How tech giants are preparing for the EU GDPR

Over the past few months, Google has started allowing its users to choose which data they share through its various products. The Google Dashboard introduces privacy controls that help users see and manage their data in each registered account.

Amazon is improving its Cloud storage service data encryption and has simplified its customer agreement for processing personal information. Meanwhile, Facebook has unveiled its new global data privacy center — a web page that allows users to specify core privacy settings, such as who sees their posts or what types of ads they receive.

These tech giants are conducting due diligence when it comes to protecting consumer data, but a main driver for the emboldened cybersecurity efforts is the EU General Data Protection Regulation (GDPR). The Regulation is forcing US organizations to reconsider how they manage the privacy of consumers’ personal data.

The GDPR’s requirements were approved in late 2015, and compliance is mandatory from May 25. The Regulation holds organizations around the world accountable for any EU resident’s personal data they process. Failure to comply can result in fines of up to 4% of annual global turnover or €20 million ($27,607,000) – whichever is greater.

The GDPR places restrictions on the types of personal data companies can collect, store, and use, which include:

  • The “right to be forgotten” clause, written into European law so a person can request that an entity removes online data about them
  • A rule that anyone under the age of 16 must obtain parental consent to use popular digital services and apps

Tech giants demonstrate varying degrees of GDPR preparedness

With the clock counting down to May 25, Silicon Valley’s tech giants are at different stages of readiness for the GDPR. Facebook and Google, for example, have enlisted several hundred people to better understand the Regulation. According to Doug Kramer, general counsel of Cloudflare, an Internet performance and infosec company based in San Francisco, “Every person who works for us has, in some way, been involved in preparing the company for GDPR.”

Many companies have been forced to rethink how they allow users to adjust their own privacy settings. Some have set restrictions on how much data certain products absorb. Others have removed products completely (at least from the European market) because they might violate new GDPR privacy rules.

Notwithstanding the GDPR, Facebook, Google, and other company officials have said that they were already considering ways to give users greater control over their data. This is a change from past responses to privacy rules. Formerly, many organizations expressed hostility, for example by withdrawing offerings from particular regions to avoid the product redesigns that meeting privacy requirements would have demanded.

Large-scale internal change at organizations working to understand the GDPR

Gilad Golan, Google’s director for security and data protection, said that Google will be ready for the GDPR and will be introducing new security features. He also said that the GDPR’s mandates, which give Europeans control over how their digital data is organized, have posed a challenge. Google has updated a number of apps – from Gmail to its Cloud storage services – to ensure compliance. The new rules require individuals to give organizations consent before those organizations access their data. These mandates have forced Google to redesign its consent agreements and the underlying technology to allow more flexible data handling.

Facebook proactive in its GDPR preparation

Facebook has made several adjustments to address GDPR compliance. Its privacy center should create the momentum needed to continue financing products and educational tools for privacy protection. Rob Sherman, Facebook’s deputy chief privacy officer, announced that the social network has held “Design Jams”, where designers and engineers are invited to reimagine products featuring greater user control of their online data. Facebook is also holding back from releasing certain services in Europe that may violate GDPR mandates.

In November 2017, for instance, Facebook refrained from releasing a program in Europe that uses artificial intelligence to detect self-harm behaviors, such as suicide. The program requests permission to access users’ sensitive health data, i.e. their mental state. Facebook is also holding back the release of facial recognition software in Europe.

Amazon is also changing its approach to information security and privacy management. In April 2017, the company said it would strengthen its data encryption on its Cloud storage services. It also reaffirmed user rights to store their data where they want – in Europe or otherwise.

It is critical to prepare your organization for GDPR compliance

Now more than ever, organizations must have effective cybersecurity measures in place – not to set themselves apart, but to ensure they are compliant with major regulations. Implementing an information security management system (ISMS) that mitigates data breach risk is one way. Businesses can gain ISO 27001 certification, demonstrating that they have taken adequate measures to safeguard their data using best practices.

IT Governance is a global leader in cybersecurity compliance training, advisory, and information. Its accredited, practitioner-led course will give you the knowledge and tools to lead an ISO 27001 ISMS implementation project. Learn how to comply with data security regulations, mitigate information security risks, and manage data breach events. Register for the ISO27001 Certified ISMS Lead Implementer Training Course.