If you think that you're safe from needing to be compliant with the European Union's upcoming General Data Protection Regulation (GDPR), think again. If you do any business with companies or individuals in the European Union (EU), or collect or analyze data about EU citizens, you're required to adhere to the regulation, regardless of your location.
And even though GDPR doesn't come into effect until May 25, 2018, it's probably past time to do some work.
So, what is GDPR? Formally known as Regulation (EU) 2016/679, and titled Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the new GDPR, passed in April 2016, is intended to give back control of their personal information to EU citizens and residents, and to provide a set of unified regulations around personal data. It is designed to make things easier for international businesses to comply; no longer will there be country-specific regulations to navigate.
To make things more interesting, post-Brexit, it is expected that the UK will create similar regulations.
"Personal data" is broadly defined by GDPR as "Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address." And it doesn't matter how the data is acquired or stored; paper files in a filing cabinet receive the same protection as automatically acquired electronic data.
Not complying could cost you, big time. The maximum penalty is the higher of 4 percent of annual worldwide turnover, or 20 million euros. Yes, the EU is really serious about privacy.
Despite the hefty penalties, analyst firm Gartner warns that by the end of 2018, less than half of companies affected by GDPR will be fully compliant. Many are confused about their responsibilities under the regulations.
Assistance is increasingly available. For example, InfoSecurity magazine offers a webinar to help clarify requirements, Microsoft has a set of resources on the Microsoft Trust Center, and Atlanta-based EPI-USE provides tools that help SAP users find the personal information that must be protected in their databases.
In addition, Gartner has published a five-point guide to help companies prepare. And it says organizations need to start now, or risk trouble later.
Here's a summary of what it recommends:
- Determine Your Role Under the GDPR
Any organization that decides on why and how personal data is processed is essentially a "data controller."
- Appoint a Data Protection Officer
Many organizations are required to appoint a data protection officer (DPO).
- Demonstrate Accountability in All Processing Activities
Very few organizations have identified every single process in which personal data is involved. Going forward, purpose limitation, data quality and data relevance should be decided on when starting a new processing activity; this will help to maintain compliance in future personal data processing activities. Organizations must demonstrate accountability and transparency in all decisions regarding personal data processing activities.
- Check Cross-Border Data Flows
Data transfers to any of the 28 EU member states are still allowed, as well as to Norway, Liechtenstein and Iceland. Transfers to any of the 11 other countries that the European Commission (EC) has deemed to have an "adequate" level of protection (Andorra, Argentina, Canada (for commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay) are also still possible. Outside of these areas, appropriate safeguards such as Binding Corporate Rules (BCRs) and standard contractual clauses should be used.
- Prepare for Data Subjects Exercising Their Rights
Data subjects have extended rights under the GDPR. These include the right to be forgotten, to data portability and to be informed (e.g., in case of a data breach). If a business is not yet prepared to adequately handle data breach incidents and the data subjects exercising their rights, now is the time to start implementing additional controls.
Individuals' rights in particular could be a challenge for unprepared companies, should citizens choose to ask questions of a data controller. Under the regulation, they have the following rights:
- Data controllers are required to inform individuals when they collect personal data about them;
- Individuals have the right to know the name of the controller, what the processing is going to be used for, and to whom their data may be transferred;
- Individuals have the right to receive this information whether the data was obtained directly or indirectly, unless this information proves impossible or too difficult to obtain, or is legally protected;
- Individuals are entitled to ask the data controller whether it is processing personal data about them;
- Individuals have the right to receive a copy of this data in intelligible form;
- Individuals have the right to ask for the deletion, blocking or erasure of the data; and
- Individuals have the right to know if their data has been hacked.
Some of these rights should be easy to fulfill, but others will require corporate process changes. As Gartner says, it's time to prepare.
The concept of Privacy by Design is baked into the regulations as ‘Data protection by design’ and ‘Data protection by default’, which are now essential elements in EU data protection rules. They decree that data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example, on social networks or in mobile apps.
Facebook has already been penalized for a privacy issue, even before GDPR; it was just fined 110 million euros (about US$122 million) for misleading the EU during its 2014 acquisition of messaging app WhatsApp – it had told regulators that it couldn't combine WhatsApp and Facebook data, then proceeded to do so last year.
This is but one indication that privacy, and thus GDPR, are being taken very seriously by EU member states, and that the EU will not cut much slack to companies that are sloppy about privacy and security. And that means another large item on the corporate to-do list. If you haven't yet looked into the GDPR and made any necessary process or technology changes, it's time. Failing to do so could be an expensive mistake.