As almost everyone is now aware, the European Union Commission enacted the General Data Protection Regulation on May 25, which will coordinate and align data privacy laws across all the nation-states encompassed within the EU.
Any organization located anywhere in the world that handles data belonging to citizens residing in the EU is required to comply with the GDPR or face stiff penalties of up to 4 percent of annual global turnover. The GDPR is specifically worded to apply to both controllers and processors, meaning that no one is exempt from the regulation’s requirements, not even providers located outside the EU.
While U.S. universities that offer information security programs typically cover a range of compliance concepts related to U.S. regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) or Sarbanes-Oxley (SOX), the GDPR is something of a game changer because it is not a regulation enacted by a U.S. agency, yet it requires compliance on the part of U.S. entities.
The GDPR is only the first of several proposed global regulations governing data privacy. Before 2015, data exchanges between the U.S. and the EU were governed by the Safe Harbor program, which allowed the personal data of EU citizens to be exchanged with U.S. providers as long as both sides of the transaction complied loosely with the EU Data Protection Directive. The directive wasn’t as tightly defined as the GDPR and lacked teeth in the form of significant fines or penalties.
As a result, U.S. businesses have until now not had to concern themselves unduly with regulations enacted outside U.S. borders. The GDPR demands a change in that mindset.
If a U.S. business touches EU-based Personally Identifiable Information (PII) at rest or in transit, it is required to notify EU clients in the event of a data breach. Fines can be avoided if the breached organization employs EU-mandated encryption methods on any EU PII residing in U.S. storage or transmitted through U.S. infrastructure.
Effective key management is required not only to safeguard the encrypted data but also to allow the deletion of files, which under the GDPR gives effect to a user’s right to be forgotten. These points of security must be clearly auditable for full compliance.
U.S. universities offering IT courses that cover compliance issues must change their thinking just as U.S. businesses will have to do and must now adjust curriculum to a global outlook.
There are a number of concepts embodied in the GDPR that are somewhat alien to a U.S. business audience. While compliance with HIPAA or SOX has always required that the organization follow effective auditing procedures, the GDPR also incorporates the right to be forgotten and the right for an individual to request a copy of their data. A request for a copy of a user’s data must be fulfilled within one month of its receipt.
IT graduates should be prepared to deal with these new additions to the compliance scenario, but other parts of the curriculum would also benefit from including GDPR compliance elements in their courses.
Programming courses should address secure programming practices that comply with GDPR requirements. Database management courses should include encryption concepts for data at rest, during processing, and in transit. Implementing Layer 2 encryption across routers, switches, and gateways should be taught in networking infrastructure courses. The professional role of the data protection officer should be covered in appropriate IT courses.
In short, because the GDPR will impact just about all of the operational processes of most modern, connected businesses worldwide, the concepts embodied by the GDPR should be infused into most of the courses that prepare students to work in IT/IS. The GDPR will not only bring about change in the way that the U.S. does business, but it will also change the way that U.S. businesses think about personal data. And U.S. universities should be places that support and even initiate that change.