There was a conference in NY this week hosted by The Wall Street Journal on cybersecurity. They published a separate section in the NY edition of their newspaper entitled WSJ PRO REPORT – CYBERSECURITY. It is a worthwhile read if you can get your hands on a copy.
This post is a follow-up to my December 3rd post ‘GDPR is coming. Are you ready?’. The consensus at the WSJ Cybersecurity conference is ‘NO’: the vast majority of US companies are clearly not paying attention at all. The gist can be found in the WSJ article from the section cited above, titled ‘Here come the EU Rules’. I recommend you read it.
If you would like to discuss GDPR, or other cyber exposure concerns you may have, drop me a line at email@example.com. You might also consider taking my new series of courses on GDPR titled ‘GDPR Essentials for Risk Managers’, which will be available at the Global Risk Academy in January: https://globalriskacademy.com/p/gdpr
Be Safe and Be Secure. See a short retelling of the WSJ article below.
Europe’s Upcoming Privacy Mandate Brings Strict Rules, Hefty Fines
U.S. companies generally are unprepared for coming restrictions regarding how they may handle the personal data of Europeans
By Kim S. Nash Dec. 18, 2017 5:16 p.m. ET
NEW YORK–U.S. companies generally are unprepared for coming restrictions regarding how they may handle the personal data of Europeans, according to privacy experts speaking at the WSJ Pro Cybersecurity Conference here.
The European Union’s General Data Protection Regulation, or GDPR, tightens rules that govern how companies can collect and use information about individuals in Europe. Firms that do not comply with the GDPR’s 99 articles, which are due to go into effect next May, will be subject to fines of up to 20 million euros or 4% of global revenue, Ajay Arora, co-founder and CEO of Vera, told a crowd of cybersecurity executives who gathered Wednesday.
“Penalties are so onerous,” he said, “there’s strong impetus” for senior executives to understand how they treat customer and employee data.
Privacy “has become a trade issue, a market issue,” said Justin Antonipillai, founder and CEO of WireWheel, which provides data privacy services.
GDPR includes how companies must gain informed consent to store and use an individual’s data, and how, and how quickly, companies must respond to requests to remove someone’s data. Some companies might be required to hire an outside auditor to assess GDPR compliance, said Mr. Antonipillai, former acting under secretary for economic affairs at the U.S. Department of Commerce in the Obama administration.
Companies are subject to the regulation whether or not they have significant operations in Europe, he said.
A GDPR provision that will require significant process and technology changes for U.S. companies, he said, is a requirement to notify officials and, in some cases, customers and employees, of a data breach within 72 hours of discovery.
A company must identify the kind of breach, whose data was affected and the kind of information compromised. “This is why data flow mapping is so critically important,” he said. “If you’re the one who has the customer relationship, you’re responsible for making sure the entire chain that has access to that can let you know in 72 hours. It’s on you.”
Rules in some countries, including France and Germany, are more restrictive than in others. Privacy and security officers, as well as company attorneys, should develop relationships with local regulatory officials to understand their expectations, Mr. Arora said.