By Cassandra Balentine
Part one of two
The European Union (EU) is placing the spotlight on its constituent’s data privacy with the General Data Protection Regulation (GDPR), which officially takes effect this May.
“Data breaches and related identity thefts have become epidemic in recent years,” states Jessica Zhou, general counsel, Ayla Networks, Inc. “According to a recent global survey by KMPG International, 55 percent of consumers said they had abandoned online purchases due to privacy concerns, and less than ten percent of respondents felt they had control over the way organizations handle and use their personal data.”
Most of us have heard the buzz surrounding GDPR, but it’s time to take action. Even U.S.-based companies need to pay attention, as the regulation stipulates that the personal data of subjects in the EU’s 28 member states must be protected—regardless of where in the world it is sent, processed, or stored.
“GDPR is about delivering consumers better accountability on how their data is managed by organizations by ensuring better accounting around their data,” comments Dimitri Sirota, CEO, BigID.
According to Craig Payne, security and privacy officer, Ayla Networks, Inc., the regulation applies to “pretty much all processing of personal data of people in the EU, or personal data that is sent to the EU. Personal data is widely defined and can include even such things as dynamic IP addresses associated with individual internet-connected devices.”
GDPR is intended to strengthen and unify data protection for all individuals in the EU. However, the requirements have a far-reaching impact outside of the EU. “All organizations that target goods and services to EU citizens, regardless of where a company is headquartered, are affected by GDPR,” stresses Shawn Rogers, senior director, analytic strategy, TIBCO.
Mark Woodhams, managing director, EMEA for Oracle NetSuite, points out that the EU has had data protection laws in place for more than 20 years. “However, as the volume and potential value of data has increased, so has the risk of it falling into the wrong hands.”
Many believe GDPR is just the start to a data management revolution, and few organizations are ready.
Need to Know
GDPR is designed to help people better manage and protect personal data. When the regulations are in place, Jean-Michel Franco, senior product marketing director, governance products, Talend, explains that consumers must give consent for organizations to use their data for a specific purpose.
Todd Wright, global product marketing, data management, SAS, says while the GDPR is dozens of pages long, the main areas it entails are the following. Personal data should be accurate and, where necessary, kept up to date; processed in a manner that ensures appropriate security of the personal data. Conditions for consent should demonstrate that the data subject has consented to processing his or her personal data and the data subject shall have the right to withdraw his or her consent at any time. Right of access by the data subject includes the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. Where personal data is transferred to a third country or to international organizations, the data subject shall have the right to be informed of the appropriate safeguards. The right to erasure or the right to be forgotten secures the right to obtain from the controller the erasure of personal data concerning him or her without undue delay. The right to data portability requires the right to transmit data to another controller without hindrance.
Each industry has its own unique risk and operational challenges because the depth of the GDPR is broad. It ranges so widely under the regulation, even just the storage of personal data of EU persons constitutes processing and is therefore subject to the requirements, explains Greg Sparrow, SVP/GM, CompliancePoint. For example, a cloud services provider that only stores information of EU data subjects on behalf of the company and doesn’t do anything with that data would be subject to certain requirements under the GDPR.
Adam Prince, VP global product management, compliance and migration, Sage, says the regulation applies to all companies, individuals, corporations, public authorities, or other bodies that collect and process personal data of anyone in the EU—for example, a company whose website is accessible to those in the EU or a human resources manager that collects data from applications and employees.
“One interesting wrinkle, which is commonly misunderstood, is that GDPR protection applies to all natural persons without regard to their nationality or place of residence. This means that the processing of data from U.S. and end users in the EU are also covered by GDPR,” explains Zhou.
Richard Hogg, global GDPR evangelist, IBM, explains that GDPR may apply to wherever personal data is stored or processed. “The GDPR may significantly change how companies handle and process personal data, whether the data belongs to clients or their own employees.”
Any organization based inside or outside the EU that uses personal information from EU citizens, whether as the controller of that data—such as a bank or retailer with customer data, or a third-party company handling data in the service of a data controller—such as technology company hosting customer data in a datacenter, needs to comply with its obligations under GDPR, explains Woodhams.
GDPR includes broad security and privacy guidelines and imposes steep penalties for non-compliant organizations, says Theodore A. Miracco, CEO, SmartFlow Compliance Solutions.
“Regarding who needs to worry about GDPR, I would argue that every person within an organization,” shares Wright. “While certain departments like legal, human resources, IT, and marketing will be in charge of the GDPR strategy, it should be the concern of every employee that the actual strategy is successful.”
Carole Winqwist, GDPR compliance officer and VP marketing, Bonitasoft, agrees, adding that GDPR compliance likely touches every department in a company as there are many processes involved. “Managers responsible for those processes will also be responsible for auditing and documenting compliance.”
Zhou says it is important to note that the implications of GDPR will likely go far beyond a regional legislation and lead to a broader expectation by people outside the EU that the level of protection and transparency required by GDPR should become the new norm throughout the world.
