality and where they are?
Yes. As far as our data centers and the way we're structured, it doesn't make sense for us to treat Americans one way and British people another way.
Fortunately for us, we don't mass collect user data. Mostly we just have data about our customers, so it's not as big a deal. I think it's a lot harder when you're Google or Facebook and you're going, "Right, we have 4 billion accounts and this person wants their email from eight years ago deleted."
And Sophos decided to use GDPR as an opportunity to improve data security?
It’s a good driver for things that we kept talking about doing that would make us more secure, but somehow never got around to doing. And we were able to go: "We've got some budget, we've got time to make sure that our GDPR project is successful, let's use this as a positive thing throughout the business and for all kinds of other reasons."
The IT people love it when we go: "We're going to collect less information from customers." That means they have less data they have to protect. It saves us money as a business. So it was good to use GDPR as an excuse to not just improve our security, but to make changes in policy through a lot of parts of the business.
That's my advice to others if they're looking at any kind of compliance.
What exactly has Sophos done to comply with GDPR?
We’re completely changing tons of policies, especially those affecting the marketing team, which always wants to gather lots of information for prospects. While we know we need to do that as a business, we also have to be very careful to be sure we're doing it properly.
Even though Sophos is in security, it doesn't mean we're any better at it than anyone else. We all have the same challenges.
The first year of preparation was pretty much just spent identifying all those assets. Where have marketing teams been storing that information and is that good enough? Do we need to move it? Do we need to delete it too? What do we need to do?
But now that we've gathered all that, it was much easier for us to put our plan in place and for the C-level people to go: "We're going to outsource this [particular process] to a data processor who can certify that they're compliant with GDPR."
So, for example, we're moving to [cloud-based] Office 365 [from the on-premise Microsoft Office version]. Instead of having 25 people manage our Exchange servers, we'll now have 25 people who can actually help us improve our data security and our asset management.
There must be other processes that can be outsourced to GDPR-compliant service providers.
We use Salesforce.com [for customer relationship management]. And we use Concur for our travel & expense management. I think those are about it at the moment. Those are things that we're not experts at, so that [outsourcing] makes sense to me.
Obviously, our internal software development and source code management is all done internally by our own teams. While there are services that are offered in the cloud for those types of things, not only would we not entrust something as sensitive as the code to our products to an outside provider, but the customization that's gone into making those things work for our business means it's better off that our experts build our own systems for those things.
You have to be very careful about who you outsource to.
If there's a provider that can do it better than you, then you should do it . . . Microsoft probably is way more secure than even we are, because they built the product and they've got an amazing security team over there. Same with Salesforce.
Some of these companies, they've been audited by every major auditing firm in the world. They really focus on security. If the company that you can outsource to has more security resources and is more experienced in securing the data in that area than you do, then it's a good thing to consider, because you'll free up your own resources.
But every business is unique and has some strange thing about how they do business and manage data and the only people that will know that well are the people that work at your company. So those unique things you can't outsource.
You want your own staff working on those problems because they really need to understand how is it that your manufacturing company gets orders from the customer to the assembly line, for example. That's specific to your business, no matter what your business is.
So is Sophos totally compliant now?
I don't recommend anybody brag about being compliant because that's when something bad happens.
On the other hand, I'm hoping that it turns out to be an advantage to many businesses to be able to say: "We're compliant with this and that should mean that we're more trustworthy to do business with than someone else."
How much did you need to spend on all of this? CFOs would want to know.
I have no idea. I'm not a numbers person. I couldn't even tell you how much our products cost. I know that they cost enough that they can afford to pay me.
Right now it's going to be a lump of money because you've got to bring some consultants in and that's always expensive. But in the long run, hopefully it should lead to a better optimized data infrastructure within your organization.
Most of us designed our data collection randomly 20 years ago. We know a lot more about doing it now. So it's a good time to bring it up to modern standards and throw away the old stuff, to move forward in a clean manner.
I think it's a good way for the organization to get some operational efficiency. If you're going to spend all this money on all these auditors and all of this worry about protecting this data, while you're at it, if you're getting rid of unnecessary data and simplifying your processes, you're going to save money in the end.
It seems a stretch for companies outside Europe to worry about being prosecuted. Isn’t it more likely that regulators would look within EU borders first?
If somebody gets punished and it's a global news story, everybody that it touches will probably start taking it a lot more seriously. If they wait a long time before the first punishment, I think people will just ignore it.
GDPR is incredibly complicated. In some areas in the law, it says that it applies to European citizens, which implies that even when they're abroad, it would protect them. In other areas it says European residents, which would include non-citizens, but only when they're in Europe.
And then there's another area of the law that refers to European persons, which means you wouldn't even necessarily have to be a resident. As a visitor, you would be protected if you were in Germany, but when you leave you wouldn't.
The only way we'll be able to tell if [GDPR] works or not is a couple of years from now, once it's been out there.