Spring is coming.
Yes, I know that doesn’t have the portentous ring of “Winter is coming,” and it's not like there are zombie dragons and White Walkers on the move. But come May, many companies may face the regulatory equivalent of hordes of the frothing undead at their gates, in the form of the new and toothy requirements of the EU General Data Protection Regulation, or GDPR.
We’ve written about this before - noting that GDPR could add a few “0s” to the fines imposed on companies that mishandle the personal data of EU residents. That’s true both for so-called “data controllers” (basically companies that collect and store EU resident data) and for “data processors” - meaning any third-party organization that a data controller shares data with.
Importantly for US companies who might otherwise be inclined to thumb their noses at EU regulators: GDPR applies to Controllers and Processors that are EU legal entities and to organizations that are not located or incorporated in the EU. So long as the data processing activities in question are linked to goods or services offered to EU residents, or the monitoring of the behaviour of EU individuals takes place within the EU, the provider and any third parties it uses are bound by GDPR. (There’s an excellent write-up of this on the Lexology blog.)
The first step for companies in complying with GDPR is to formulate a contract - or Data Processing Agreement - that describes the data processing that will take place and the rules governing that data processing. That’s a pretty straightforward proposition if you’re, say, a retailer or credit card processor. But what about social networks? After all: their whole business is predicated on collecting information from ordinary individuals today and then figuring out how to monetize it tomorrow.
Well, with the GDPR deadline fast approaching, we are starting to see what social networking in a GDPR era will look like. LinkedIn, the dominant social network for professionals, this week released its Data Processing Agreement to describe how it plans to handle data uploaded to its platform under GDPR.
The GDPR is pretty specific about what Data Processing Agreements should contain. Articles 28 through 36 of the Regulation list the issues that must be specifically addressed in any Data Processing Agreement. Among these are requirements that data controllers and processors keep records of all data processing activities, report breaches, and comply with requests to delete or return personal data upon cancellation of the contract. For LinkedIn, a variety of activities that take place on the platform bear on GDPR requirements for data processing. Among them: job seeking, sales and marketing, advertising, and so on. All involve the collection and transfer of data on users for a variety of purposes.
According to the DPA the company published, organizations that use LinkedIn for these purposes have to establish and maintain a procedure for the exercise of GDPR rights by the individuals whose Customer Personal Data are processed. They also have to ensure that they are processing only data that has been lawfully and validly collected, and that such data will be relevant and proportionate to the respective uses. Further, organizations or individuals processing LinkedIn data have to ensure that their employees and third parties are complying with the terms of the DPA and GDPR.
LinkedIn’s requirements under the terms of the DPA are more extensive. It promises to “use appropriate technical and organizational security measures” and to act in compliance with the instructions received from Customer on how its data is to be used.
Importantly: LinkedIn is bound to a number of security requirements under GDPR, which are articulated in its DPA. Among them, that the company will maintain a host of “appropriate organizational and technical security measures” that include physical security (personnel and facilities) as well as technical controls (access controls, monitoring and logging, vulnerability and breach detection) and so on. The company will take steps to make sure that its staff are protecting the security and privacy of customer personal data, and will notify customers of any breaches by LinkedIn or its third parties.
Make no mistake: this is a big deal. First of all: GDPR codifies the kind of protections that security and privacy advocates have long called for in the U.S., but that U.S. lawmakers have been unable to agree upon and make law.
More important: for companies inclined to think that GDPR doesn’t matter to them, the spectacle of a major, US-based technology firm like LinkedIn getting in line behind GDPR is both a model and a warning to other US firms to get their GDPR house in order before the regulators come calling. The company’s Data Processing Agreement - while specific to LinkedIn’s business - can serve as a template on which other firms might base their own DPAs. It may also serve as a wake-up call about the work yet to be completed at firms that have not put GDPR on their radar.
Spring is coming!
Paul Roberts (@paulfroberts) is the Editor In Chief and Publisher at The Security Ledger and The Security of Things Forum.