Policing and Consequences
In order to be effective, GDPR must be properly policed and refractions reprimanded.
Policing occurs in one of two ways, explains Hogg. One is around any data breaches and notifications of that breach for further investigation, analysis, and then enforcement. Second may be from any data subject. “If we have issues around consent used or not used by a vendor, or any failure to have our data subject access requests processed within one month,” he explains.
Woodhams comments that GDPR does not come with a checklist of actions that businesses must take, or specific measures or technologies they must have in place. “It takes a ‘what’ not ‘how’ approach, setting out standards of media handling, security, and use that organizations must be able to demonstrate compliance with.” He says for example, GDPR encourages businesses to consider security controls such as data encryption to have in place appropriate controls regarding who can access data and to provide assurances that controls are implemented to help restore data in the event of an incident. It also states that businesses must be able to comply with these requires from individuals. “It is up to the organizations how they meet these requirements, and ultimately it is up to them to determine the most appropriate level of security required for their data handling operations.”
GDPR will be controlled locally. Miracco expects an uneven approach to the interpretation of the rules and the strictness of the enforcement efforts. “In general, GDPR seeks to safeguard privacy in many key areas; higher consent standards, stronger rights for individuals, local accountability, expand security requirements, processor obligations, cross-border transfers, and breach notification requirements.”
Franco says GDPR elevates data protection to the board level. “It initiates a principle of accountability because organizations have to prove that a customer gave consent and keep track of that consent and right-to-be-forgotten requests. In addition, if an organization experiences a data breach, they have to alert affected parties within 72 hours of discovering the breach.”
A supervisory authority—Data Protection Authorities (DPA)—will enforce GDPR and have the authority to audit data controllers and processors for any violation, says Venkat Ramasamy, COO, CodeLathe.
Under GDPR, Paul Farrington, director, EMEA solution architect, CA Veracode, points out that the supervisory authority will have certain investigative powers, including the ability to carry out data protection audits and review certificates, as well as corrective powers, such as to order the controller to communicate a data breach and impose a temporary or definitive limitation including a ban on processing. “However, as the enforcement will be handled by individual countries, no one is entirely sure how the rules will be enforced. In Germany, for example, it’s expected that law enforcement will be tougher than in the U.K., which has previously overtly pushed against data-privacy regulations that could impact global trade.”
While DPAs police compliance in each country, GDPR also allows individuals legal rights to access, port, correct, and erase their data. “Failure to do any of these within 30 days of a request is a violation. That places compliance within the hands of consumers, making the possibility of penalty far higher,” says Sirota.
Financial penalties are the consequence for noncompliance. Hogg says fines can potentially be up to 20 million Euros or up to four percent of global annual revenues, whichever is larger, per incident.
Wright comments that consequences for noncompliance vary depending on the level of neglect from the organization that has violated the GDPR. “The EU authorities want to work with organizations to make sure that the residents of the EU are protected. Come May 25th, organizations should not worry about regulators traveling the world looking for those to fine. Those that have an enterprise approach to GDPR and move quickly to resolve GDPR complaints from EU residents will have little to worry about pending they keep up with the work that will need to be done past May 25. However, organizations that have made little effort to comply with the GDPR, or do not work to resolve data privacy and protection complaints, will be those that run into the greatest possibility of being fined and suffer the loss of reputation from customers,” he says.
Sparrow points out that data subjects also have the ability under GDPR to receive compensation from the violator for the damage suffered. “Based on what we’ve seen with regulators in the past, we can assume that once an organization is in the spotlight for violations of data subjects right to privacy, it will remain in that spotlight and all future data practices will likely be scrutinized and closely watched by the European regulators,” he shares.
Prince says that the GDPR also allows individuals to join together and launch a joint action for liabilities similar to U.S.-style class-action lawsuits.
In addition to a monetary penalty for non-compliance, Rogers adds that it also brings organizations under the scrutiny of both regulatory bodies and customers. “Potential fines for noncompliance dwarf the usual regulatory penalties and in turn present a real prospect of extinction for businesses that do not get a handle on what is expected.”
Sparrow suggests one might ask how EU regulations will be enforced in the U.S. “Enforcement may come from regulators restricting an organization’s ability to do business in the EU due to violation or refusal to pay the penalty amount, as well as cooperation between U.S. and EU regulators. Further, organizations that have self-certified under Privacy Shield for data transfers of EU data are also subject to FTC enforcement and the FTC has pledged its commitment to enforce the framework to the European Commission,” he explains.
“GDPR has real teeth,” comments Zhou. “Many commentators believe that 2018 will be remembered as the year organizations finally started paying for any loose handling of personal data.”
Taking the First Step
Since nearly every organization requires some form of client data to operate, nearly every organization should understand the implications of GDPR. For those just starting out on the compliance journey, a risk assessment should be the first step.
In part two of this series we look at the role of data management and how software tools will help organizations in their journey to GDPR compliance. SW
Click here to read part two of this exclusive online series, Getting to GDPR.
May2018, Software Magazine