EU GDPR vs US: What Is Personal Data?


By Rich Campagna, Chief Marketing Officer, Bitglass

May 25, 2018—GDPR enforcement day—has come and gone with little fanfare (and about 6 quadrillion privacy policy updates), but that doesn’t mean we all know what to do to get into compliance. In fact, some measures put only one third of organizations in compliance as of the deadline, and the linked article refers to UK organizations—what about US organizations that are only now catching on to the fact that they probably need to be GDPR compliant? We thought that contrasting GDPR with typical US regulations and definitions would be helpful.

It’s personal. Or, is it?

First topic, what constitutes personal data?

In the US, when we hear “personal data,” that usually equates to Personally Identifiable Information (PII). PII, according to the CIO of the US Navy, is “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, including any other personal information which is linked or linkable to a specified individual.” This has become an important enough topic that NIST has created a list of specific fields that constitute PII.

GDPR: It’s more than PII

How does this differ from how personal data is defined in GDPR?

Well, according to the GDPR, personal data means “any information relating to an identified or identifiable natural person.”

Side note: In GDPR, “natural persons” are typically referred to as, “data subjects,” which is the least personal and least natural possible way to describe natural persons that I can think of, but I digress…

GDPR clarifies that an “identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

In other words, personal information includes the US definition of PII, but goes much further. In addition to PII, personal information can include IP address (yes, even dynamic IPs with users behind a router doing NAT/PAT), sexual preference, medical prescriptions, occupation, eye color, shoe size and puzzling fandom of the band Survivor.

That’s lesson #1 – personal data, as defined by GDPR, goes far further than the typical US definition of PII.

More to come in future posts…



GDPR Is Coming: Will the Industry Be Ready?

By Jervis Hui, Senior Product Marketing Manager, Netskope

With the impending May 25, 2018, date for GDPR compliance coming up, Netskope worked with the Cloud Security Alliance (CSA) to survey IT and security professionals for a recently released report covering GDPR preparation and challenges. According to one of our recent Netskope Cloud Reports, only about 25 percent of all cloud services across SaaS and IaaS are GDPR-ready. And with the ubiquity of cloud and web services, organizations face steep challenges with just SaaS, IaaS, and web alone, not to mention the myriad of other issues they need to address for the GDPR.

To help better understand the challenges, CSA and Netskope asked over 1,000 respondents questions that covered topics like their ability and confidence to achieve compliance, specific plans and tools being used to meet GDPR requirements, what they consider to be the most challenging elements of GDPR in terms of compliance, and the impact of GDPR on company plans for the adoption of new technologies, provider relationships, and budgets. Key findings of the report include:

  • Eighty-three percent of companies do not feel very prepared for GDPR, with companies in the APAC region feeling less prepared than other regions.
  • Fifty-nine percent of companies are making GDPR a high priority. Even so, more than 10 percent of companies still have no defined plan to prepare for GDPR.
  • Seventy-one percent of the respondents feel confident that their organizations will meet GDPR compliance in time.
  • Thirty-one percent of companies have well-defined plans for meeting GDPR compliance, 85 percent have something in place, and 73 percent have begun executing that plan.
  • The GDPR’s “right to erasure” (53%), “data protection by design and by default” (42%), and “records of processing activities” (39%) were cited as being among the biggest challenges organizations face in achieving compliance.
  • Documentation of data-collection policies (68%), codes of conduct (56%), and third-party audits and assessments (55%) are among the most common tools being used to demonstrate GDPR compliance.

The results seem to indicate that while organizations are in the midst of implementing programs, solutions, and processes to comply with the GDPR, many were still feeling under-prepared as of the survey dates of January 25-February 21, 2018. The interpretation of the articles and how DPAs will enforce the GDPR probably only exacerbated organizations’ feelings of under-preparedness. The good thing is that 70 percent of respondents indicated that they either felt ‘somewhat confident’ or ‘very confident’ that their respective organizations would be ready to meet GDPR compliance by the May deadline.

Across Netskope customers and prospects, we’ve seen many security teams work across their organizations, collaborating with legal, compliance, and technology teams to implement policies and solutions to meet GDPR guidelines. While cloud and web services present more risk vectors for data loss and threats, securing the use of these services allows for continued productivity gains and flexibility by employees. The full GDPR Preparation and Challenges Survey Report contains more information on how organizations are preparing for the GDPR.

Download the full report to get more specifics and see how others compare to your current GDPR plans.