Sunrise Banks Director of Cybersecurity Eric Breece Talks GDPR

Breece answers questions on the regulation and provides his take on the law a year after implementation

The General Data Protection Regulation, otherwise known as GDPR, was enacted in May of 2018 and brought sweeping changes to how companies can handle and process consumers’ personal data.

The law is a response to heightened concerns about privacy in the age of the internet, where consumers are giving up more personal information than ever before. In particular, the GDPR deals with how much personal information companies can retrieve from individuals, and what they can and can’t do with it.

The new law also allows individuals to know what information companies have on them and how they’re using it. In certain circumstances, the GDPR gives consumers the “right to be forgotten,” or the ability to erase their personal information if they so choose.

The long and the short of it is this: The GDPR is an important piece of legislation, and one of the first to address concerns over internet privacy.

We sat down with Sunrise Banks Director of Cybersecurity Eric Breece to get his take on the GDPR. Here’s what he had to say.

Why was the GDPR created?

EB: Privacy regulations have a long history across the nations that make up the European Union (EU) and can be traced back to just after the end of World War II. These were formed around the idea to solidify individuals’ rights to information about themselves.

In 1995 the EU issued the Data Protection Directive, which provided guidelines on how to protect and handle personal data. This included understanding and say over who has an individual’s information, what they are using it for, and how it is shared. However, EU directives are not legally enforceable across the EU, and each nation’s privacy laws varied greatly.

Back in 2012, the EU introduced the first version of the GDPR as, among other things, an enforceable regulation that applied to EU members and as a way to better reflect the ways in which our data is handled and used in our ever-digital world. The EU parliament adopted the GDPR in 2016 and it became enforceable across the EU nations in 2018.

How does the GDPR affect banks?

EB: Typically, banks are considered a data controller in relation to the GDPR, which means they are responsible for protecting the rights of the individual that the data relates to (a.k.a., the data subject). This means they have a heavier lift than organizations that aren’t subject to GDPR or are a data processor.

It should also be noted that a bank could be considered a data processor in specific business arrangements.

Could you explain the difference between a data “controller” and data “processor” under the GDPR?

EB: A data controller is not only on point for protecting the data subject’s rights, they are also the ones that define how the data is to be used and for what purpose.

While a data processor is responsible for protecting the data, they are processing the data on behalf of a data controller. They cannot change the purpose or use of the data under their care.

Does the GDPR only apply to companies in the European Union?

EB: Yes and no.

Yes, if you are a company from one of the EU nations; in this case it clearly applies. It all ties back to the data subject’s location and business transactions. Therefore, typically all EU citizens are considered data subjects under the GDPR, but it can also apply to U.S. citizens doing business with an EU business while in (or flying over) an EU nation.

No, in that, if you are a U.S. company that has a presence in any of the EU nations then the GDPR also applies to those U.S.-based companies. A lot of U.S. companies have a presence in the EU, even if it is just for tax purposes, which puts them in scope for the GDPR at some level.

However, if you are a U.S. company with no presence in the EU, but you are handling EU citizen data that is tied to a residence in the U.S., you are not subject to GDPR. For example, a foreign student on a student visa going to a U.S. university – in this case, the school is not subject to GDPR.

There is one caveat to this: Some of these aspects of GDPR haven’t all been tested through legal action. In other words, things could change once a data subject pushes a complaint through the courts.

How is GDPR compliance regulated? Are companies audited on a consistent basis?

EB: Overall GDPR regulation across all EU nations is done by the European Data Protection Board, which also includes representation from the European Commission. However, the “boots-on-the-ground” regulators are supervisory authorities, which each member state establishes.

Companies that are responsible for becoming compliant with the GDPR can face hefty fines if they experience a breach. They also can pursue GDPR certification to prove compliance with the regulation through an approved certification body.

Does the United States have a GDPR equivalent?

EB: The U.S. does not have an equivalent federal regulation to GDPR. However, various states are passing their own regulations that are mimicking the GDPR requirements. The most notable is the California Consumer Privacy Act (CCPA), which goes into effect on Jan. 1, 2020. There are some subtle differences, but the CCPA is extremely similar to the GDPR.

The GDPR has been law for more than a year now. In your opinion, is it “working?”

EB: As a practitioner in the information security and privacy space, I believe regulations of this nature help shed light on the need for securing data and do ultimately help to keep individuals’ personal data private.

However, with something that applies so broadly across multiple nations, its effectiveness will vary based on the strength of the enforcement body that’s in place.