International Facility Security Officers and Data Protection Regulations

Defense Contractors

The European Union’s General Data Protection Regulation (GDPR) is already law: it was adopted in April 2016, and it becomes fully enforceable on May 25, 2018. GDPR will change how business is conducted between US and European companies and customers, including those that fall within the export control regime of the United States’ International Traffic in Arms Regulations (ITAR).

Based on a quick review within ClearanceJobs of the number of open reqs/positions with an ITAR focus, a great many of us will need to understand the change that is coming. Now is the time to work out the adjustments necessary with respect to EU companies operating under ITAR Technical Assistance Agreements (TAA), Manufacturing License Agreements (MLA) and Warehouse and Distribution Agreements (WDA).

A recent survey commissioned by Compuware showed over half of US companies have personal information about their European colleagues and customers in their databases. Do you?

Breaches under GDPR carry an expensive bite.

This is information that will require an adjustment in the way it is protected and handled. The EU recognized that to get entities to comply with the regulation, it needed to put some teeth into it, and it did: violations will hit companies squarely in the pocket. The price of a breach is steep. “Businesses in breach of GDPR after May 2018 will face steep fines of as much as €20 million or 4% of global turnover—whichever is greater.”

Where’s the PII?

Take a moment and think about your own ITAR TAA, MLA and WDA instances. How many of them include the personally identifiable information (PII) of European employees, partners or customers? Some? Most? All?

The complexity of IT systems is already giving companies a headache, and it will continue to. The question is: do you know exactly where your customer PII resides? If you do, congratulations. Approximately 51 percent of the survey respondents found that they could not identify where their customer PII resided. The question did not cover partners or employees; those with ITAR responsibilities should include both in their internal calculus, since TAAs, MLAs and WDAs name individuals at the foreign party as well as your own. The push-back that it would take too long, or cost too much, will no longer hold water.

A potentially labor-intensive requirement of the GDPR is the right of an EU data subject to request that their data be erased, the so-called right to be forgotten (GDPR Article 17). The survey showed that 52 percent thought they had a system in place that would allow them to delete and destroy PII on demand, and to do so efficiently. Does your entity? Does the solution cover the ITAR instances? Are resources in place to handle an influx of requests from foreign partners, employees or customers?

Adjust your processes

Going forward, as you complete your ITAR TAA, MLA and WDA, you may wish to do so with an eye toward eventually having to reach in and delete the PII of the individuals named within these agreements, and amending the agreements accordingly under ITAR. Bear in mind that ITAR carries its own record-retention obligations (22 CFR 122.5 requires registrants to keep records relating to licenses and agreements for five years), so an erasure request may have to be reconciled with a retention requirement rather than simply honored; decide now how you will document that decision. There is heavy lifting ahead, and a bit over a year to put the processes and procedures in place.

Now is the time to get it done: use the next 14 months to fine-tune before enforcement of GDPR begins.


Footnotes:

European Union’s General Data Protection Regulation

International Traffic in Arms Regulations (ITAR)

Compuware Survey: Unprepared for the GDPR (behind a registration wall)

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008).