TOP 10 GDPR NUGGETS
In 2012, the European Commission began drafting the new General Data Protection Regulation (GDPR). The legislation is designed to be a more comprehensive and robust replacement for the earlier Data Protection Directive. In 2018, the new GDPR comes into effect, and any company that operates within its legislative zone will need to comply with a whole new set of requirements.
The new legislation requires a transformative approach to data protection, pushing organizations to employ a careful, secure and diligent strategy for end-user data protection. In reality, this means that organizations face several challenges associated with a range of GDPR requirements, as described below:
- Data breach notifications – in the event of a personal data breach incident, including unlawful destruction, data loss, content alteration, as well as unauthorized transmission and access, data controllers must notify the supervisory authority. This notification must occur within 72 hours of the event taking place, but should be made “without delay” where possible. This means that a business must have processes in place to manage data breach notifications in a planned and efficient manner. Without adequate data management and classification tools in place, data controllers may resort to manual processes, leading to non-compliance with GDPR data breach notification timeline requirements.
- Designated Data Protection Officer – for firms with more than 250 employees, and for all public authorities, GDPR requires a named Data Protection Officer to act as a top-level controller of all data-related activities relating to GDPR compliance. The new legislation notes that the Data Protection Officer must have “expert knowledge of data protection law and practices.” Firms will now either need to recruit a Data Protection Officer or ensure that a current member of staff receives the training required to fill the role, as well as empowering them with the necessary tools and technologies to replace manual data handling procedures.
- Consent is mandatory – currently, many companies sit behind a public “opt-out” policy which protects them from the adverse effects of a breach of personal data at a legal level. Under GDPR, this is no longer possible. Instead, the owner or subject of the data in question must sign a statement which clearly describes the way in which their data will be used. This consent is mandatory at even the lowest level of data processing and will generate a significant resource overhead in managing it.
- Cross-border implications – with many organizations operating within a data footprint which crosses many national boundaries, GDPR adds a new level of complication. GDPR does not give a comprehensive set of requirements for dealing with cross-border data transfers, but it does state that cross-border data transfers will be allowed based upon certifications. These certifications will be obtained by data controllers and processors applying the proper safeguards.
- Restrictions in data analytics and profiling – one of the key benefits of capturing significant levels of personal data is found in the ability to mine these large datasets at will, to deduce trends within the data. One such typical usage is profiling consumers with the aim of targeting them more effectively based upon their “profile”. GDPR specifically restricts stored data from being used in this way, and states that data cannot be used to discern “aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements”, as described in GDPR Article 4. This means that many companies will need to entirely rework the way they handle targeted marketing campaigns, for example.
- Public access to data and the right to be forgotten – GDPR states very clearly that every data subject should be allowed access to the data stored about them, and that it should be made available in a portable format, which enables the subject to view the data using common tools, such as a text editor or spreadsheet application. Furthermore, every data subject has the right to be forgotten (RTBF), and when this right is exercised, all data stored about the subject must be permanently deleted from every dataset the company owns. Managing both this right to erasure, and providing data subjects with the subsets of data relevant to them, will place a resource overhead on the enterprise.
- Taking responsibility for vendors – currently, many businesses grandfather compliance issues via tech vendors. For example, cloud providers must be compliant to sell their services to regulated industries, and therefore when using such cloud services, the client company inherits a significant level of compliance from the vendor. Under GDPR this changes entirely. Every data controller must ensure that each vendor used by the company is managing the company data in a compliant fashion. This means proactively evaluating vendor working practices, rather than simply relying on a statement of compliance from the vendor. This new set of business processes will require additional resources to manage.
- Data must be made anonymous – the concept of pseudonymization is a fresh legislative requirement introduced with GDPR. What this means is that any data stored by the enterprise, unless strictly required, must be unlinked from individual data subjects. For example, if a company were to undertake a marketing survey, the survey results should be stripped of any data which relates to the identity of the data subject who responded. In many cases, this will require a major restructuring of datasets and data capture streams.
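As an added example (not part of the original article, and not any particular product's code), the following Python script shows the survey case from the pseudonymization point above, together with the erasure step from the right-to-be-forgotten point. Direct identifiers are replaced by a keyed HMAC token; the token-to-identity lookup table is kept apart from the analytics dataset, so the survey answers can be analysed without names or e-mail addresses, while an erasure request can still find every row belonging to one subject. The survey rows and the key are constructed sample values, and the field names are assumptions for the example.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample survey export for the example; not real respondent data.
RAW_SURVEY_CSV = """respondent_email,full_name,age,region,satisfaction
alice@example.com,Alice Example,34,North,4
bob@example.com,Bob Sample,52,South,2
"""

# Fields that identify a person directly and must not reach the analytics copy.
# These column names are assumptions for the example.
DIRECT_IDENTIFIERS = ("respondent_email", "full_name")


def make_token(secret_key: bytes, identifier: str) -> str:
    """Derive a stable pseudonym for one subject.

    HMAC-SHA256 keyed with a secret held outside the analytics store: the same
    subject always maps to the same token, but without the key the token cannot
    be turned back into the identifier (a plain unkeyed hash of an e-mail
    address could be reversed by guessing addresses).
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(secret_key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(csv_text: str, secret_key: bytes,
                 id_field: str = "respondent_email",
                 drop_fields=DIRECT_IDENTIFIERS):
    """Split a raw export into an analytics dataset and a separate lookup table.

    Returns (analytics_rows, lookup): analytics_rows carry only the token and
    the non-identifying answers; lookup maps token -> original identifier and
    belongs in a separately access-controlled store.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    analytics_rows = []
    lookup = {}
    for row in reader:
        token = make_token(secret_key, row[id_field])
        lookup[token] = row[id_field]
        answers = {k: v for k, v in row.items() if k not in drop_fields}
        analytics_rows.append({"subject_token": token, **answers})
    return analytics_rows, lookup


def erase_subject(analytics_rows, lookup, secret_key: bytes, identifier: str):
    """Handle an erasure request for one subject.

    Recomputes the token from the identifier, drops every analytics row that
    carries it and removes the lookup entry, so the remaining rows can no
    longer be linked to that person. Returns the remaining analytics rows.
    """
    token = make_token(secret_key, identifier)
    remaining = [r for r in analytics_rows if r["subject_token"] != token]
    lookup.pop(token, None)
    return remaining


if __name__ == "__main__":
    key = b"constructed-example-key-keep-this-in-a-separate-store"
    rows, table = pseudonymise(RAW_SURVEY_CSV, key)
    print("analytics copy:", rows)
    print("lookup table (separate store):", table)
    rows = erase_subject(rows, table, key, "alice@example.com")
    print("after erasure:", rows, table)
```

Keeping the HMAC key and the lookup table separate from the analytics copy is what makes this pseudonymization rather than anonymization: re-identification remains possible for whoever holds the key, so the key store and the lookup table need the access controls and retention rules of the original personal data, while the analytics copy does not.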
- Workforce awareness and compliance – within GDPR we find a requirement for every enterprise to make sure that employees are fully trained in the new legislation, and this must be demonstrated by individuals becoming GDPR certified. This will mean that every company must carry the cost of certifying each employee involved in GDPR related activities.
- Heavy punishment for violations – GDPR proposes to levy fines which are “effective, proportionate and dissuasive,” evaluated on a case-by-case basis. This means that any company which fails in its GDPR compliance could face truly huge financial liability in the form of a GDPR-related fine.