
Will the New General Data Protection Regulation (GDPR) Give us More Privacy and Security?

By Hector Cisneros

On May 25th, 2018, headlines everywhere were touting the new EU GDPR law going into effect. Even if you didn't see the headlines on the news, you would have been inundated by emails from a wide assortment of internet and SaaS (software as a service) providers. They were all telling you about their updated data protection and privacy policies and asking you to read them and agree to them. How many of you actually read any of these policy updates? What do these new policies mean? Are they the answer to Facebook's data-sharing misconduct, or to the fact that Equifax dragged its feet for months before informing the public of its massive data breach? Is this our government finally coming to our rescue? In this episode of Working the Web to Win, we look for answers to these questions and many more as we delve into what the new GDPR law means here in the United States. So, get ready to dig deep as the implications of the General Data Protection Regulation spread across the fruited plain.

Data security issues are not new to Working the Web to Win. In fact, we have written more than three dozen articles addressing this subject. Recently we wrote about the massive data breach at Equifax, which exposed nearly 150 million Americans to the clutches of cybercriminals. We have also written many articles on how to defend yourself against cybercrime. Our latest self-protection article is called "36 Top Cyber Security Tips to Protect your Digital World". It provides a wealth of tips and techniques to help secure your digital assets. I have been calling for laws to increase our security and protection for some time. My question is, does this new EU law protect us in the USA?

What is The GDPR - (General Data Protection Regulation) The GDPR was adopted by the EU in April 2016 with a two-year transition period before enforcement. On May 25th of this year it went into effect. Instead of trying to give you an inadequate summary of the law, here are a few paragraphs from Wikipedia that cover its main parts:
"The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1]
Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of individuals (formally called data subjects in the GDPR) inside the European Union, and applies to all enterprises, regardless of location, that are doing business with the European Economic Area. Business processes that handle personal data must be built with data protection by design and by default, meaning that personal data must be stored using pseudonymisation or full anonymisation, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data subject. The data subject has the right to revoke this permission at any time.
A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, how long data is being retained, and if it is being shared with any third-parties or outside of the EU. Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.”

I'm no lawyer, but what this says to me is that nearly every US business is affected in some way by this law. Even if you are a small mom-and-pop store that sells digital fulfillment items to anyone in the EU, you are expected to comply, and if there is a breach you can face enforcement action and fines, and the affected individuals can seek compensation. If you are a blogger and you capture and keep email addresses, you must comply with the law, even if you're storing the data on a third-party site like Constant Contact. Most blogs are read all over the world, not just in your neck of the woods. The Working the Web to Win blog on Blogger has been read in more than a dozen countries. We rely in part on Google to keep our data safe, but we must also do our part. We only store a customer's name, email address and phone number, and only if they provide it to receive our newsletters and eBooks. That data is stored in a secure third-party email database that can be unsubscribed from at any time. We never store any kind of financial data, and we never sell any data to other vendors. Even when we bill clients, we use a QuickBooks payment system which gives us a "blind" transaction where we never see the customer's financial data. Having said this, it is still our responsibility to protect that data, and we must make sure that any third party we use is taking adequate measures to protect it as well.

For multinational, enterprise-size and larger companies, this has a direct impact on how they must handle their data and how they must now handle a breach. No longer can a company like Equifax sit on the facts once it is breached. It must now report the incident to the supervisory authority within 72 hours of becoming aware of it, and when the breach poses a high risk to the people affected, it must notify those individuals without undue delay. On top of that, it must document what happened to the data and take steps to contain the damage. Failure to disclose a breach promptly exposes a company to regulatory fines (up to 20 million euros or 4% of worldwide annual turnover, whichever is higher) as well as compensation claims from the people affected. With all the breaches taking place, this is sure to lead to another lawyer field day. It also means that all companies need to take the handling of personal data seriously. Many companies will need to appoint what is called a DPO (data protection officer), whose job is to monitor the company's GDPR compliance, advise it on its obligations, and serve as the point of contact for regulators and data subjects. The DPO is a compliance role, not just an IT role, and must be independent of the people who decide how data is processed.

I found a great article and video on the CSO (IDG) website called "General Data Protection Regulation (GDPR) requirements, deadlines, and facts." It provides a good overview and a different perspective than Wikipedia, or my own for that matter. Check out the video below.

