GDPR Part 3: What the General Data Protection Regulation (GDPR) Means for Accountability and Data Protection
This is the third and final blogpost in our series of GDPR related posts. In the first post we discussed the extra-territorial reach of the regulation and why U.S. companies need to understand GDPR. The second post focused on specific new requirements related to the definition of privacy sensitive personal data, consent and disclosure rules, as well as new customer rights.
- Any American company that does business in the EU needs to be in full compliance with GDPR by May 25th, 2018. Even if your company has no presence in the EU, so long as you market to EU residents, even if it is through the web, you need to comply with the GDPR.
- Personal data, as defined by the GDPR, goes well beyond what U.S. companies typically think of as Personally Identifiable Information (PII). Europe applies a much stricter standard for what is considered personal data.
- The cost of non-compliance could be devastating, and even fatal to many companies, as you can be fined up to 4% of global annual revenue or €20 million, whichever is higher. The amount of the fine will be influenced by the nature, gravity and duration of the infringement.
- For example, non-compliance for even a medium-sized bank like Charles Schwab Bank ($5.5 billion rev) that provides online banking services to customers in Europe could potentially cost them up to $220 million, while non-compliance by a retail firm like Abercrombie & Fitch ($3.5 billion rev) that provides upscale clothing for young consumers could potentially cost them up to $140 million.
- To be ready by May 25th, 2018, preparation needs to begin now because it can take up to 16 months to become compliant. Major organizations like Citibank are already preparing for GDPR.
- Most organizations have complicated data landscapes making it challenging to find the data and its usage. Effective ways to discover data and how it flows in systems will be critical to ensuring compliance while controlling implementation costs. Products like ROKITT ASTRA have been developed to automate this data discovery process using machine learning techniques.
In this post we will discuss GDPR’s approach to accountability and data security.
The basic rule is that each organization needs to be able to demonstrate compliance. If your company is deemed to be involved in “high-risk” processing, you are obliged to perform a data privacy impact assessment (DPIA). GDPR states that such assessments should “evaluate, in particular, the origin, nature, particularity and severity of that risk” and that the “outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation.” This is an area to watch to understand exactly what is required for different privacy risks in different industries. For example, financial services and health care will have different personal data and probably higher risk profiles than an online retailer.
The minimum company requirement is to 1) create and maintain accurate records of all sensitive personal data storage and processing your organization is involved with, 2) incorporate processes that account for personal data privacy in your product and service development and fulfillment processes, and 3) be able to demonstrate to regulators that you have put forth a ‘best effort’ to comply with the GDPR.
Securing Personal Data and The New Data Protection Officer
The organization is responsible for the security of the data. GDPR does not specifically mandate technical measures like encryption but holds the organization responsible for implementing technical, organizational, and process controls that prevent breach. Because specific technical solutions are not mandated, it places the burden on the individual company to determine the best solution for its unique circumstances to meet the regulation.
There are also new reporting rules in case of breach. The basic rule is that an organization needs to report a breach to the regulator (and sometimes to the affected individuals) within 72 hours after detection. Organizations do themselves a service if they proactively define the media communication strategies they will employ in case there is a breach.
To ensure that controls are implemented and that compliance can be demonstrated, organizations should appoint a data protection officer reporting directly to the highest level of management. The data protection officer should be involved in all aspects of GDPR and the protection of the organization’s personal data.
Implementing GDPR Accountability and Data Protection Rules
The foundational accountability requirement means that you must know all personal data you store and use. This is a major challenge as many organizations habitually store data redundantly.
Sustained compliance means that your product/service development and production processes may need to be updated to consider personal data storing and usage implications from architecture and design to deployment.
For many companies, securing data is probably already a priority. For them, the new requirement means that they are now responsible for actually demonstrating how all of their personal data is effectively secured.
Rules for disclosure of breach and data protection officers will require implementation or update of operational processes, job descriptions, PR processes, etc.
Finding and Understanding Your Company’s Personal Data Is the First Step for Compliance
Understanding all of your customers’ personal data elements and their data lineage is the first necessary step to implement a compliant data governance process. This is not a trivial task, and historically companies have had to resort to expensive manual work to accomplish it. To help address this, a company called ROKITT has developed a product called ROKITT ASTRA that performs automated discovery of data and data flows across an enterprise using machine learning. ROKITT ASTRA goes well beyond the information found at the metadata level of a company’s databases. It is able to discover the ‘hidden’, undocumented data that can make up to 80% of a company’s data assets and that often resides in older legacy, siloed or undocumented systems.
Summary and Next Steps
The EU’s General Data Protection Regulation (GDPR) was published on May 4, 2016, and any company that does business in the EU needs to be in full compliance by May 25th, 2018. Failure to be in compliance can result in large fines, which could be devastating to many companies, as the penalties can be up to 4% of global annual revenues or €20 million, whichever is higher.
To meet the compliance deadline, companies need to begin now to put in place robust programs to find and understand all of their customers’ personal data, as the basis for a comprehensive data governance program. Finding all of your customer related data elements and their data lineage across an enterprise is one of the first necessary steps, and can be a highly manual, slow and costly process. Products like ROKITT ASTRA have been developed to automate this data discovery process using machine learning techniques.