Is there a privacy statute that has created more awareness about data privacy than GDPR? The General Data Protection Regulation applies to all European Union (EU) member states. It aims to set a high standard for data protection, and to provide one set of data protection rules for the entire EU.
GDPR's 99 articles set forth several fundamental data protection rights, including:
- right to be informed
- right of access
- right to rectification
- right to erasure/to be forgotten
- right to restrict processing
- right to data portability
- right to object
- rights in relation to automated decision making and profiling
GDPR did not introduce any fundamentally new rules. It modernized the principles from the EU's 1995 Data Protection Directive. For the last 5 years, threats of strict enforcement have made headlines. Companies violating GDPR risk fines of up to EUR 20 million or 4% of their global annual turnover. Ireland's Data Protection Commission (DPC) slapped Meta with the largest ever GDPR fine. Illegally transferring personal data to the US resulted in a €1.2bn (£1bn) fine.
We have seen a growing number of enforcement actions. This is not surprising. Complying with key aspects of the regulation remains an operational nightmare. Companies struggle to maintain compliance while enabling innovation. The biggest hurdle is Chapter 5, which regulates the transfer of EU personal data outside of the EU.
Why is this aspect of GDPR so complicated for US companies? Managing data transfers isn't new. But it is nearly impossible for the receiving country, the US, to guarantee adequate privacy rights to EU citizens. Plus, the US has a little-known law called the Foreign Intelligence Surveillance Act of 1978 (FISA). FISA allows the government to conduct targeted surveillance on non-US citizens located outside the US. "FISA requests" can compel US businesses to provide information about their users. This has led EU courts to rule that the US government does not provide adequate privacy protections to EU citizens.
The Privacy Shield or standard contractual clauses ("SCCs") used to simplify data requests. These contracts tried to guarantee a high level of protection for personal data. But they lacked detail on technical controls. So it's no surprise that the government compels businesses to disclose personal data.
Today, US companies are at an inflection point. EU data protection authorities have reaffirmed that data transfers to the US pose a risk to EU citizen privacy. SCCs alone are not enough to ensure privacy protection. Regulators have promised US companies a new EU-US Data Privacy Framework. This should ease legal data transfers between the two jurisdictions. But it remains unclear if this framework will be accepted. It is also unclear which operational privacy protections may remain the company's responsibility.
This raises a question. How can a US business put the appropriate controls in place to reduce the risk of personal data transfers between the EU and US?
Cyera provides visibility and control over where and how companies manage data
Cyera automatically discovers, classifies and protects data across your multicloud data landscape.
This goes far beyond basic discovery and classification. Large language models (LLMs) identify and differentiate between personal and non-personal information. They also highlight when one or more classes are identifiable. Topic extraction also allows us to determine the location data originates from. This enables customers to understand what data is in scope for GDPR. It also shows how it is being managed, who can access it, and the security and compliance policy violations that exist. That facilitates remediation - for data at rest, and as it is being manipulated in real time.
The Policy Engine detects and validates encryption, masking, data zoning, access and more. For example, zoning rules ensure that EU citizen data remains in approved datastores or regions. Data Security Posture Management (DSPM) highlights where data at rest violates GDPR mandates. Data Detection and Response (DDR) flags when data drifts in real time.
Dozens of out-of-the box policies detect and remediate EU citizen data exposures. These empower customers to easily measure and attest to security and privacy controls. And that ensures you can prove to regulators that you take EU citizen privacy seriously.
If you have been looking for a security solution designed and built for the complexities that modern architectures have introduced, look no further. Sign up for a free Data Risk Assessment and let's start building the foundation for holistic data protection. We are helping dozens of businesses resolve GDPR exposures affecting millions of records. On this, the 5-year anniversary of GDPR enforcement, we are standing by to help you too.