The European Union’s General Data Protection Regulation (GDPR), focused on the rights of individuals to protect their identities, came into effect one year ago today. What’s it been like for security analytics companies subject to the GDPR since then? And what lies ahead?
In the leadup to the regulation’s May 25, 2018 launch, there was rising anxiety in the boardrooms of companies with EU-based customers and/or workers, as it became clear the bar for compliance would be set very high and the fines and penalties for non-compliance would be onerous.
In the intervening year, GDPR enforcers have had an unexpectedly soft touch. Perhaps recognizing the widespread panic the GDPR generated (or more likely because many of the regs were downright confusing) regulators took a mostly advisory approach, offering guidance on how companies could comply rather than bringing the hammer down straight away.
That said, an estimated 100 companies were penalized — including Google, Facebook and a clutch of lesser-known companies in Poland, Germany, Portugal and Denmark — but most had either improperly collected personal data or carelessly exposed it.
Security analytics firms were particularly focused on making sure they complied with a provision known as the right to explanation, one of eight citizens’ rights enshrined in the GDPR. Spread across three articles and a recital, the measure gives citizens the right “not to be subject to a decision based solely on automated processing” that “significantly affects him or her”; the right “to obtain an explanation of the decision reached… and to challenge the decision”; and the right to know what personal data a company is using and how it’s being used. Additionally, the data controller must provide the subject, at the time his or her personal data is obtained, with “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing” for the subject.
We have argued consistently that the right to explanation is a good thing. Many machine-learning systems and similar ‘black-box’ solutions are incapable of explaining to users and subjects why a particular decision — say, to deny a loan or launch a corporate insider-threat investigation — was made.
The EU was correct to make fixing that shortcoming a core goal of the GDPR, even if the right to explanation has apparently not been a factor in EU regulatory actions to date. Individuals have an inherent right to privacy, and companies investigating those who may be planning to harm the organization or sabotage its system or steal its data should be able to articulate exactly why their security analytics solution flagged up the individual for investigation in the first place.
So what will the next few years look like for GDPR enforcement?
The International Association of Privacy Professionals estimates enforcement actions in the past 12 months have resulted in over $62 million in fines paid; there have been 64,000 data breach notifications and 94,000 individual complaints. More than 375,000 organizations are known to have registered data protection officer, with by far the most in Germany. (The actual number EU-wide is estimated to be closer to 500,000.) Expect those numbers to go up.
Security analytics companies should not be lulled into believing they will get the same pass as they did in Year 1. Efforts to make algorithmic decision-making more transparent should continue, despite the reported drop-off in board attention and buy-in, and uneven enforcement across different EU countries.
For all of its concrete effects, the GDPR is most notable for having raised awareness of data privacy, not just within EU borders but worldwide. Some non-EU countries are now aligning with the GDPR. Early this year, Japan became the first to have its data protection regime declared “adequate” — in effect a GDPR proxy. Other countries are expected to apply for adequacy recognition or have already aligned their data privacy regulations closely with the GDPR, including Switzerland, Norway, Iceland, Liechtenstein and Brazil.
It is highly unlikely the U.S. will be one of them in the near or medium term, at least not at the federal level. That said, individual states seem to be leaning in the direction of adopting GDPR-like regulations. Most notable is California, with its California Consumer Privacy Act (CCPA) coming into effect on January 1 of next year.
In other words, treat GDPR as an EU-based harbinger for things to come in parts of the U.S. and in other non-EU countries. Even if it takes years to get there, the time to prepare for compliance is now.
# # #
Note: Want to know more about how the Haystax for Insider Threat solution fully meets GDPR requirements for the right to explanation using multiple artificial intelligence techniques? Contact our sales team through firstname.lastname@example.org or visit www.haystax.com for a demo.