Subscribe to Cyber Resilience Insights
Get the latest cybersecurity news, analysis and tips delivered to your inbox every week.
Auditing, evaluating and updating data handling processes and technology is a necessity under the tougher personal data protection and privacy requirements set out in the new EU General Data Protection Regulation (GDPR). Any organization, anywhere in the world that processes or holds personal data of EU residents must comply with this new regulation or face significant fines.
For some organizations already bound by more stringent controls, like those in healthcare and financial services, they may already be further down the line than others. However, the prospect of competing regulations becomes a very real concern. Is it possible to comply with every regulation in every territory or region? Unlikely. But understanding the complexities of overlaps, and assessing the risks these may pose can’t be ignored.
Financial services organizations are bound by strict controls on data exfiltration, exposure and record keeping under the Exchange Act, FINRA, MiFID, and others. MiFID II, for example, requires all communications, including personal data, that could lead to transactions being carried out to be stored for up to five years. Yet under GDPR, personal data should be kept only for as long as necessary, and data subjects can request their data is deleted in line with “right to be forgotten” entitlements. Which regulation wins out? This is not yet clear and financial organizations should look to the regulators to help navigate through this maze.
The same conundrum applies to the requirement to protect personal data versus the need to share information to help counter financial crime. Article 23 of the GDPR may provide a route to follow here, giving countries the ability to issue guidance based on a need to preserve national security. However, if the organization operates in multiple jurisdictions, conflicting guidance may complicate things even further.
In healthcare, systems like electronic health records, pharmacy, and radiology systems are improving the efficiency of providing care and ease of access to information. However, they also increase the potential security risks of personal data including health information falling into the wrong hands. Healthcare providers governed by the US Health Insurance Portability and Accountability Act (HIPAA) must follow strict guidelines on the collection, use, and protection of health information.
GDPR, while much broader in its definition of personal data, includes requirements for the protection of sensitive health-related data. The requirements are similar but not identical. Healthcare providers in the US must, therefore, understand where the differences are and make provision for these if treating EU residents.
Similarly, life sciences organizations may well face new rules on data protection, especially those outside of Europe who may receive personal information collected during clinical trials. While they may have some familiarity with EU data protection rules relating to EU-US Privacy Shield, for example, GDPR is likely to impose more stringent requirements.
The bottom line is many more highly-regulated organizations will likely face competing requirements and unclear guidance. Now is the time to consult the relevant regulators, working parties, governing bodies and others to help clarify requirements.
Get all the latest news, tips and articles delivered right to your inbox
You will receive an email shortly