The deadline for compliance with the European Union General Data Protection Regulation (GDPR) is May 25, 2018. Many organizations have already spent countless hours preparing for the deadline, while other organizations are just getting around to reading up on it.

GDPR, like Y2K a couple of decades ago, has international implications. For some organizations it HAS to be addressed, because GDPR will impact the lifeblood of their operations; for most organizations, some due diligence needs to be done to ensure they are in compliance with the regulation.

GDPR is today’s Y2K

I reference Y2K because I was one of the advisors to the United States White House on Y2K and spent the latter part of the decade before the millennium switchover traveling around the globe helping organizations prepare for 1/1/2000. Today with GDPR, as I did then with Y2K, I believe there are fundamental things every organization needs to do to be prepared for the deadline, but to NOT get caught up in the hype and over-speculation to the Nth degree of detail that’ll drive you crazy.

What is GDPR?

To help those catching up on what GDPR is: the regulation technically went into effect in 2016, and the deadline for compliance is May 25, 2018. The thing that scares people is that fines for non-compliance are up to 20 million Euros or 4% of the company’s prior-year worldwide revenue, an alarming number that gets everyone’s attention.

While there are many tenets to GDPR, I net it down to three major things:

Prevention of “Tracking” Individuals: This is the big thing in GDPR that goes after the big Internet companies (Google, Facebook, Amazon) that gather personal information on individuals, track the websites they visit through cookies, and actively advertise to individuals through that tracked information. GDPR directly addresses the practice and process of gathering information on what individuals buy, sites they visit, and content they’ve searched for, by not only requiring consent but also requiring a clearly stated purpose for WHAT that information will be used for.

Prevention of Retaining Personally Identifiable Information (PII): This tenet is not so new and has been a big piece of legislation around the world to protect individuals’ privacy. GDPR, like other global regulations on PII, sets limits on what personal information can be gathered (name, date of birth, address, etc.), how that personal information needs to be stored and protected, and what needs to be done in the case of a breach.

Cross-Border Transfer of Information: GDPR stipulates that the information of EU residents (citizens, and even individuals who are temporarily working and living in the EU) should remain in the EU –or– if the information leaves the EU, that the target destination for the storage of the information meets specific European Commission approvals.

Of the three major tenets I note for GDPR, the second and third are things we’ve been addressing for some time now with the predecessor to GDPR (the DPD 95/46/EC) and the various privacy/PII laws that are already in effect. So the big thing in GDPR is around the collection, storage, and tracking mechanisms commonly used by Internet organizations for web-based shoppers and social media participants. THOSE are the organizations that have been working very hard the past couple of years already, devising ways to inform, get consent, and handle tracking in a manner that fits within the requirements of GDPR.

Tenets of GDPR

There are other tenets of GDPR that organizations need to address and that are commonly discussed in conversations about GDPR. They include:

Data Protection Officer and Vendor Management: GDPR stipulates that organizations impacted by GDPR need to have a Data Protection Officer identified and have a process for vendor management as it relates to GDPR. This individual will have the role of overseeing compliance with GDPR internally and with vendors/suppliers.

Codes of Conduct: GDPR requires organizations to have stated codes of conduct covering how data will be extracted and used, the timeframe for use, how the organization will protect the privacy and rights of the individuals the data was extracted from, and how users are provided the right to request that “their data” be purged.

Data Profiling / Data Consent: As noted previously, GDPR has tight rules on using data to profile individuals where that data can be directly associated back to a named individual. Use of identifiable information (like cookies) requires explicit consent.

Cross-Border Transfers: Also as previously noted, GDPR has tight rules on EU data remaining in the EU –or– that the target destination of EU data complies with the same standards expected of information stored in the EU.

Data Portability: GDPR has a data portability tenet that allows users to request that their information be “moved” to another provider. Just like phone number portability in the United States, which allows an individual to keep their phone number as they switch from one carrier to another, GDPR data portability gives users the right to request that their emails, photos, documents, and the like be transferable.

Pseudonymizing of Personal Data: Fancy word, but effectively the randomizing of data so that it cannot be attributed back to any particular individual, effectively making the data anonymous. However, GDPR does stipulate that just because the data is randomized doesn’t allow an organization to collect and use the information as they please. GDPR has stipulations that require an organization to justify why they are collecting the information, what they plan to do with the data, and with clear definitions of how the data will be eliminated when those stated purposes are no longer valid or applicable.

Data Breach Notifications: GDPR tightens the timeframe in which cybersecurity breach notification is made, with requirements for notification in as little as 72 hours from an organization being made aware of the breach. There are some variations to this notification: individuals need to be notified if information that can be attributed back to them (personally) has been breached; however, if the information has been pseudonymized, only the European Commission needs to be informed.

GDPR for enterprises (not web/social media providers)

With much of the heft of GDPR focused on web/social media providers (Facebook, Google, Amazon, etc.), the common question for enterprises (corporations, small businesses, companies headquartered in or out of the EU) is: what does a typical business need to think about relative to GDPR?

First of all, GDPR is not a bigger thing nor a smaller thing based on the size of the enterprise. The requirements of GDPR are the same no matter the size, where the organization is headquartered, or the type of industry the organization is in. GDPR also applies to every organization that does business with companies in the EU, has employees who are citizens of the EU, or even has employees who are foreign citizens but are residing and working in the EU. So the umbrella of who has to comply with GDPR is pretty broad.

A common question is whether an email system hosted in the United States can fit within GDPR requirements. For organizations that have migrated to services hosted by Microsoft (like Office 365) or Google (G Suite), both Microsoft and Google have officially stated their cloud services WILL be GDPR compliant before the May 18, 2018, deadline. The way these services will be compliant is that the European Commission has already approved and adopted the EU-US Privacy Shield.

While GDPR does not specifically refer to the EU-US Privacy Shield, it does explicitly acknowledge the current requirements for Binding Corporate Rules (BCR) for processors and controllers. BCR confirmation is acquired by having auditors validate and certify compliance for organizations in their movement of data globally. The EU-US Privacy Shield fits within these certified Binding Corporate Rules deemed acceptable for GDPR, as it allows the European Commission to conduct periodic reviews to assure that an adequate level of data protection exists in the cross-border transfer of data. What remains for these cloud providers is a formal “sign-off” that they do indeed meet the provisions of GDPR, which is anticipated to be approved without resistance.

Note: On the topic of cross-border transfers, one might hear that the most common cross-border certification, “Safe Harbor,” has been invalidated for GDPR; that is true. On October 6, 2015, the European Court of Justice invalidated the US-EU Safe Harbor Framework. However, Binding Corporate Rules (BCRs) do remain valid.

Additionally, organizations can rely on Standard Contractual Clauses (SCCs) that are approved by the European Commission. SCCs are agreements between the EU data exporter (e.g., an EU subsidiary) and the data importer (e.g., a US parent company or service provider) on the handling of cross-border transfers. Large enterprises are seeking certification under SCC approvals so that they can move corporate data between corporate offices and datacenters around the world.

The SCC validations are not easy to acquire, as they require an audit of the data management, security, handling, and processing of information throughout an enterprise. However, once an enterprise has an SCC, it can more freely move information throughout the organization.

Handling GDPR for internal documents and content

A common question from enterprises is whether email messages and business documents fall under the requirements of GDPR. The answer is generally no: a business document is a business document, for the purpose of conducting the business of the organization. Of course, if the document includes the names of employees, their home addresses, their mobile phone numbers, and other personally identifiable information, then the document falls under GDPR as well as other existing laws and regulations on information privacy.

However, a business contract, marketing materials, client documents, architectural drawings, and the like, exchanged during the normal course of business, are not “personal documents” embedded with “personal data” for non-legitimate business uses.

The KEY to handling internal documents and content, to ensure the documents do not contain content subject to GDPR or other PII-restricted regulations, is to use content classification. Technologies built in to Microsoft’s Office 365 have the ability to scan content (emails, documents, memos) and auto-classify the content as appearing to include PII (birth dates, social security numbers, etc.).

By auto-classifying the content, policy rules can be applied to the content that allow the creator of the content to choose who can access the information. Giving control to the originator of the content satisfies the requirements of GDPR by giving the content owner free and direct control of the content and of whom the content can be shared with.

Can employers force employees to give consent for their PII?

The short answer is NO. GDPR is very clear that consent is not valid unless it is “freely given, specific, informed, and unambiguous.” That means an employee cannot be reprimanded nor discriminated against for choosing not to consent to blanket policies. This is why content classification becomes so important: it enables an organization to require users to provide consent, classify, or reclassify content as they deem appropriate on a case-by-case basis.

Collecting and handling employee and customer information under GDPR

GDPR is clear that an organization needs to provide users, visitors, and employees detailed information on what data is collected and how it will be used. Obviously this first assumes that personal information about an individual is being collected in the first place.

Some simple, common business applications, like the web browser an employee uses, likely have cookies enabled by default and are storing and tracking the web access of the browser’s user; a simple enterprise fix is to set all web browsers to Private or “Incognito” mode. This will prevent cookie tracking and storage of data protected by GDPR. A user can be allowed to turn off Private mode if they choose; that will be their decision and their personal consent to having content potentially tracked.

In the normal (historical) course of doing business, organizations do collect personal information on employees necessary for the transaction of a normal employer/employee relationship. Things like home addresses (to mail legal notices and end-of-year tax statements) and bank information (to process payroll and employee benefits) are commonly collected by employers. This information is necessary for an employee to get paid and receive benefits, and as long as the organization only uses the personal information of an employee for the stated purposes of payroll and direct benefits, then the organization is well within the bounds of complying with GDPR. At that point, the organization needs to adequately store and transfer that information in a secured manner to prevent the breach of PII, which organizations can do with content classification and document encryption technologies readily available in the marketplace.

Where there is a grey line on GDPR compliance of employee data is when employee information is used to process, for example, an employee’s travel arrangements (booking flights, rental cars, etc.). While the processing of these arrangements is in the normal course of business, not all businesses nor all employees within a business travel and have these services provided for them. As such, it is prudent that an organization clearly notify its employees and get clear consent from the employee that the organization will use personal employee information to make travel arrangements.

The two key provisions to accommodate variances of this type are to allow an employee to reject the organization’s involvement in making travel arrangements (i.e., giving the employee the GDPR-given right to object) AND for the organization to allow the employee an alternative for travel arrangements (which might include allowing the employee to book their own travel with a clear reimbursement policy). Many organizations already provide these options, but for some organizations that have a very strict travel office process, there may be changes needed to fully comply with the consent provisions of GDPR.

The result of this type of scenario, where an employee objects to a process that is deeply grounded in an organization’s transactions and might not be flexible, is that the organization potentially puts itself in default of a provision of GDPR. As with compliance with all laws, organizations have provisions for risk management. If it is cheaper/better for an organization to fight a violation or failure in accommodation than it is to change a deep-rooted process, then the organization may just stay its course. Since this fits a grey area in GDPR, where GDPR does not explicitly state that an organization cannot use personal employee data to make travel arrangements, it would be up to the European Commission to bring suit against the enterprise.

The key for the organization is to ensure that its actions remain consistent with the legitimate interest and efficiency of the business, and that the organization isn’t using the personal information to sell to some organization that’ll then profit by marketing or advertising to the employees. Before financial damages will be assessed on an organization, someone will have to identify that the organization worked in malice and with disregard for employee privacy by making centralized travel arrangements for employees.

Summary

GDPR is targeting the blatant breach of privacy for financial gain by organizations using technologies like cookies, data extraction, user tracking, and the like for the purpose of marketing or selling services for financial gain from user data. GDPR seeks to protect against and prevent the breach of personally identifiable information by preventing organizations from collecting the information in the first place, and then by making sure to protect the information (and actively delete the information) when the stated purpose has expired, to minimize future exposure to data loss.

Through awareness of what GDPR is, what falls under the general protection of GDPR, and the use of modern technologies like auto-content classification, labeling, and content management, organizations can create stronger security controls, minimize and prevent the breach of information, and ensure the proper management of protected data through the technological solutions available.
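The content-classification control recommended in the section on internal documents (scan content, auto-label it as containing PII, then let the originator decide who may access it) is shown below as an added example. It is not the article's code and not Microsoft's Office 365 implementation; the three detection patterns, the two labels ("PII" and "Business"), the owner-only sharing rule and the sample memo and contract text are all constructed assumptions made for illustration.

```python
"""Added example (not from the original article): a minimal PII
auto-classifier with an owner-controlled sharing policy, in the spirit of
the content classification the article recommends. Patterns and labels
are illustrative assumptions, not Office 365's real rules."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed detection patterns (assumption: a production classifier uses
# far richer rules, proximity keywords and confidence scoring).
PII_PATTERNS = {
    # US SSN in NNN-NN-NNNN form, excluding a few never-issued ranges
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # A date, only when introduced by a "DOB" / "date of birth" label
    "date_of_birth": re.compile(
        r"\b(?:DOB|date of birth)\s*[:\-]?\s*\d{1,2}/\d{1,2}/\d{4}\b",
        re.IGNORECASE,
    ),
    # Email address
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def classify(text: str) -> dict[str, int]:
    """Return a count per PII type found in the text; types with no hits
    are omitted so an empty dict means 'no PII detected'."""
    counts = {name: len(pat.findall(text)) for name, pat in PII_PATTERNS.items()}
    return {name: n for name, n in counts.items() if n}


@dataclass
class Document:
    owner: str
    text: str
    label: str                      # "PII" or "Business"
    findings: dict[str, int]
    shared_with: set[str] = field(default_factory=set)


def label_document(owner: str, text: str) -> Document:
    """Auto-classify on creation: any PII hit makes the document owner-controlled."""
    findings = classify(text)
    label = "PII" if findings else "Business"
    return Document(owner=owner, text=text, label=label, findings=findings)


def share(doc: Document, actor: str, recipient: str) -> None:
    """Only the content owner may widen access; anyone else is refused."""
    if actor != doc.owner:
        raise PermissionError(f"{actor} is not the owner of this document")
    doc.shared_with.add(recipient)


def can_access(doc: Document, user: str) -> bool:
    """Business content is readable by any user in the tenant; PII content
    only by its owner and the people the owner explicitly shared it with."""
    if user == doc.owner:
        return True
    if doc.label == "Business":
        return True
    return user in doc.shared_with


# Constructed sample content (fictional people and identifiers).
EMPLOYEE_MEMO = (
    "Onboarding file for Jane Doe. DOB: 04/12/1985, SSN 123-45-6789, "
    "personal email jane.doe@example.com"
)
CONTRACT = (
    "Master services agreement between Contoso Ltd and Fabrikam Inc; "
    "term 24 months, fee 12,000 EUR, governed by Irish law."
)

if __name__ == "__main__":
    memo = label_document("hr.manager", EMPLOYEE_MEMO)
    print(memo.label, memo.findings)          # PII {'ssn': 1, 'date_of_birth': 1, 'email': 1}
    print(can_access(memo, "colleague"))      # False until the owner shares it
    share(memo, "hr.manager", "payroll.clerk")
    print(can_access(memo, "payroll.clerk"))  # True
    print(label_document("sales", CONTRACT).label)  # Business
```

Two points a practitioner would want to keep in mind: pattern-only detection produces both false positives (any NNN-NN-NNNN string) and false negatives (an SSN written without dashes, a birth date with no label), which is why commercial classifiers add checksum validation, nearby keywords and confidence thresholds; and the label is only useful as a trigger, so in a real deployment the "PII" label is what drives encryption, retention and deletion policy rather than just the access check shown here.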