By Jon Wollenhaupt
The most pressing cybersecurity risk facing organizations comes not only from attackers using ransomware to hold data hostage and demanding payment for its release, but also from regulatory agencies imposing stiff fines that can cost a business millions of dollars.
In May 2018, a new era of cybersecurity regulation began. The regulation with the biggest implications is the European Union’s General Data Protection Regulation (GDPR), which is designed to give individuals greater control over their personal data.
What Is GDPR?
GDPR was adopted by the European Parliament in April 2016 and became enforceable in May 2018. It requires businesses to protect the personal data and privacy of individuals in the EU, including for transactions that occur within EU member states, and it also regulates the transfer of personal data outside the EU.
What Do GDPR Compliance Regulations Mean for California Businesses?
Does your company sell online to customers in the EU? Does it have clients or suppliers in EU member countries with which it exchanges personal data, for example by email? In either case, your organization needs to be compliant. Furthermore, many experts predict that GDPR’s guidelines will be the model for new U.S. cybersecurity and data privacy regulations that are likely coming within the next two years. In the U.S., as in the EU, widespread and vociferous consumer outcry is driving federal, state, and local governments to act. High-profile, massive data breaches at Equifax, eBay, JPMorgan Chase, and Yahoo! indicate to regulators that companies are dragging their feet when it comes to protecting consumer data. Becoming compliant with GDPR now will help your organization avoid costly penalties later.
To help California manufacturers understand what the new cybersecurity and data privacy regulations mean for their business, and how to put best practices and processes in place to become and remain compliant, UpSkill California spoke with Tim Booms, Cybersecurity Expert for Educated Business Resource Corporation.
UpSkill California: What is the current regulatory environment, and how is it creating challenges for manufacturers?
Tim Booms: First, let’s define the difference between cybersecurity and data privacy. I think the larger concept today and the one that is the most relevant and most penalizing today is data privacy. Right now, it is the big thing that is looming over businesses.
The European Union has implemented something called the General Data Protection Regulation (GDPR), which includes the Data Protection Authority—the arm that levies fines to organizations not in GDPR compliance. Even though the GDPR is a European regulation, its policies and standards affect everybody worldwide. The GDPR has gotten people’s attention because the fines it can impose run as high as 4% of an organization’s global profits. Consider Apple as an example. Its revenues are as high as $234 billion a year, and its margin is 23%, or $53 billion. This means a GDPR fine could be $9 billion. You can be sure that the EU is going to implement these fines. Over the next three or four years, it will be looking to make an example of any company that is in violation of European Union data privacy regulations. It has a robust reporting mechanism for individuals and companies that believe that their data privacy has been breached.
For American companies, GDPR regulations are one of the bigger threats. To avoid fines, U.S. businesses have to understand the cultural and contextual difference surrounding personal data privacy in the EU. GDPR considers personal data to be information related to the identity or identifiable nature of a person. That could be an email address; that could be a geographic tag on a picture; that could be just about anything if not handled correctly. I think that any manufacturer or any company, regardless of the vertical market, especially in California, has to understand this: it applies to everybody, and to any online or electronic identifier.
GDPR is actively enforcing these regulations. Therefore, if you are a U.S.-based manufacturing company and you are exchanging data with anybody in the EU—whether with a subsidiary, a client, or a third-party vendor—you’re subject to this regulation.
UpSkill California: What do the EU regulations mean for a midsize manufacturing company in California that has contracts with the federal government? Would it have to follow GDPR compliance rules?
Tim Booms: It would be highly advisable. Another way to look at it is this: The EU has the strongest regulations, so if you’re compliant with those standards, you would be compliant with U.S. regulations.
UpSkill California: It sounds like just about any type or size of manufacturing company in California should be paying close attention to these regulations.
Tim Booms: Yes, absolutely. I’ll give you a great example of why this is so.
The GDPR compliance regulations will supersede the California Online Privacy Protection Act of 2003, which the Federal Trade Commission (FTC) uses to hold companies accountable. If you’re following the GDPR regulations, you’re covered under the California Online Privacy Protection Act, and you will be in good shape. Forty-seven other states and Washington, D.C., have followed California’s lead and implemented these notification laws. Even if you’re a small regional manufacturer in California, you should be paying close attention for a couple of reasons. Information privacy started off in the ’90s as something that only lawyers did. They realized the need to protect themselves from lawsuits related to information leaks or data privacy breaches. The legal industry’s diligence regarding data privacy led to changes in patient privacy rules in healthcare, including HIPAA. The concern about securing personal data continues to grow throughout the economy, and manufacturing is no exception.
Next, consider the simplest business scenario: You have a client that is four blocks down the street with whom you are only exchanging emails. That client sells your product statewide in California. If a problem arises because of some sort of data privacy breach within the supply chain, you had better be prepared if the regulators come knocking at your door. Being prepared means having well-established processes in place. Hopefully, you can say, “Look, we take this issue seriously and provided awareness training company-wide.” Such precautions will allow your lawyers to shield you from any legal consequences. The basic rule of thumb is this: As long as you’re doing things over the internet, you need to protect yourself and have good policies and processes in place to protect personal data.
UpSkill California: How can company-wide GDPR compliance be attained when all your employees are using the internet for their job functions and are sending emails to clients and business partners nationally and internationally?
