Finding a Good Place to Start for GDPR Compliance

Written by HITRUST Independent Security Journalist Sean Martin

The General Data Protection Regulation (GDPR) has received a ton of attention as the May 2018 date looms ahead. Even with a lot of attention paid, it still drums up a lot of confusion and angst. This simply means that more time needs to be invested to ensure a proper understanding is gained before actions are taken—or avoided.

If one were to compare GDPR against existing US privacy laws, GDPR-like requirements essentially exist in one form or another at the individual state level as well as at the federal level. HIPAA, FISMA, Do Not Call, and the Fair Credit Reporting Act are all examples.

GDPR, however, takes several leaps forward from where the US regulations are today. GDPR is truly a one-size-fits-all regulation—every industry regardless of location, and every user in Europe is impacted; either regulated by it or protected by it, respectively. This isn’t to suggest that every company in the US has to be compliant, but every company should do its own due diligence to determine whether it needs to comply or to keep its data out of scope.

Broader Scope Than US Regulations

Speaking of scope, the EU’s GDPR is much broader in scope than US regulations, especially when it comes to privacy mandates. GDPR essentially covers every industry and every individual in Europe; the regulation applies, and the only question is how the impacted company chooses to handle its data. By contrast, in the US, there could be 10 companies with completely different sets of laws and different issues they are faced with when it comes to regulations.

Some might need to adhere to HIPAA and the Statewide Health Information Exchange for New York (SHIN-NY), for example, whereas others might need to meet HIPAA and PCI DSS requirements. As these two examples show, the differences can be determined by industry, business type, business location, and more. Furthermore, one set of systems and data might fall into scope for some companies while different types of systems and data might come into question for others.

To put this into perspective, GDPR is less about the systems and more about the methods with which the information is being collected and stored, the business processes surrounding the use of the information, and the data flows with which the data is accessed and shared. The regulation covers everything—the data itself; the context in which the data is collected, stored, used and destroyed; the controls used to enforce access control and use policies; and the evidence required to prove compliance.

Greater Complexity Too

The EU has had privacy regulations for nearly 30 years, but GDPR’s new rules are very specific, comprehensive and more complex. When compared to US security-centric laws, such as HIPAA and PCI, GDPR is much more privacy-centric. But comprehensiveness and scope do not necessarily make it straightforward to implement. If a regulation is complicated and detailed, it is hard to enforce.

“This is GDPR version 2.0, and it’s on steroids,” said Kirk Nahra, a partner at Wiley Rein, one of the largest Washington DC law firms, with a focus on helping businesses comply with various regulations. During an interview, Nahra also added, “GDPR comes with broader applications, broader reach and significantly more complicated restrictions. It affects EU organizations AND entities around the globe doing business in Europe.”

An Intermediate Step Towards Compliance

Let’s take an example to put into perspective the fear mongering that anyone who touches an EU citizen needs to be GDPR compliant. As described by Nahra, we will use a hospital to illustrate the point.

“If there is an EU citizen who happens to be brought into the emergency room, GDPR does not apply to that hospital even though they are treating an EU national,” said Nahra. “On the flip side, GDPR affects any company that markets to and has relationships with EU citizens.”

An important provision of GDPR is that data cannot leave a business entity unless the receiving party is an appropriate recipient. The US today is not an appropriate recipient since US laws are not strong enough according to GDPR regulations.

Enter the Privacy Shield program, a pre-negotiated agreement between the US and the EU that, per Nahra, allows companies in the US to take an intermediate step toward compliance. Imagine a multi-national company that manages a global workforce including EU employees. It can comply with the Privacy Shield program to get permission to send data back and forth with its European offices.

Any non-EU enterprise or service provider doing business in Europe needs to go through Privacy Shield compliance checks. But at least that’s easier than complying with GDPR! It also makes it possible to prove to European customers that a US company is able to conduct business with them. That’s key to keeping existing markets open.

The Impact on Small Vendors

How are smaller vendors going to be impacted by the GDPR? A consultancy doing business with a US hospital or a doctor should not be impacted by GDPR. But if an insurance brokerage wants to provide global medical coverage to a global company that operates in the EU, it would need to provide support for employees worldwide, including Europe; it is thus subject to GDPR.

The same would be true for a pharmaceutical company that conducts clinical trials in Europe. Small vendors providing services to US healthcare companies that are connected with European citizens are thus also subject to GDPR. They may need to be selective about doing business with clients that are global. If the cost of becoming GDPR compliant outweighs the benefit, then maybe the business is not worth it.

This said, GDPR isn’t just about small vendors. In fact, it could impact any organization that simply uses website tracking cookies or otherwise monitors the behavior of EU citizens on its website.

A Resource to Turn To

“One of the more difficult components of GDPR is the right to be forgotten, which means companies must delete all data they have on a customer upon the customer’s request,” said Nahra. “For a large global company, just finding every system where they have stored a customer’s data will be a big challenge.”

And this is a challenge that must be met, similar to the other regulations and standards organizations are adhering to. Organizations both inside and outside the healthcare industry that are leveraging the HITRUST framework and its supporting programs already have the tools they need to begin to comply with the requirements of GDPR.

“If you comply with the HITRUST framework, you won’t be 100% compliant with GDPR, but you will be well on your way,” Nahra said. “And HITRUST is working to expand the privacy controls, which will get you even closer.”

To help US organizations comply with GDPR, the HITRUST CSF is focusing its privacy requirements on generally accepted privacy practices rather than industry- or regulation-specific requirements. HITRUST has integrated privacy requirements from GDPR into its core privacy requirements framework to the maximum extent possible. HITRUST has also placed industry- or regulation-specific requirements that may be considered beyond generally accepted privacy practices into separate industry segments in the HITRUST CSF.

“The HITRUST team has made, and continues to make, great strides in creating a framework that allows companies to comply with all major regulations across all industries,” added Dr. Bryan Cline, VP of Standards & Analysis at HITRUST. “GDPR could be seen as an overwhelming venture, but our aim is to help ensure privacy throughout the healthcare supply chain through further improvements to the HITRUST framework and its supporting programs and help ensure organizations can meet the demands of the GDPR along with all the other regulations and standards for which they are already investing time and resources to meet.”

Most companies are taking GDPR very seriously because it’s just too risky to ignore the regulation. Data protection officers assigned by the EU will be on the lookout to prosecute cases relating to privacy issues, and the fines are severe: 4% of global revenue or €20 million, whichever is higher.

This is exactly the type of fine that every organization needs to avoid. While compliance may not be required, it’s best not to leave it to chance to find out. And, if compliance is in the cards, why not perform your assessments and audits as part of your existing assurance and compliance programs as a means to maintain consistency and reduce unnecessary expense?