GDPR will soon be upon us and I’m seeing a tremendous amount of discussion about it on both sides of the pond. While I tend to find both Americans and Europeans agree on GDPR’s ultimate goals, the term “Data Protection” has vastly different meanings to each group, and this difference is causing quite a few problems. Here is why.
Americans: To most American security professionals, the term Data Protection implies just the security controls in place to protect data from being compromised by un-authorized people (i.e. hacked). When a European is using the term Data Protection, Americans are thinking about things like firewalls, anti-virus and DLP. Americans are not thinking about the regulations of data handling. A second big difference is that for Americans, the term Data Protection implies securing ANY data, not just Personally Identifiable Information (PII). Finally, for most Americans, rules on how PII (what Europeans call Personal Data) can be collected or handled is what Americans call Privacy. So, for most Americans
GDPR = Data Protection + Privacy
Americans have a strong culture of protecting data, to include breach notification, which begin with California S.B 1386 in 2003. However, where most Americans have very little experience is the extensive privacy controls that GDPR enforces. This is why Americans continually use the word ‘privacy’ when discussing GDPR, because to us that is the 800 pound gorilla.
Europeans: For Europeans, there is no distinction. For Europeans, Data Protection is both the security controls and the regulations limiting what can be collected, how it can be processed, and the right to rectification and removal. If you look at European history, you can see why. Numerous countries have suffered from governments that punished or even killed their citizens based on who they were or what they believed in. Nazi Germany is but one example, and can help explain why Germany today has some of the strongest privacy controls in the world. However, almost no one in Europe uses the term ‘privacy’. In fact, the word “privacy” is literally never stated in the GDPR articles or recitals.
Thus the global challenge with the term “Data Protection”. When Americans say they have Data Protection in place, they usually mean they have the technical security controls. When they talk about privacy, they mean the regulations on data handling. For Europeans, Data Protection is both. We even face similar challenges with the GDPR required DPO position. For Europeans, that means Data Protection Officer. To Americans, that means Data Privacy Officer. But as you can see, those titles do not necessarily mean the same thing. So, whenever you are communicating across the pond, be sure to clarify who means what. Definitions make all the difference in the world.
PS: Yes, this post is a gross generalization, I’m in no way implying every American or European security professional thinks in this manner. However, I’ve ran into this enough times in the past several years during my extensive travel to feel the need to raise the issue. If you feel anything is wrong, needs to be corrected or can be added, please reach out to me at lspitzner@sans.org.