What doesn't The GDPR do? - How does this help the average Joe in the USA? We get some indirect protection because many US corporations do business in the EU and will find it easier to apply one set of practices everywhere. However, the law protects people who are in the EU when their data is processed; it gives no rights to US residents whose data is handled by US companies. Part of the problem we have in the US is our laissez-faire attitude toward how we use internet services and subscriptions. For example, when was the last time you read a EULA (end user license agreement)? Never, right? Well, guess what, when was the last time you read a consent or subscription agreement for a social network or any other SaaS product? Never, right? I am going to go out on a limb here and bet that you will not be reading the GDPR-updated agreements either, which means you won't know what their privacy policy says. While doing research for this article, I noticed that every privacy agreement I read was at least three or four pages long. Nobody is going to read a three-page agreement. This means Americans will still be giving their consent to share and sell their data without knowing it!

Yes, this new law is designed to protect individuals in the EU, so they can be informed quickly about data breaches. It allows them to hold negligent corporations accountable when those corporations fail to protect their data. However, if a TransUnion breach happened tomorrow, this law would not protect us in the USA! So, what can you do? Who can we hold responsible for the Equifax-type breaches that happen in the USA on a regular basis? Don't look to the federal government. It has been asleep at the switch for more than a decade with regard to data security.

We the People need to take responsibility for our data because many corporations are just not doing a good job of protecting it. We need to minimize our risk by not sharing our financial data so easily. We need to pull back on the sharing on social networks, newsletters, app subscriptions and email lists. All too often websites ask us to create an account, provide a username and password, and then fill out a profile for them. STOP! The more you do this, the more you put your identity and financial future at risk. There are countless online criminals willing to beg, buy, borrow, or steal your digital ID and financial assets. We have to demand that our government address digital security and privacy in a broad and comprehensive way. The new EU law is a small step towards giving Europeans some additional rights, but it does not make things more secure or private for us in the USA. This is especially true if we, the users of the internet, are not taking responsibility for protecting our data in a prudent way.

In the past, I have called for government and industry to create a task force that will wage a war on cybercrime to combat this ever-increasing threat to our way of life. So far, we haven't seen any laws with real teeth to deal with companies like Equifax. Nor have we seen any kind of cyber-defense initiative in which government and industry collaborate on new, broad and comprehensive defenses to help stem the tide of cybercrime. With this said, here are a baker's dozen ways you can tighten your own defenses against cybercrime.

A Baker's dozen smart ways to protect your data
  1. Minimize your data footprint – Don't needlessly share your data. Minimize your subscriptions, cancel the ones you're really not using, keep your profile information to a minimum and, wherever possible, never leave credit card information on file.
  2. Use a VPN to access the web when possible – A VPN hides your traffic from the local network and your ISP, which matters most on public Wi-Fi. Keep in mind that it does not make you anonymous to the websites you log in to, and it does not stop malware; it is one layer, not a substitute for the others on this list.
  3. Multilayer anti-malware with ransomware vaults – Never access the web without up-to-date anti-malware protection. Make sure the product you choose includes a ransomware vault (protected folders that only trusted applications can modify). Running more than one real-time scanner at once can cause conflicts, so layer a scheduled second-opinion scanner on top of a single real-time product rather than running two real-time products together.
  4. Use an inline, self-monitoring security appliance that watches all digital connections in your house or small office – At this year's CES we saw the widespread introduction of "whole house" digital protection devices. I have personally beta tested Trend Micro's IoT security solution, and these devices hold a lot of promise, especially for IoT devices in your home (since you can't add an anti-malware package to most IoT devices).
  5. Make sure all digital devices are protected – including all smart appliances. Many users never protect their smartphones or tablets even though they use those devices on unprotected networks at coffee shops and in stores. Purchase anti-malware that covers most, if not all, of your devices.
  6. Keep all software applications and hardware drivers up to date - If your internet security, applications, operating systems, software applications, smart apps, and hardware driver applications are not kept up to date, you're vulnerable! Just do it!
  7. Employ a multi-layered backup – local and cloud – Today, if you don't have a reliable backup in place, you're gambling with your data's life! It's not a matter of if, but when, and data loss doesn't have to be caused by a breach; it can be caused by a mistake you make, a bad update or a hardware failure. Keep at least one copy offline or otherwise disconnected so that ransomware cannot encrypt the backup along with the original.
  8. Use two-factor authentication – If you're not using two-factor authentication by now on all your primary accounts, you're at higher risk. Turn it on for your email account, all financial accounts, and any other account that offers it. An authenticator app or hardware key is stronger than a code sent by SMS, which can be intercepted through SIM-swapping. This takes your security to the next level.
  9. Use 12-character passwords – Throw away that eight-character (or shorter) password and switch to a minimum 12-character password that uses a mix of upper- and lower-case letters, numbers and special characters, and use a different one for every account. Length and uniqueness are what make a password hard to guess and keep one site's breach from unlocking your other accounts.
  10. Use hardware authentication keys – If you are a government official, reporter, celebrity or just plain paranoid, get yourself a hardware security key (the FIDO U2F keys Google supports for Gmail and its Advanced Protection Program) to access your email and other accounts. A hardware key cannot be phished the way a one-time code can.
  11. Use password vaults – If you purchased a top-of-the-line anti-malware suite, you probably already own a password vault. If you don't have one, there are low-cost ones out there that work well, and most are bundled with other security software. Get one and use it! It is the only practical way to keep a unique 12-character password for every account.
  12. Use single-use credit cards tied to a segregated bank account, and cards with smart chips – If you are purchasing items online, give yourself an extra layer of protection by using refillable single-use (virtual) credit cards tied to a segregated bank account. This limits your exposure if a merchant is breached. Also, don't use your debit card for purchases, and always use chipped smart credit cards.
  13. Purchase ID protection insurance – If you have not done so yet, purchase an ID protection plan. Many homeowner policies offer them as add-ons, and there are a number of dedicated providers like LifeLock for you to choose from.

