The General Data Protection Regulation, the European Union’s effort to give individuals more control of their personal data and to level the playing field for businesses handling that information, has been met with applause, criticism, and not a few raised eyebrows.
Under GDPR, a person in one of the EU countries has the right to know how a company collects, processes, and protects their personal data, as well as the right to request that the data be erased when it is no longer needed for the purpose it was collected for.
The regulation applies to companies established in the EU, and to companies outside the EU that offer goods or services to people in an EU member country or that “monitor the behavior” of those people (as social media platforms do).
We asked several MIT Sloan cybersecurity experts to weigh in on what they’ll be watching in the first year of the regulation.
Unsolvable problems
MIT Sloan professor and founding director of Cybersecurity at MIT Sloan Stuart Madnick wonders if the GDPR’s benefit to citizens outweighs the cost and effort for companies to come into compliance with the regulation.
“I don’t think anybody necessarily intended for it to be good for business,” Madnick said. “The question is whether citizens appreciate what’s being done for them or not.”
Perhaps companies that offer GDPR-related services are seeing benefits, Madnick said, but other companies may be spending their time and money figuring out how to comply with the national data protection laws that each EU member state has layered on top of GDPR.
Although GDPR is a regulation that applies directly in every member state, it leaves a number of points to national law, and member states have passed their own supplementary data protection acts.
“The laws get made, which may not necessarily be exactly the same,” Madnick said, adding how those laws are interpreted and implemented isn’t always clear nor the same as other countries.
This can get tricky for businesses that have multiple international offices and are trying to comply with GDPR. Depending on a country’s particular application of the directive, a company might decide to write off that office if the investment required by a particular country is deemed too high, Madnick said.
Madnick said he’s also interested in whether those different regulations will be at odds with each other across nation-state lines.
“Just imagine in a criminal investigation, a company being asked to give cell phone records of someone, which may be a legal requirement in one country, but may be violating either GDPR, or GDPR-like regulations for another country,” Madnick said.
In a similar vein, while the GDPR requires companies to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, some American law enforcement agencies prefer that companies delay public disclosure of an incident while officers attempt to track down the attacker before they flee.
Madnick also pointed out potential flare-ups between the GDPR and blockchain technology.
The whole idea behind blockchain is to be able to trace back a verified sequence of events. But what happens when someone involved in that sequence of events wants to be forgotten?
“The whole premise of blockchain is that once it’s set in stone, it’s set in stone and not reversible,” Madnick said. “I’m not saying all these things aren’t solvable, but they’re not easily solvable, and maybe not solvable at all.”
It’s not just about compliance
Keman Huang, a researcher at MIT Sloan and research scientist with Cybersecurity at MIT Sloan, said his concern stemmed from the baseline requirements the GDPR gives companies for protecting customers’ data.
“The internet grows so fast, and cyber defenses, cyber offenses, they change a lot,” Huang said.
Huang said companies that focus only on meeting today’s GDPR requirements will eventually find their security practices, and their customers’ data, overtaken by changes in the threat landscape and by future regulation.
Huang advised companies to make data protection part of their top-down business strategy, not just a temporary compliance exercise.
“If you’re a business, do not consider GDPR first, think about your business strategy,” Huang said. “Try not to just consider it as a regulation or compliance issue.”
A company should have a process for complying with new, and future, regulations; if each new regulation is handled as part of a dynamic business process rather than as a one-off project, a company might find it already meets many of the requirements and can cut the cost of compliance.
Government versus industry
According to the regulation, the most serious infringements can result in a fine of up to 20 million euros or 4 percent of a company’s total worldwide annual turnover, whichever is higher.
“It’s onerous,” said Lou Shipley, a lecturer at MIT Sloan with 25 years of experience as an enterprise software executive. “It's real. You can't ignore it. You can't say, ‘oh maybe we'll negotiate this.’ When it happens there's going to be kind of public humiliation and maybe it’ll get changed, but it seems to have everyone’s attention.”
But while there might not be negotiation, that doesn’t mean there won’t be pushback.
“Let’s just say it happens and Amazon’s the one [fined]. You don’t think they’re going to fight?” Shipley asked. “You don’t think they’ll take on the Europeans? I think what’s going to be interesting is the strength of governments versus companies.”
Who’s to say a government is that much more powerful than Amazon, Google, Facebook, or Apple, Shipley said. What GDPR might do is get the ball rolling on breaking up these giant companies, because they’re getting “too powerful.”
“If it looks like they come down in an unfair way and penalize someone 4 percent of their revenues for something that’s almost impossible to defend against, then I think there’s going to be a pushback on the law,” Shipley said. “I really think that, because I just don’t know how it’s going to be adjudicated. You just don’t know until something happens.”