A question that many companies need to answer by May 25th, 2018... Is your company ready for GDPR?
What is General Data Protection Regulation (GDPR)?
GDPR is an EU regulation regarding the handling of personal data. This new regulation replaced the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe. GDPR was approved by the EU Parliament on 14 April 2016. Enforcement date is 25 May 2018.
GDPR is the regulation that replaces Data Protection Directive 95/46/EC for data privacy in the EU. It is broader than the previous directive: while the main principles of data privacy are carried over, many changes and new policies have been added to improve personal data protection.
The GDPR was designed to reconcile data privacy laws across EU countries, but at the same time to provide more protection and rights to EU citizens. GDPR applies to both customers and company employees.
The GDPR applies to EU-based companies as well as to companies that collect the data of EU citizens, regardless of whether they have a physical presence in the EU. How companies outside the EU will be made to comply with the GDPR, and to follow its data protection rules when handling EU citizens' personal data, is not yet clear.
Note: GDPR is a regulation, not a directive. A regulation is binding and automatically becomes law in all EU countries; a directive has to be implemented or adapted into each Member State's own legislation.
What type of data is protected?
To answer the question "Is your company ready for GDPR?", you need to understand GDPR and which data has to be protected and handled.
All personal data of all EU citizens. Personal data includes names, addresses, phone numbers and account numbers, and under this new regulation also email and IP addresses. This type of data is typically called personally identifiable information (PII), mainly in the United States.
Here, the European Union simply uses the term "personal data" for PII, but with a wider scope. The EU and US also differ considerably in their privacy laws: in the EU, privacy is treated as a fundamental right, while in the US those laws strike a balance between privacy and efficient commercial transactions. For example, in some cases in the US, cookie IDs and IP addresses are not considered personal data.
"The EU approach defines PII to encompass all information identifiable to a person, a definition that can be quite broad and vague. This divergence is so basic that it threatens the stability of existing policy mechanisms for permitting international data flows." (from Reconciling Personal Information in the United States and European Union)
Even standard Internet form pages are affected by the new rules: information now needs to be added to those forms so that a person can give consent to the collection of their personal data.
One example: when companies inform you that they may share your data with their partners, they are obliged to identify those partners by name, and also to give you the right to withdraw your consent.
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
What do companies need to implement?
Preparation for the GDPR is complex and requires internal or external experts to prepare a business properly. Complying with the GDPR will have a financial impact on company budgets: there are many changes to implement, and companies need to change the way personal data is handled to ensure they comply with the regulation.
Some of these changes are purely organizational (like appointing a DPO or setting up data breach notifications), but many must be made at a technical level, in how the business handles data (like the Right to be Forgotten, Privacy by Design, data portability or pseudonymisation).
When a business deals with personal data, these are the main questions for privacy and GDPR rules:
- What data do we have?
- Where does the data go?
- How is the data protected?
- Who is accountable?
Once the above questions are answered, you need to deal with that data and make the appropriate changes in your organization to fully comply with the following GDPR rules.
- Data Protection Officer (DPO)
The company should designate someone to take responsibility for monitoring compliance with the GDPR and other applicable data protection laws, and to be the point of contact between the business and the EU (the local Data Protection Authority, DPA) for GDPR matters.
A DPO should have management skills, but also expert knowledge of data protection law (GDPR), and be able to work with internal staff at all levels. The DPO's task is to ensure that the company's handling of data complies with GDPR rules. A DPO must:
- Be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices.
- Can be a staff member or an external service provider.
- Contact details must be provided to the relevant Data Protection Authorities (DPA).
- Be provided with appropriate resources to carry out their tasks and maintain their expert knowledge.
- Report directly to the highest level of management.
- Not carry out any other tasks that could result in a conflict of interest.
Note: Be aware that "For public authorities, and companies processing large amounts of special categories of personal data, the appointment of a data protection officer (DPO) is mandatory."
- Right of access
The right of access gives a citizen the right to access their personal data, as well as be made aware of how that data is handled or processed by the Data Controller, and for what purpose. The Data Controller needs to provide a copy of any personal data upon request, free of charge and in an electronic format.
This means that a citizen always has the right to access their personal information held by companies that handle it, and to know how their data is handled and for what purposes.
- Right to be Forgotten
This is one of the better-known rules, because of the many requests from individuals who made this type of claim, mainly against Google and Facebook.
This right was narrowed compared with the version adopted by the European Parliament in March 2014. It means that an individual has the right to request erasure of their personal data, regardless of the company's interests. But at the same time it states: "It should also be noted that this right requires controllers to compare the subjects' rights to the public interest in the availability of the data" when considering such requests.
- Data breach notifications
When a business suffers a data breach, it must report the breach to the data protection authority within 72 hours of first becoming aware of it (this should be done by the DPO). Customers must also be notified within 72 hours if customer data is at risk.
- Privacy by Design (PbD)
Privacy by design is a concept well known in IT and business. Essentially it is a mechanism that ensures personal data is only accessed or processed when necessary. An example from the public sector is personal data regarding citizens' taxes: this information should not be accessed by anyone unless there is a legitimate reason to do so, and no one should have access to this type of data out of curiosity or for other non-legitimate purposes.
- Data portability
The right to move data from one Data Controller to another without the Data Controller being able to refuse. Companies need to provide the personal data to the individual, or to another Data Processor, in a structured, commonly used, machine-readable format. In other words, any individual has the right to move their data, as held by a company, to another company, without the source company having the right to refuse the request.
- Pseudonymisation
This unusual word refers to a technique, related to encryption, that alters data from its original form. Pseudonymisation replaces the identifying attributes of the data subject with one or more artificial identifiers, or pseudonyms, in such a way that additional information is needed to re-identify the original data. With pseudonymisation the data is no longer directly identifiable, and we could call it "anonymous" in the sense that it cannot be attributed to an identified or identifiable person without that additional information.
Most companies that use pseudonymisation "encrypt" their data so that it cannot be read outside their systems. By doing this, it is considered technically impossible for an individual to access the data without having the decryption key (in this case, the additional information). To preserve this protection, GDPR requires that this additional information (the key, in this example) be kept separately from the pseudonymised data.
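As an added illustration (not code from the original post), this Python example pseudonymises a constructed customer dataset with random tokens and keeps the token-to-identity mapping in a separate vault, the "additional information" that GDPR says must be stored apart from the pseudonymised data; the vault class, field names and records are assumptions made for the example.

```python
import secrets

# Constructed sample dataset (fictional people); "plan" stays in clear for analytics
RAW_RECORDS = [
    {"customer_id": "C001", "name": "Ana Silva", "email": "ana@example.org", "plan": "pro"},
    {"customer_id": "C002", "name": "Bo Chen", "email": "bo@example.org", "plan": "free"},
    {"customer_id": "C001", "name": "Ana Silva", "email": "ana@example.org", "plan": "pro"},
]
DIRECT_IDENTIFIERS = ("customer_id", "name", "email")  # fields that identify a person


class TokenVault:
    """Mapping pseudonym <-> real value: the 'additional information' that must be
    stored separately (own database, own access controls). Hypothetical helper."""

    def __init__(self):
        self._token_of = {}   # (field, real value) -> pseudonym
        self._value_of = {}   # pseudonym -> real value

    def token_for(self, field, value):
        key = (field, value)
        if key not in self._token_of:                   # same subject -> same token
            token = f"{field}:{secrets.token_hex(8)}"   # random, not derived from value
            self._token_of[key] = token
            self._value_of[token] = value
        return self._token_of[key]

    def value_for(self, token):
        return self._value_of[token]


def pseudonymise(records, vault):
    """Replace every direct identifier with a vault token; other fields unchanged."""
    out = []
    for rec in records:
        pseudo = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in pseudo:
                pseudo[field] = vault.token_for(field, pseudo[field])
        out.append(pseudo)
    return out


def reidentify(record, vault):
    """Re-identification needs the vault; the pseudonymised dataset alone is not enough."""
    return {f: vault.value_for(v) if f in DIRECT_IDENTIFIERS else v for f, v in record.items()}


def leaks_identifiers(pseudo_records, raw_records):
    """Defender's check: no raw identifier value may survive in the pseudonymised output."""
    raw_values = {r[f] for r in raw_records for f in DIRECT_IDENTIFIERS if f in r}
    return any(p[f] in raw_values for p in pseudo_records for f in DIRECT_IDENTIFIERS if f in p)
```

Because the same subject always gets the same token, the pseudonymised records can still be linked for analytics, while anyone holding only that dataset cannot get back to the person without the separately stored vault.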
Data Controller - An individual or entity who controls and is responsible for keeping the personal data. Can be either an individual or a "legal person" such as a company or a Government Department.
Data Processor - A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. The concept of a "processor" does not change under the GDPR: any entity that is a processor under the Directive most likely continues to be a processor under the GDPR.
These are the main changes that your company needs to comply with and will need to handle once GDPR is in force.
Not complying with any of these rules (these are just the primary ones; the full GDPR has 99 articles, and your company should comply with all of them) could cost you and your company huge fines.
Those penalties are:
Under GDPR, organizations in breach can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of the Privacy by Design concepts. There is a tiered approach to fines: e.g. a company can be fined 2% for not having its records in order (article 28), for not notifying the supervisory authority and the data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning "clouds" will not be exempt from GDPR enforcement.
To read all about GDPR and the full regulation, check the EU's official GDPR page. You can also find useful reading on the following pages: GDPR Info (listed article by article) and the GDPR Portal.
Having gone through most of the GDPR changes and rules, most of them mandatory, can your company answer the question: is your company ready for GDPR?
If we focus on my area, IT companies (the big players as well as small and medium-sized ones) are more aware of this process. Companies like Google, Microsoft, Facebook, Amazon, VMware, etc., have already started an internal process to become GDPR compliant.
Cloud providers may say they are just "Data Processors", but they also need to be GDPR compliant. AWS or Azure is a "Data Controller" but also a "Data Processor"; smaller cloud providers are more often "Data Processors". The same applies to cloud backup companies (Veeam, Vembu, their customers and cloud partners): all of them are preparing their business for the GDPR deadline. But some of them have already failed initial GDPR compliance tests, so even the big companies still have a lot of work to do in order to comply with GDPR rules.
With three months until the deadline, we still read that many companies are not GDPR compliant, or do not know whether they need to comply. Worse, some of them think they are not obliged to comply with GDPR at all.
Most organizations do not fully understand the consequences of not complying with GDPR. According to a SAS survey (from six months ago), 45% of organizations have already started a plan to comply with GDPR, but 58% of organizations are still not entirely aware of the consequences of noncompliance.
There is also a one-year-old study from Veritas on GDPR that shows similar statistics for businesses across Europe, the U.S. and Asia Pacific.
Surprisingly (or not, for those who know Government organizations from the inside), Government organizations have the lowest percentage (26%) of GDPR compliance. With these statistics, we realize there is still a big gap between what needs to be done and what companies have actually done.
Hope this helps you to understand GDPR.