DATA RULES
Thanks to privacy policies in Europe, U.S. companies must delete your information if you ask, but do they?
In May, U.S. companies with clients or users in Europe were frantically sending emails and in-app notifications to let people know that their terms of service and data policies would soon change in order to become compliant with a new slate of privacy rules across the pond.
The General Data Protection Regulation, or GDPR, was put in place to help citizens of the European Union understand how companies are using their data. It even allows people to ask these firms to delete all information about them.
If you ask a company to delete your data — and many companies with an international presence, like Facebook, must — can you be sure that your data has really been deleted?
The regulation’s original aim was to rein in Google and Facebook, but it might be the smaller organizations that have really struggled to meet the new standards. The laws don’t just apply to companies in the EU but also to all organizations that even process data about European citizens.
“It was meant to be a law against large internet companies, but lots of small companies have trouble complying,” said Oliver Dehning, co-founder and CEO of Hornetsecurity, a German cloud security company that recently opened its first U.S. office in Bakery Square.
Some have gone with a Band-Aid fix: simply block European traffic. Notably, over 1,000 U.S.-based news websites, including the Pittsburgh Post-Gazette, made their pages inaccessible to EU citizens after GDPR went into effect.
In an October 2018 survey of privacy experts, the International Association of Privacy Professionals, based in Portsmouth, N.H., found fewer than 50 percent of respondents were “fully compliant” with GDPR, and 1 in 5 even said they felt it was impossible to reach that level of compliance.
A number of companies in the Pittsburgh area contacted for this story declined to discuss their efforts to become GDPR compliant.
Choosing not to comply can result in fines that cost tens of millions of euros. But compliance is also expensive: Firms spent an average of $1.3 million and expect an additional $1.8 million in future costs, according to the survey.
From a legal perspective, Mr. Dehning said, there are certain things companies must do to help EU citizens better control their data — like ensuring that information can be deleted upon request. While that may be irritating, he said, there’s no rule in place about how to develop the technology that makes compliance possible.
Companies may build out new processes and technologies for storing and deleting data on their own or choose to outsource that work; it’s not one-size-fits-all.
In most organizational systems, there is always a backup that makes it nearly impossible to truly delete a particular piece of information without taking intentional steps, Mr. Dehning said.
“There will be all kinds of data in that backup. Maybe you have data about a million people in a database ... and later someone says, ‘Give me all of that data,’” he explained.
It’s only impossible to delete the backup data if a firm doesn’t have the necessary protocols in place, said Jon Rosenson, senior vice president of strategic initiatives for Expedient, a company that offers data storage services from its North Side data center.
It’s just a matter of the parameters companies put in place — or don’t, he said.
While backup data is typically encrypted and spread out — rendering it almost useless to an outsider — companies that care about GDPR compliance will create “expungement jobs” that automatically delete backup information on a schedule, Mr. Rosenson said.
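The scheduled “expungement job” Mr. Rosenson describes, sketched as an added Python example that is not from the article or from any of the companies quoted; the snapshot layout, subject ids, retention window and the idea of replaying a register of erasure requests against every retained backup are constructed assumptions for illustration:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Snapshot:
    """One backup snapshot: when it was taken and the records it holds."""
    taken: date
    records: dict  # subject_id -> personal data (constructed sample)


@dataclass
class ErasureRegister:
    """Deletion requests that every future expungement run must honour,
    so a subject scrubbed from live data is also scrubbed from backups."""
    pending: dict = field(default_factory=dict)  # subject_id -> date requested

    def request(self, subject_id: str, when: date) -> None:
        self.pending[subject_id] = when


def expunge(snapshots: list, register: ErasureRegister,
            today: date, retention_days: int) -> set:
    """Scheduled job: drop snapshots past the retention window, then scrub
    every registered subject from the snapshots that remain. Returns the
    subject ids actually removed from at least one snapshot."""
    kept = [s for s in snapshots
            if (today - s.taken) <= timedelta(days=retention_days)]
    removed = set()
    for snap in kept:
        for sid in list(snap.records):
            if sid in register.pending:
                del snap.records[sid]
                removed.add(sid)
    snapshots[:] = kept  # expired snapshots vanish with every copy they held
    return removed


def still_present(snapshots: list, subject_id: str) -> list:
    """Audit check: ISO dates of snapshots that still hold the subject."""
    return sorted(s.taken.isoformat() for s in snapshots if subject_id in s.records)


def demo() -> dict:
    # Constructed sample: three nightly backups holding two hypothetical subjects.
    snaps = [Snapshot(date(2018, 11, d), {"u1": "alice@example.test",
                                          "u2": "bob@example.test"}) for d in (1, 2, 3)]
    reg = ErasureRegister()
    reg.request("u1", date(2018, 11, 3))  # subject u1 asks to be deleted
    before = still_present(snaps, "u1")
    removed = expunge(snaps, reg, today=date(2018, 11, 4), retention_days=2)
    return {"before": before, "removed": removed, "left": len(snaps),
            "u1_after": still_present(snaps, "u1"), "u2_after": still_present(snaps, "u2")}
```

The `still_present` check is the piece consumers never get to run themselves, which is exactly the trust gap the article goes on to describe.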
Expedient also needed to comply with GDPR, despite not working directly with companies in the EU.
Although the company is not a data “controller,” as outlined by the General Data Protection Regulation — that would be the person or entity that puts methods in place to process personal data, like the head of human resources — Expedient is a “sub-processor” of data. That means it is a third party that helps manage the information and, as such, has some level of responsibility.
“It’s like a waterfall almost — where if you have a little stream that goes over the falls, and it pools and goes over again, as the data flows by — the company flowing through has some level of custody,” Mr. Rosenson said.
Domestic companies with regional offices in the European Union need to provide assurances to their own auditors that their data will be held confidentially by outside vendors like Expedient, he said.
Cost of compliance varies drastically across and within industries, said Kevin Ogrodnik, CEO of Sherpa Software, a Bridgeville-based software company that helps companies automate their data processes.
“It highly depends on how big the business is, how much data you have, how complex, how spread out it is,” he said. “Data can hide in many different places, there are cracks and crevices, and it’s hard to know where everything is.”
In the hospitality industry, for instance, a hotel could either have credit cards spread throughout a whole slew of locations, as chains like the Hilton or Marriott would, or have far less data to worry about, like the motel down the street with one location.
In that sense, it would cost your local motel owner far less to become GDPR compliant than a huge enterprise. On the flip side, those big companies have more money to spend on compliance than the little guys do.
Some companies haven’t done anything at all to comply with GDPR despite the legal risk. Until regulators check up on operations, firms can more or less get away with avoiding compliance, Mr. Ogrodnik said.
Meanwhile, consumers don’t really have a way to confirm that their data has actually been deleted, if requested.
“They’re going to make their best efforts to get rid of that information ... but at the end of the day, you just have to trust companies that they’re deleting [your data].”
Both Mr. Ogrodnik of Sherpa and Mr. Dehning of Hornetsecurity believe the U.S. will move toward its own GDPR-like data laws in the next decade. When that happens, companies will definitely have to put these methods and technology in place that they’re already supposed to be implementing for EU citizens.
Plus, it’s silly to have two different sets of processes in place for people in the U.S. and the EU, Mr. Dehning said.
“Therefore, [GDPR is] kind of becoming an industry standard.”