Slowly the world is awakening to the massive data security and privacy issues that the World Wide Web has always had. As a country, we are most vulnerable because we have the biggest market for cybercriminals to fish in. On top of that, many Americans have a laissez-faire attitude about privacy and data security. And to make things worse, our government has been asleep at the wheel for more than a decade, with little or no real action to combat cybercrime.

What is needed is a full-fledged war on cybercrime with the dedication (and budget) that we as a country showed when we decided to land on the moon while JFK was in office. We need a joint effort with government and industry working together on new defensive and offensive countermeasures to thwart the growth of cybercrime. We need a cross-border agreement that allows for the apprehension and prosecution of cybercriminals wherever they live. That last item I don't see happening, because governments use cyber-weapons as part of their online espionage, but the other items should not be relegated to wishful thinking.

The only way we will see a program that makes progress towards quenching cybercrime is if we hold our government officials' feet to the fire. Write your representative. Ask your representatives to pass effective laws and to make cybercrime an election-year platform issue. Make sure you as an individual do your part by minimizing your exposure and by implementing your own security measures. The reality is this: change will only take place when we make this an election-year issue. So, start raising Cain with your representative and let's get the cyber-defense initiative going this year.

That's my opinion: I look forward to reading yours.

This article provides an overview of the new GDPR law and how it affects American companies and citizens. It also provides more than a dozen tips and techniques to help you protect your data and privacy regardless of what the law says and does. There are also many links to resources providing the reader with everything they need to improve their data privacy and protection.

If you feel your business is not marketing itself in the best way possible, we can help with guaranteed services that produce positive results, or you don't pay. You can contact us by dialing 904-410-2091. We are very good at creating websites that are not only compliant but also productive and profitable. You can also fill out the form in the sidebar of this blog, and we will provide a free marketing analysis to help you get better results. Our claim to fame is that we are one of a few companies who actually provide real guarantees.

If you found this article useful, please share it with friends, family, and co-workers. I recommend checking out the links on the blog, along with other related articles on our Show Notes Page. Also, don't forget to listen to the BlogTalkRadio show on this subject. If you have a useful comment or opinion about this article, leave it in the comment section of this blog. And don't forget to +1 us on Google+ and share us on Facebook, Twitter, and LinkedIn as well.

Hector Cisneros is COO and Director of Social Media Marketing at Working the Web to Win, an award-winning Internet marketing company based in Jacksonville, Florida. He is also co-host of the weekly Internet radio show "Working the Web to Win", which airs every Tuesday at 4 p.m. Eastern. Hector is a syndicated writer and published author of "60 Seconds to Success."