Tim Booms: That type of business needs to have a data privacy awareness training program. Remember: The majority of cybersecurity problems occur within small and medium-sized businesses because they are the most vulnerable to attacks. Everybody thinks it’s companies like Disney or Wells Fargo that have to worry about these things, but it’s not. The last thing a small or midsize company wants is to have all its files encrypted and held hostage by a hacker using ransomware. This can happen when someone opens a supposedly safe file attachment like a PDF. To be in GDPR compliance, everyone in an organization who uses web-connected computing devices needs to go through a formalized training program.
UpSkill California: Let’s say I’m a midlevel manager in a manufacturing company. What would I need to know? What kind of training would I need to help keep my company in GDPR compliance?
Tim Booms: The first thing that I would suggest is awareness training for everybody in the company who uses email. That would include all the front-office staff, supervisors, and anybody who sends electronic files to recipients outside of the building.
Then the next thing I would suggest is something called the Certified Information Privacy Professional, or CIPP, which provides understanding of privacy regulations to the entire organization. It’s a two-day program that delivers a thorough treatment and understanding of the laws. I think that would be sufficient for most manufacturing organizations.
I think, at that point, the people who use web-connected communications tools would have a full understanding of the laws and the ramifications thereof, and everybody else would be aware of cybersecurity challenges. Cybersecurity coupled with an information privacy program would establish a level set for everything. If a company wanted to go further, there are other programs for IT departments and managers. It is crucial to understand that, ultimately, any regulatory fines hold a company’s board of directors or the owners accountable for those fines.
UpSkill California: If a complaint is lodged against a company, does GDPR take into consideration the steps a company has taken to prevent breaches of personal data?
Tim Booms: Traditionally, the first thing GDPR considers during an investigation is “Has this organization put any processes in place or made an attempt to train its people about protecting data?” If you’re involved in a complaint, the first thing GDPR authorities will look at is, “Are you doing anything? Have you provided even basic awareness training for your staff?” If you have, they take their foot off the accelerator and start talking with you, as opposed to just going right after you and starting a legal battle.
The training is required under GDPR, so you must provide it. Again, you can try and hedge your bets, but I wouldn’t suggest that.
The ideal approach is to become a data privacy organization, or DPO. Your organization can become a DPO by going through two other steps. Once you become a DPO, you’re protected. If any legal issue comes up related to data privacy, the conversation ends right there. You’ve got the documentation. The regulators will see that you’ve done everything possible according to the rules. So, it is a business best practice to get people certified. The certification levels include Certified Information Privacy Professional (CIPP), which we talked about. Then, there is Certified Information Privacy Manager, or CIPM. The third level is Certified Information Privacy Technologist, or CIPT. Implementing all three levels of certification in your organization means your IT people, your managers, and your entire staff are certified or made aware. If you provide classes for CIPP and CIPM, your company becomes a Certified Privacy Organization.
UpSkill California: I imagine that becoming a CPO reduces a lot of anxiety related to cybersecurity for people. They probably sleep better at night.
Tim Booms: Exactly. Yes. Because, if you’re an owner or on the board of directors and you understand the risk exposure related to data privacy, and you ask your managers, “What are you doing about privacy?” and they’re scratching their heads, you’re not going to be sleeping well at night.
UpSkill California: The general awareness training for the entire company population is an hour-long online class?
Tim Booms: Yes.
UpSkill California: How do you keep average employees vigilant six or 12 months after they’ve taken a one-hour class?
Tim Booms: That’s a great question. Part of the process of attaining CIPM or CIPP certifications is that the organization creates an ongoing educational process, just like they do with ISO. An internal auditor is established that is dedicated to continuous education and oversight. The auditor sets up processes and makes sure the organization is constantly in compliance.
UpSkill California: What do regulations require of an organization when it realizes its systems have been hacked and data compromised?
Tim Booms: GDPR regulations—Articles 33 and 34—require that an organization notify the appropriate authorities within 72 hours of becoming aware of a data breach. There are 34 states that also require 72-hour notification to authorities. In the case of a data breach, it is especially important to have an established notification process in place. To prepare for this level of response, an organization’s IT and security professionals need to be prepared and know whom to contact. You have to have a plan in place to be able to meet these regulations.
UpSkill California: How are you approaching California-based manufacturers to educate them about the need for cybersecurity training?
Tim Booms: We are working in partnership with El Camino College in Torrance, Calif. and the California Community College Contract Education Collaborative on a plan to roll out a series of cybersecurity training courses statewide that will be eligible for Employment Training Panel (ETP) funding. The ETP eligibility piece is critical because this will allow California private-sector employers to be reimbursed for the cost of cybersecurity training for their workers. The Collaborative, spearheaded by Eldon Davidson of El Camino College, has been instrumental in providing support and guidance to fellow community colleges that seek to leverage ETP funding to serve the training needs of business in their region. Through our partnership with El Camino College and the Collaborative, we expect to be able to reach and educate many California manufacturers about the importance of cybersecurity training.
For More Information About How the California Community Colleges Can Deliver Cybersecurity Training Programs to Your Organization, Please Contact:
El Camino College
Director, Contract Training & Community Education
About Educated Business Resource Corporation
EBRC is a national provider of primarily instructor led, custom training classes. We work with colleges, universities and all types of corporations. For more information, please contact:
President and CEO
Office: (866) 401-089
About the Author
Jon Wollenhaupt is a marketing consultant who writes about topics related to contract education, employee training, and corporate learning for the California Community Colleges. His work is funded by the Technical Assistant Provider (TAP) grant hosted at Mt. San Antonio College. He can be reached via email at firstname.lastname@example.org.