GDPR has a global reach
As of May 2018, the European Union’s General Data Protection Regulation (GDPR) applies to any and all companies conducting business within the EU, including those collecting data there, ensuring that EU citizens have the right to privacy. If there is a breach of security, companies must report it within 72 hours, and if a company fails to comply, the fine is up to €20 million or 4% of global annual turnover, whichever is higher.
Many companies, particularly those in the US, don’t realize that they are affected, but GDPR applies to any organization collecting or storing Personally Identifiable Information (PII) of any EU citizen. This includes license plate recognition and surveillance video. For these video streams, companies have to ensure that individual privacy is protected when the video is captured, stored, or shared. The most effective way to do this is with dynamic anonymization, which automatically masks individuals and can be lifted only if an investigation requires it.
GDPR also stipulates that organizations must design secure networks from the ground up, meaning companies need to work with vendors that offer compliant, up-to-date solutions. This poses both an opportunity and a warning for security integrators. If you can ensure your solutions keep clients as safe as possible, particularly with best-in-class data encryption and user authentication, you can capture new markets. However, this also means that you’re required to understand changes in regulation and how they affect your business (and that of your customers).
New year, new privacy law
As of January 1, 2020, the California Consumer Privacy Act (CCPA) governs how companies with customers in the state must store and secure their data. The CCPA generally relates to consumer rights, including the right to request information, the right of deletion, the right to refuse the sharing of data, the right to opt out of their data being sold, and the right to know for what purpose their personal data is being collected.
California is the biggest state by population, but it’s not the only one drawing up and implementing new privacy laws. Hawaii, Massachusetts, New Mexico, and Washington are also in the process of drafting privacy protections. Outside of America, the LGPD is Brazil’s first General Data Protection Law, and it goes into effect on August 15, 2020. South Korea is also close to finalizing an omnibus law similar to GDPR, which would bring together all its existing data and privacy laws.
Staying Protected
Security integrators play a central role in ensuring not only that their customers’ businesses are as safe as can be, but compliant too. Your customers are looking to you to act as the expert in the security realm, and they could assume that you are responsible for consequential damages as a result of a security breach. If you’re not paying attention to the details on the contract you have with your client, the resulting impact from a security breach or data leak may extend to you in terms of liability and financial reparations.
However, contracts can be written to include a stipulation of liability for direct damages from a breach, up to an agreed limit. This limit might be set as a multiple of the contract size, for instance 2x. If the breach results from gross negligence, however, security integrators can be expected to recompense at a far higher rate. It is therefore crucial that you remain up to date with legislation that impacts your clients and explore cyber-liability insurance. You can also engage external certified organizations to help confirm that you and your clients are meeting regulatory standards, for example the European Privacy Seal for GDPR compliance.
Staying protected starts with understanding the regulatory state of affairs and actively building your business with a privacy-by-design mindset. This doesn’t just protect you from possible client breaches, but it also allows you to build a sustainable business in an ever more technologically advanced world.