GDPR Part 1: Are You Prepared for the Data Discovery Requirements to Meet EU’s New Costly GDPR Privacy Requirements?
The EU’s General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union on May 4, 2016. It is the biggest overhaul of European data privacy laws in 20 years. This is not just a European event, and U.S. companies that also operate in the EU need to prepare for this today. According to Allen & Overy, a leading international law firm based in London, “Now that the GDPR has been adopted, the shape of the EU’s future data protection framework is clear and preparations for implementing the new regulation should begin.”
- Any American company that does business in the EU needs to be in full compliance with GDPR by May 25th, 2018. Even if your company has no presence in the EU, so long as you market to EU residents, even if it is through the web, you need to comply with the GDPR.
- Personal data, as defined by the GDPR, goes well beyond what U.S. companies typically think of as Personally Identifiable Information (PII). Europe applies a much stricter standard for what is considered personal data.
- The cost of non-compliance could be devastating, and even fatal to many companies, as you can be fined up to 4% of global annual revenue or €20 million, whichever is higher. The amount of the fine will be influenced by the nature, gravity and duration of the infringement.
- For example, non-compliance for even a medium-sized bank like Charles Schwab Bank ($5.5 billion rev) that provides online banking services to customers in Europe could potentially cost them up to $220 million, while non-compliance by a retail firm like Abercrombie & Fitch ($3.5 billion rev) that provides upscale clothing for young consumers could potentially cost them up to $140 million.
- To be ready by May 25th, 2018, preparation needs to begin now because it can take up to 16 months to become compliant. Major organizations like Citibank are already preparing for GDPR.
- Most organizations have complicated data landscapes, making it challenging to find the data and its usage. Effective ways to discover all personal data and how it flows through systems will be critical to ensuring compliance while controlling implementation costs. Products like ROKITT ASTRA have been developed to automate this data discovery process using machine learning techniques.
In this blog post – the first in a series of three – we will focus on the global reach of GDPR. GDPR also affects many other areas such as personal data scope, customer consents, disclosure, new rights, accountability, data protection organization, data security, 3rd party processing, etc. The second post will cover changes in what is considered sensitive personal data and consent rules. In the final post we will discuss GDPR’s approach to accountability and data protection.
GDPR Applies to Anyone Who Operates in the EU or Serves EU Customers
The GDPR rules apply to organizations that operate in the EU, that is, organizations whose activities either store or process personal data pertaining to EU residents. Subsidiaries of non-EU organizations are included. The regulation talks about ‘controllers’ and ‘processors’. The rules are most onerous for controllers – i.e. anyone who collects, stores, and/or uses personal data. However, it also has rules for 3rd party processors. In earlier legislation, responsibility rested solely with the controller. Now there are direct obligations for processors as well as new obligations for controllers contracting with processors.
The biggest news is that the GDPR also applies to anyone dealing with personal data of EU individuals even if they are not established in EU territory. Organizations not located in the EU who offer goods and services to EU residents or monitor behavior of data subjects in the EU need to comply with GDPR. An obvious example would be internet banks or retailers and any kind of internet service company offering its products and services to EU individuals.
The prevailing interpretation regarding the UK and Brexit is that GDPR will be applicable in the UK at least for the short and medium term. If your European establishment is in the UK only, or if you only have UK clients in Europe, you should follow the evolution of Brexit and GDPR closely.
Implementation of GDPR Changes in Non-EU Organizations
The high amount of potential fines and risks makes GDPR a board level issue. Some companies with limited European business exposure and complicated legacy systems may be better off taking steps to avoid being subject to GDPR. If you want to continue to do business with EU clients and haven’t started to implement GDPR changes, you need to act now.
The first step is to understand the impact of GDPR on your organization: form a team composed of business, legal, and IT specialists with enough authority to drive the complete change program. We recommend that sponsorship, program charter, and governance be led by a C-level executive.
GDPR could mean that your company has to treat data belonging to different geographies or categories of customers differently from a privacy standpoint, or apply the most stringent rule to everyone. For example, you might apply the expanded definition of what is considered privacy data to everyone but limit implementation of the “right to be forgotten” to EU residents, as it could conflict with US laws and the First Amendment of the U.S. Constitution.
For each GDPR related change, you have to decide whether it applies to EU individuals only or whether you should apply it to everyone. The latter is probably simpler technically, as it reduces complexity and avoids the problem of determining individual applicability, but it can also be less desirable from a business standpoint and in some cases conflict with laws in other countries.
Finding and Understanding Your Company’s Personal Data Is the First Step for Compliance
Understanding all of your customers’ personal data elements and data lineage is the first necessary step to implement a compliant data governance process. This is not a trivial task, and historically companies have had to resort to expensive manual work to accomplish it. To help address this, a company called ROKITT has developed a product called ROKITT ASTRA that performs automated data discovery and data flow mapping across an enterprise using machine learning. ROKITT ASTRA goes well beyond the information found at the metadata level of a company’s databases, and is able to discover the ‘hidden’, undocumented data that can make up to 80% of a company’s data assets and that often resides in older legacy, siloed or undocumented systems.
Summary and Next Steps
The EU’s General Data Protection Regulation (GDPR) was published on May 4, 2016, and any company that does business in the EU needs to be in full compliance by May 25th, 2018. Failure to be in compliance can result in large fines, which could be devastating to many companies as the penalties can be up to 4% of global annual revenues or €20 million, whichever is highest.
To meet the compliance deadline, companies need to begin now to put in place robust programs to find and understand all of their customers’ personal data in order to establish a comprehensive data governance program. Finding all of your customer related data elements and data lineage across an enterprise is one of the first necessary steps, and can be a highly manual, slow and costly process. Products like ROKITT ASTRA have been developed to automate this data discovery process using machine learning techniques.