GDPR Part 2: How the General Data Protection Regulation (GDPR) Expands Privacy Data Scope and Provides New Rights of Data Control to Customers
This is the second blog post in our series of GDPR-related posts. In the first post we discussed the extra-territorial reach of the regulation and why U.S. companies need to understand the GDPR. The final blog post will discuss the GDPR’s approach to accountability and data security.
- Any American company that does business in the EU needs to be in full compliance with the GDPR by May 25th, 2018. Even if your company has no presence in the EU, you need to comply with the GDPR as long as you market goods or services to EU residents, even if only through the web.
- Personal data, as defined by the GDPR, goes well beyond what U.S. companies typically think of as Personally Identifiable Information (PII). Europe applies a much stricter standard for what is considered personal data.
- The cost of non-compliance could be devastating, and even fatal to many companies, as you can be fined up to 4% of global annual revenue or €20 million, whichever is higher. The amount of the fine will depend on the nature, gravity and duration of the infringement.
- For example, non-compliance by even a medium-sized bank like Charles Schwab Bank ($5.5 billion in revenue) that provides online banking services to customers in Europe could potentially cost it up to $220 million, while non-compliance by a retail firm like Abercrombie & Fitch ($3.5 billion in revenue) that provides upscale clothing for young consumers could potentially cost it up to $140 million.
- To be ready by May 25th, 2018, preparation needs to begin now, because becoming compliant can take up to 16 months. Major organizations like Citibank are already preparing for the GDPR.
- Most organizations have complicated data landscapes, which makes it challenging to find personal data and understand how it is used. Effective ways to discover data and trace how it flows through systems will be critical to ensuring compliance while controlling implementation costs. Products like ROKITT ASTRA have been developed to automate this data discovery process using machine learning techniques.
In this post we will focus on specific new requirements related to the definition of privacy-sensitive personal data, consent and disclosure rules, as well as new customer rights.
EU’s Definition of Personal Data is Stricter Than in the USA
The GDPR expands the definition of personal data well beyond what people in the USA typically think of as Personally Identifiable Information (PII). For example, in the USA, PII is usually thought of as items that can be used to readily identify you, such as name, address, date of birth, social security number, credit card number, passport number, mother’s maiden name, etc. More formally, the U.S. Office of Management and Budget (OMB) defines personally identifiable information as:
“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
In contrast, the GDPR applies much stricter rules to protect the personal data of people in the EU. It defines personal data broadly as any information relating to an identified or identifiable natural person. Beyond the expected PII, this explicitly includes online identifiers such as your computer’s IP address and your mobile device ID, as well as genetic data, health records and biometric data such as the fingerprint or facial-recognition templates used for device login or even for indexing the photos on your cellphone. Genetic, biometric and health data are further classed as “special categories” of personal data, whose processing is prohibited unless one of a short list of specific exceptions applies.
Data relating to criminal convictions and offenses is another complicated area where the GDPR sets rules on how and when this kind of information may be processed. Financial services companies will need to ensure that industry-specific systems that necessarily hold such data, e.g. anti-money-laundering (AML) screening systems, are consistent with the GDPR.
Consent Rules, Disclosure, and New Data Subjects’ Rights
Under the GDPR, the rules for consent (for storing / processing of personal data) are tightened and made explicit. Consent must be freely given, specific, informed and unambiguous, and expressed through a clear affirmative action; implicit agreement through mere use of a service will not be acceptable. The disclosure of how an organization is going to use personal data will need to be more detailed and specifically identify every use for every purpose. Privacy notices must also be intelligible, using clear and plain language, and must not contain unfair, ambiguous or punitive conditions. In addition, individuals must be able to withdraw consent whenever they want, and withdrawing consent must be as easy as giving it.
One of the most debated areas of the GDPR is the new “right to be forgotten” (formally, the right to erasure) together with the right to data portability. The right to be forgotten is related to withdrawal of consent but can also be invoked if an individual can show that personal data has been obtained or used unlawfully. Advocates of this rule have pointed out why it is important: for example, immature postings on social media by young people may follow them, with negative consequences, through their entire lives, so there must be a way to control and clean up your electronic footprint. The right to be forgotten has triggered a lot of discussion about its incompatibility with the First Amendment of the U.S. Constitution.
The right to data portability allows individuals to request that their personal data be moved electronically from one organization to another. While this has been in place for some time in the financial services industry, e.g., when you want to move your stock holdings from one brokerage firm to another, it is a novelty for most other industries, as a company that loses a customer is unlikely to want to do work that helps a competitor onboard the customer it just lost.
Implementing Broader Scope of Personal Data and Consent Obligations
Our high-level recommendations for a company to implement a change management program to meet the GDPR were covered in our first blog post. In addition to these, companies should be aware that the GDPR may also imply requirements unique to their industry.
For example, the protection rules for biometric, health and genetic data create challenges for organizations whose business it is to analyze this kind of data. Life-sciences companies will have to find ways to enable effective analysis while complying with the GDPR’s privacy rules. As this kind of personal data is sometimes the core of the analytics a life-sciences company performs, it is not easy to mask the data, and a combination of data protection measures and process changes with new separations of duties may be required.
Disclosures and privacy notices have to be reviewed and changed. Consent can no longer be obtained through, e.g., pre-ticked “I agree” boxes or “if you use this site, you agree” messages.
The requirement that notices must be “intelligible, using clear and plain language” is a game changer, as legal considerations now need to be married with consumer-communication skills.
Overall, consent management has to be improved so that you can prove you obtained consent fairly, renewed it when you changed how the data is used, and gave customers a convenient way to withdraw it.
The changes described above can probably be applied globally if your business agrees that the increased transparency is good business. The changes for the right to be forgotten and data portability are more controversial, and most organizations are likely to apply them only to EU customers.
The right to be forgotten is likely to be challenged constitutionally if applied in the U.S., so its implementation must be clearly limited to EU residents. Workload is another reason to limit this right to the EU, as for certain companies it could be a great deal of work to implement. For example, Facebook would need to expend a lot of effort to erase an individual’s old postings, as well as every reply to and share of those postings by other people.
Data portability rules are also technically challenging, as they require the sending party to provide the personal data to the receiving party in a machine-readable format. In many industries there are no well-defined open standards to facilitate the transfer.
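As an added illustration (not code from the original post or from any product it mentions), the following sketch shows what a consent record needs to carry for the three obligations above to be provable: each grant is bound to a single purpose and to the version of the privacy notice the person actually saw, a change of notice makes earlier grants stale until re-consent, withdrawals are appended rather than deleting history, and a grant with no evidence of an affirmative act (a pre-ticked box, silence) is refused outright. The field names, the purpose labels and the subject id are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one processing purpose per event, never a bundle
    notice_version: str   # the privacy-notice version the subject was shown
    granted: bool         # True = affirmative opt-in, False = withdrawal
    at: datetime
    evidence: str         # how the action was captured (hypothetical field)


class ConsentLedger:
    """Append-only consent log, bound to purpose and notice version."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []
        self._current_notice: Dict[str, str] = {}

    def publish_notice(self, purpose: str, version: str) -> None:
        # A new notice for a purpose makes consents given under the old one stale.
        self._current_notice[purpose] = version

    def grant(self, subject_id: str, purpose: str, evidence: str,
              at: Optional[datetime] = None) -> None:
        if purpose not in self._current_notice:
            raise ValueError(f"no published notice for purpose {purpose!r}")
        if not evidence:
            # Silence, pre-ticked boxes and "use implies agreement" carry no
            # evidence of an affirmative act, so they are not recorded as consent.
            raise ValueError("consent requires evidence of an affirmative action")
        self._events.append(ConsentEvent(subject_id, purpose,
                                         self._current_notice[purpose], True,
                                         at or datetime.now(timezone.utc), evidence))

    def withdraw(self, subject_id: str, purpose: str, evidence: str,
                 at: Optional[datetime] = None) -> None:
        # Withdrawal is appended, never used to delete history: the audit trail
        # must still show that consent once existed and when it ended.
        self._events.append(ConsentEvent(subject_id, purpose,
                                         self._current_notice.get(purpose, ""), False,
                                         at or datetime.now(timezone.utc), evidence))

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None

    def is_valid(self, subject_id: str, purpose: str) -> bool:
        """True only if the newest event is a grant under the notice now in force."""
        ev = self._latest(subject_id, purpose)
        return (ev is not None and ev.granted
                and ev.notice_version == self._current_notice.get(purpose))

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Every event for a subject, in order: the proof you show a regulator."""
        return [ev for ev in self._events if ev.subject_id == subject_id]


def demo() -> List[bool]:
    """Walk one constructed subject through grant, notice change, re-consent, withdrawal."""
    ledger = ConsentLedger()
    ledger.publish_notice("marketing_email", "2017-11")
    ledger.publish_notice("profiling", "2017-11")
    s = "subject-42"  # constructed sample subject id

    results = []
    ledger.grant(s, "marketing_email", "checkbox ticked on /signup")
    results.append(ledger.is_valid(s, "marketing_email"))   # True
    results.append(ledger.is_valid(s, "profiling"))         # False: consent is per purpose

    ledger.publish_notice("marketing_email", "2018-05")     # usage changed -> re-consent
    results.append(ledger.is_valid(s, "marketing_email"))   # False: stale notice version

    ledger.grant(s, "marketing_email", "re-consent banner accepted")
    results.append(ledger.is_valid(s, "marketing_email"))   # True again

    ledger.withdraw(s, "marketing_email", "unsubscribe link clicked")
    results.append(ledger.is_valid(s, "marketing_email"))   # False after withdrawal

    try:
        ledger.grant(s, "profiling", "")                    # pre-ticked box: no evidence
        results.append(True)
    except ValueError:
        results.append(False)                               # rejected, nothing recorded
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth copying is that validity is derived from the log rather than stored as a flag: a consent is valid only if the newest event for that subject and purpose is a grant made under the notice version currently in force, which is what lets you answer “on what basis did you process this person’s data on that date?” from the history alone.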
Finding and Understanding Your Company’s Personal Data Is the First Step for Compliance
Understanding all of your customers’ personal data elements and their data lineage is the first necessary step toward a compliant data governance process. This is not a trivial task, and historically companies have had to resort to expensive manual work to accomplish it. To help address this, a company called ROKITT has developed a product called ROKITT ASTRA that performs automated discovery of data and data flows across an enterprise using machine learning. ROKITT ASTRA goes well beyond the information found at the metadata level of a company’s databases and is able to discover the ‘hidden’, undocumented data that can make up as much as 80% of a company’s data assets and often resides in older legacy, siloed or undocumented systems.
Summary and Next Steps
The EU’s General Data Protection Regulation (GDPR) was published on May 4, 2016, and any company that does business in the EU needs to be in full compliance by May 25th, 2018. Failure to comply can result in large fines, which could be devastating to many companies, as the penalties can be up to 4% of global annual revenue or €20 million, whichever is higher.
To meet the compliance deadline, companies need to begin now to put in place robust programs to find and understand all of their customers’ personal data as the basis for a comprehensive data governance program. Finding all of your customer-related data elements and their data lineage across an enterprise is one of the first necessary steps, and it can be a highly manual, slow and costly process. Products like ROKITT ASTRA have been developed to automate this data discovery process using machine learning techniques.