We are currently midway through an information and digitization revolution that could possibly be compared to the mechanical impact of the Industrial Revolution. Despite the many great advances it brought, the Industrial Revolution had harmful impacts on the environment and working conditions, among other areas. It took 150 years or more for the issues from the Industrial Revolution to be recognized and addressed with legislation, by which time untold damage had been done. Similar things are possible with the current “information revolution.” The big issues of today are concerns over privacy and data protection. Given that Europe has a history of personal information being used to enforce totalitarianism and even genocide, it is no surprise to find that Europe is at the forefront of making data protection legislation more suitable to the age we currently live and work in.
On May 25, 2018, the General Data Protection Regulation (GDPR) will take effect, strengthening and unifying data protection laws for all individuals currently within the European Union. I use the word “currently” because, despite the UK’s invoking Article 50 to leave the European Union, the enabling legislation will already have been adopted by the time the UK leaves, and will still apply (although possibly copied and pasted to a different name, something like “UK GDPR” or the like). The regulation will replace the current data protection directives in place throughout the EU.
This isn’t something that simply applies to companies based in the EU. The scope of the law also applies to “all foreign companies processing data of EU residents.” The law specifically applies if the data controller (the organization collecting the data), the data processor (an organization processing data on behalf of the controller), or the data subject (the person to whom the data relates) is based in the EU. There is no limit on company size, either: any company that handles any kind of personal data comes under the umbrella of the regulation.
From the perspective of the organization, the biggest change that GDPR brings is that it has teeth. Big teeth. Megalodon teeth. The penalties for failing to abide by the strictures of the GDPR legislation are extremely punitive from a financial perspective. Companies can now be fined up to 4% of global turnover, or £17 million, whichever is the greater. Recently, TalkTalk, the British ISP, was the subject of a well-publicized data breach. This breach resulted in its receiving a fine of £400,000—but under GDPR rules, the fine could have been up to £70 million. Companies that can currently ignore the potential cost of a data breach—because the fines would be mere drops in the ocean on their balance sheets—have been forced to actually sit up and take notice of what will be required of them.
The GDPR legislation is governed by six core principles:
- Personal data shall be processed lawfully, fairly and transparently
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes
- Personal data shall be adequate, relevant and limited to what is necessary for the purposes of collection
- Personal data shall be accurate and kept up-to-date; inaccurate data must be erased or rectified without delay
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary
- Personal data shall be processed in a manner that ensures appropriate security, using appropriate technical or organizational measures
The key part is that “the controller shall be responsible for, and able to demonstrate, compliance with the principles.” If you aren’t able to demonstrate this, then expect to be judged as non-compliant.
There are a few specific pointers within this that enterprises may want to take note of:
- Data subjects must give consent to the collection of their data, and it is given only for the purposes specified (children’s consent must be given by parent or custodian). Consent may be withdrawn. Using currently existing collected data to gather said consent via email is probably not a good way to approach this (as Honda and Flybe found out recently, and for which they were fined—they were breaking one law to prepare for another).
- Retention time for personal data and contact information for the data controller has to be provided. This is something worth thinking about when it comes to handling backups and regulatory compliance.
- Another GDPR tenet is the “right to erasure,” which has replaced the previous “right to be forgotten.” Data subjects have the right to request erasure of personal data on any one of a number of grounds. Again, this is something that makes for an interesting thought process when considering backups, archiving, and regulatory compliance.
- Data controllers need to make sure that privacy is covered by design, and by default. They also need to implement effective measures for compliance within processing activities, even if the processing is carried out by a data processor on their behalf (so no saying “it’s all in the Azure cloud” and expecting Microsoft, as a proxy, to take care of your GDPR responsibilities).
- A data protection officer (DPO) is required in GDPR, and not just for companies of over 250 employees as specified in the draft GDPR. Anyone who is a public authority, or whose core activities involve “regular and systematic monitoring of data subjects,” must appoint a DPO. This raises questions around conflicts of interest; for instance, could your CIO become the DPO without facing conflicts when it comes to IT procurement and budgets? You can, thankfully, appoint external DPOs, which may take away some of the overhead of this part for SMEs.
- Breach notification is also very important. Any breaches must be reported to the DPO within seventy-two hours, and the DPO must then notify the “relevant supervisory authority.” In the UK, this is the ICO.
- Portability is another specific point of interest. Data subjects should be able to transfer their personal data from one processing system to another without any hindrance, and the data must be maintained in a structured Open Standard electronic format.
Keeping all this in mind, GDPR looks like a minefield for businesses, which may soon find themselves playing catch-up. The deadline is looming fast. How can you ensure that you are ready?
Firstly, it’s not enough to simply implement a technical solution that will solve this. While encryption and security software have a big part to play in securing data, it’s not a case of “pay the money, install the software, and you’re covered.” Processes and procedures also need to be updated. You need to consider privacy notices, data protection policies, information sharing agreements, information retention policies, and many more areas. There is no “magic bullet” technical solution to GDPR.
Secondly, burying your head in the sand also won’t work. Some people have expressed opinions that the fines simply won’t be ramped up to the fullest possible level. This is a dangerous path. Given the noises the ICO is making in the UK, it seems to intend using the GDPR powers to their fullest extent, if necessary. It wouldn’t be good business to be the unfortunate company that gets made an example of!
Awareness is the first step, followed by putting in place the relevant staff to deal with GDPR. Auditing and identifying the information you are holding and processing is the next step. Developing, expanding, and testing processes and procedures should follow, and then tightening up the security around your data to ensure it is as safe as possible. It’s not normally a case of if you get a breach, but when, and when it happens, your response to it will determine how you are ultimately judged.
GDPR is the biggest change to data protection laws in over twenty years, so it is vitally important to get ahead on it. The penalties for repeated non-compliance are big enough to threaten any enterprise in the world—so it’s time to get ahead and make sure you’re ready.