The continued digitization of the world economy brings with it an increasing reliance on the processing of personal data. While this creates tremendous opportunities for business growth and consumer benefit, it also raises the stakes for protecting that data.
The General Data Protection Regulation (GDPR) is the most significant change to EU data privacy law in 20 years. The regulation was adopted in April 2016 and applies from 25 May 2018, replacing the 1995 Data Protection Directive (95/46/EC), which was written for a far less data-driven world. It aims to protect the personal data of individuals in the EU from misuse and breaches, and it requires that data protection be built into processing from the outset, “by design and by default”. Although an EU regulation, it applies to organizations regardless of their physical location if they offer goods or services to, or monitor the behaviour of, individuals in the EU.
With 99 articles and 173 recitals, GDPR is far-reaching, complex, and onerous to comply with. The regulation has drawn the attention of multinational organizations because of its steep penalties, which can reach 4% of annual worldwide turnover or €20M, whichever is higher, and because supervisory authorities can order processing to be restricted or stopped altogether. It expands the rights of data subjects (access, erasure or “right to be forgotten”, portability) and adds new obligations on organizations: breach notification within 72 hours, data protection by design and by default, and the mandatory appointment of a Data Protection Officer (DPO) for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data.
Who is regulated?
GDPR applies to and regulates every EU-based “controller” or “processor” of personal data, and it also applies to controllers and processors based outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. A controller is the entity that determines the purposes and means of the processing of personal data, while a processor is an entity that processes personal data on behalf of the controller. In simpler terms, it applies to any organization, regardless of physical location, that collects, stores, uses, or shares the personal data of individuals in the EU. That data may belong to employees, business partners, prospects, or customers.
What constitutes personal data under GDPR?
The scope of personal data under GDPR is comprehensive. It covers any information relating to an identified or identifiable natural person (the “data subject”), that is, anything that can be used directly or indirectly to identify a person: a name, a photo, biometric data, an email address, bank details, posts on social networking sites, medical information, a device identifier or IP address, and so on.
What are the key challenges that GDPR introduces for companies?
- Standards: New rights requiring changes to policies, procedures, technology platforms, and vendor agreements
- Evidence of Compliance: New obligations covering privacy notices, consent, record retention, data breach notification, records of processing activities, and third-party data processors
- Data Minimization: New processes including data protection impact assessments, maintenance of the processing register, privacy by design, and privacy by default
- Data Security Measures: Encryption of personal data at rest and in transit, together with pseudonymization, and anonymization where the data no longer needs to identify individuals
- Personnel: Appointment of a Data Protection Officer where the regulation requires one, and of an EU Representative for in-scope organizations established outside the EU
What are the rights of the EU residents?
- Right to Data Protection: Right to have personal data protected
- Right to Object: Right to object to processing based on legitimate interests or a public task, and an unconditional right to object to direct marketing
- Right of Access: Right to access all personal data processed by the firm
- Right to Data Portability: Right to receive the personal data the individual has provided in a structured, commonly used and machine-readable format, and to have it transmitted directly to another firm where technically feasible
- Right to Restrict Processing: Right to “block” or suppress processing of personal data
- Right to Erasure (“right to be forgotten”): Right to request the deletion or removal of personal data where there is no compelling reason for its continued processing
- Right to Rectification: Right to have personal data rectified if it is inaccurate or incomplete
- Rights in relation to Automated Decision-making and Profiling: Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects
The first step towards GDPR compliance is therefore to audit, and where necessary change, the way the organization collects, stores, uses, and shares personal data so that these rights can be honoured. Being able to locate every instance of an individual’s personal data across the entire infrastructure, including copies held in backups and by third-party processors, is a prerequisite for fulfilling access, erasure, and portability requests within the regulation’s deadlines.
For some organizations, this will present an opportunity to streamline operations, eradicate unnecessary data collection, and limit processing to only that which is essential to the core business goals.
GDPR also introduces an obligation on organizations to notify the supervisory authority of a personal data breach unless the breach is unlikely to result in a risk to “the rights and freedoms of natural persons”. Notification must be made “without undue delay” and, where feasible, no later than 72 hours after the organization becomes aware of the breach; where the breach is likely to result in a high risk to individuals, the affected data subjects must be informed as well. Even though the regulation makes no explicit reference to specific data protection or network security technologies, meeting that deadline is only possible if a breach can be detected, scoped, and assessed quickly, so the transition to compliance must begin with ensuring that the underlying network and systems are adequately protected and monitored.
Technological measures prescribed by GDPR
Due to the rapid pace of technological change – as witnessed in the domains of the Internet, mobile devices, applications, and the digital economy – and the continued evolution of cyber threats that exploit such changes, the regulation is deliberately non-prescriptive about the exact technical measures needed to comply. Beyond the precautions it names explicitly, such as encryption and pseudonymization, the GDPR uses terms such as “appropriate” and “state of the art” to convey a requirement for continuous risk assessment and updating of the measures in place. As new vulnerabilities are discovered, the security technology or data protection practices considered compliant today may need to change to remain compliant in the future. While this undoubtedly leaves room for legal challenges over interpretation, organizations will nevertheless need mechanisms to ensure their efforts keep pace with the latest changes in technology and threats.
What will regulators be looking for during a GDPR audit?
Regulators want to ensure that companies collecting, storing, using, or sharing the personal data of individuals in the EU are able to demonstrate the following:
- Policies and procedures: Organizations must document and institute internal policies, standards, and procedures that ensure the privacy and protection of personal data in accordance with the regulation. The procedures must also cover how the rights of data subjects are honoured and how breaches are managed.
- Evidence that policies are implemented: Organizations must be able to show that the policies and procedures for processing personal data are actually followed, and to evidence every control instituted within the organization for the protection of personal data.
- Sharing of information with third parties: All processors of personal data acting for an organization (cloud service providers, marketing firms, etc.) are in scope. The organization may use only processors that provide sufficient guarantees of appropriate technical and organizational measures, and the relationship must be governed by a contract that binds the processor to the same data protection obligations.
- Roadmap: Organizations must have an enterprise-wide roadmap demonstrating the activities planned towards GDPR compliance, including process documentation, Data Protection Impact Assessments, and controls.
Putting it all together
It is critical to first inventory where personal data lives and flows in order to determine exposure, and then to perform a GDPR readiness assessment. Most organizations that do so will find the initial transition to GDPR compliance a lengthy and challenging process. Furthermore, as the digital revolution brings technological advances to both sides of the cybersecurity arms race, compliance will require regular re-evaluation based on continued reassessment of the risks.
The foundation of this ongoing process is enterprise-wide awareness of how the personal data of individuals in the EU is discovered, protected, and governed, and of the processes and procedures that enable it. GDPR compels organizations to plan for building and maintaining personal data inventories, and to strengthen the following areas for a comprehensive approach to compliance:
- Policies and procedures
- Information security practices
- Privacy breach management
- Consent and client preference
- Records management
- Supplier management
- Marketing analytics
- Enterprise data governance
How Knowledgent can help
Knowledgent has experience interpreting the GDPR and “right-sizing” it for our clients. We have deep expertise in data governance management, applied within an industry context, and we bring assets and accelerators to speed up both discovery and execution of the roadmap.