RSA Conference 2018 is starting with a BANG! – the Human Element of GDPR, that is.
Terranova is a key actor at RSA Conference 2018, taking place at the Moscone Center in San Francisco, CA. The event is the largest of its kind. Our team is on-site, engaging security professionals, privacy advisors, and all RSAC attendees in core conversations about security awareness, data privacy, phishing simulations, the GDPR, as well as women in security.
Because there is no security without awareness. An inseparable pair!
We kick off the dialogue with the GDPR. The EU regulation is imminent, less than 40 days away. In the following article, we shed new light on this legislation by exploring its human factor and the implications that will ensue. Let’s get talking!
The race is on. Across the globe, organizations are rushing to comply with the EU General Data Protection Regulation, taking effect May 25. And this race is very much about the human element of the GDPR.
Why all the excitement? For one thing, failure to comply with this legislation can result in fines of €20 million, or up to 4% of a company’s annual global turnover. Although this financial risk is by itself a strong motive for compliance, there is another more personal risk to be considered… the impact that the misuse of our personal information could have on each of us.
The human element of GDPR is about protecting Our Right to Control: when, where, and how our personal data is collected and processed. It is about protecting people from the harmful or unwanted use of personal information. Shielding a person’s confidential information is the same as protecting The Individual.
From a humanistic point of view, people and personal data are interchangeable. When our personal information is either mismanaged or mishandled, our lives feel disrupted in some way. Perhaps we’ve fallen victim to identity theft, or we’ve been the target of intrusive emails.
The GDPR exceeds our expectations. Its regulations apply to all companies processing the personal data of EU residents, regardless of their geographical location. For example, if an EU resident buys something on a US website, his/her personal data is protected by the GDPR. Likewise, if you are a US citizen buying something on an EU website, your information is also protected. Alternatively, if you have a Japanese work visa, and you are a resident of the EU, your data is secured accordingly. The implications of the GDPR legislation are global, and extremely complex – especially for organizations that wish to process and manipulate our information.
The GDPR and the human element: Privacy
The GDPR is sort of a Bill of Rights for privacy, particularly when it comes to determining what can or cannot be done with people’s personal information.
Under the GDPR, organizations that request our personal information will be required to obtain our explicit consent prior to processing and storing such data. When we give our consent, we have the right to know how long our personal data will be stored, what purpose it will serve, and who will process it. The request for our consent must be clear, precise, and easily understandable. When we provide personal information, we should expect to be informed of the contact details of the entity processing personal data, or the contact information of their representative.
Moreover, we must be given the choice to either opt in or opt out. Refusal to give consent must not be met with penalties. This is quite a paradigm shift from the traditional approach: a pre-ticked opt-in box, or consent buried in shady terms and conditions.
The GDPR and the human element: “Right to Disappear”
Since we are giving our consent, knowingly and freely, we have the right to revoke that consent at any time. Cancellation needs to be straightforward. Being able to revoke our consent is part of our GDPR “right to be forgotten,” also known as our “right to disappear.”
This right of erasure extends to removing our data everywhere it has been stored and processed. For example, if our personal data was subsequently sold to several third-party marketing companies, we have the right to have all traces of that personal data removed.
Similarly, we have the right to have personal data removed when it is no longer needed for its intended purpose. If personal information is required for a 12-month subscription, then once that subscription ends the personal data is considered obsolete – by the GDPR – and should be automatically removed. Inactive personal data can no longer be used for non-intended purposes.
Personal data is an extension of our person. We own the information. We have the right to request a copy, or to have it transferred electronically. We have the right to ensure that our personal information is accurate. If errors are present, we can demand corrections.
Moreover, we have the right to be notified within 72 hours if our personal data has been compromised. Organizations that do not comply with this rule are in violation of the GDPR. Consequently, they may suffer severe financial penalties.
From a humanistic point of view, the GDPR is a white knight, making sure that our right to privacy is protected. When our personal information is protected, WE are protected.
Although the GDPR is causing a sense of urgency for organizations that need to comply with its requirements, it is also very promising for us humans, who provide the personal data. We will be able to control our own privacy. The GDPR is not only a significant step in reclaiming our personal data; it also represents a giant leap for the protection of human privacy!