While I was hip deep in a couple more cybersecurity interviews a few weeks back, two sources independently mentioned the European Commission's (EC) new General Data Protection Regulation (GDPR) that went into force on May 25 with the aim of protecting the data and privacy of European Union (EU) citizens. Not too many flies on me, I hope, so I cobbled some basics together, and added a little sidebar to this issue's "Secure in the knowledge" cybersecurity feature article.
More recently, over the last week of May and first week of June, I and I'm assuming everyone else suddenly got dozens of "we're updating our privacy policy/procedures" messages. Because GDPR applies not just to EU folks, but also to their data that can be stored anywhere on the Internet, I'm betting this cascade of privacy updates is a direct result of GDPR requirements. But why would everyone apparently jump to comply at once?
Well, I went back and looked at some of GDPR's main features, and what jumped out at me was its sanctions for violations that will include warnings, audits and fines that could reportedly reach up to €10-20 million. Yikes, wonder no longer about the privacy update land rush. It seems GDPR has some serious teeth.
Next, I once again began to question why these and other rule-making efforts all seem to come from Europe? When I covered machine safety for our sister magazine Control Design years ago, almost every initiative and requirement appeared to be generated in Germany and/or Europe first, and I remember sources would tell me that the U.S., North America and the rest of the world would follow-up with similar rules in subsequent years. This was especially true for equipment that machine builders wanted to ship into Europe, of course, but then large end users would demand uniform safety measures for all their devices worldwide.
[pullquote]
Not surprisingly, similar scenarios exist for much of the voluminous process safety coverage that Control has provided over the years. For a long time, it seemed like we couldn't get done with a process safety article before another catastrophe would force us to rewrite the beginning of that story. Inconvenient for editors; injurious or too often tragically deadly for process personnel in the field. Even now, the continuing drumbeat of process safety incidents demonstrates there's a deep-rooted and chronic problem that's not getting solved or even faced. Anyone hearing lack of U.S. gun control echoes? You decide.
So what makes GDPR different? I think it's the teeth—regulations with prescriptive requirements and justifiably severe penalties for violations.
After years of researching and writing those process safety articles, my main takeaway is a belief that the Deepwater Horizon disaster in April 2010—which killed 11 people, injured 17, and fouled the Gulf of Mexico—would likely not have happened if that platform had been located in Europe's North Sea or just of Australia's coast. The sometimes large but often laughably minor fines applied in U.S. do little or nothing to stem or even slow the tide of process safety incidents and disasters. Alternatively, if you blow up some of your people in Europe, Australia or some other jurisdictions, there's a good chance at least some of your corporate officers will go to jail. Talk about teeth.
Plus, Europe and elsewhere maintain largely prescriptive safety standards and requirements, while the U.S. Occupational Safety and Health Administration typically calls for particular safety outcomes, but usually doesn't define how to accomplish them. Pretty toothless, and I think historically another case of the fox guarding the henhouse.
So what's the solution? You know what it is. Add some teeth. Develop some professional pride beyond short-term profit; participate in developing logical regulations that aren't too complex or burdensome; and repeatedly call for stiff penalties for violations and lawbreakers—and don't listen to their rationalizations that their "freedoms" are being suppressed. Crooks always talk like that.
