The new European Union (EU) privacy regulation, the General Data Protection Regulation (GDPR), will take effect in May 2018.
The GDPR is a very large and complex piece of legislation consisting of 173 recitals and 99 articles. In addition to a multitude of rules, the GDPR contains exemptions to the rules and exceptions to these exemptions. The GDPR is truly the new elephant in the room for any large, multinational organization.
While the GDPR builds on the data protection framework currently in force in EU member states, it tweaks some existing rules and adds a significant number of new obligations for organizations, as well as new rights for individuals. It also expands the territorial scope of its application to organizations established outside the EU as well as the material scope of its application for data controllers, only to both data controllers and data processors.
A Comprehensive Regulation
GDPR requirements apply to all business units, be it HR, marketing, product development, records management, vendor management, accounting or information security. They apply to the entire life cycle of personal data within those business units, from the moment of collection to the moment of deletion or archiving.
The GDPR addresses multiple privacy and security issues throughout the various life cycle stages of personal data. Most of these reiterate past rules, but some are new requirements. To be compliant with the GDPR, organizations need to know the answers to questions such as:
- Does your organization have a legal basis for collecting and using personal data in each distinct processing unit?
- Are the requirements for data minimization met?
- Are secondary uses of the collected personal data compatible with its primary use (e.g., is data that was collected for fraud detection reused for marketing purposes)?
- Does the organization exercise due diligence to make sure the collected data is accurate?
- Does the organization adequately notify the data subject of the fact that personal data is being collected and used? Does it comply with the requirement to notify data subjects of a laundry list of additional information?
- Is there a process in place to respond to the data subjects’ requests for access to or erasure of data within the prescribed time period?
- Is the IT department ready to provide data portability?
- Is adequate information security in place for the data subjects’ personal data, whether it is stored as structured or unstructured data and whether that data is at rest, in motion or in use?
- Is there a data breach response protocol in place?
- Are the many accountability and data governance requirements (e.g., documentation of processing activities, allocation of adequate resources, training of employees, ongoing risk assessments, data protection impact assessments and internal audits) in place?
- Does the organization comply with the requirements for cross-border data transfers?
Reduced to Tiers
The GDPR introduced a tiered fine system for violations of its many compliance requirements. Some violations will incur fines up to 20 million euros or 4 percent of the company’s global annual turnover, whichever is higher. Examples of regulations that could incur high fines include:
- Right of access, rectification and erasure;
- Right to data portability; and
- Cross-border transfers of personal data to a recipient in a third, non-EU country.
The fines will be somewhat smaller — up to 10 million euros or 2 percent of global annual sales — for less severe violations. Information security violations, for example, fall under this lower tier of fines.
The GDPR is a regulation with real teeth, and many organizations are looking for ways to become compliant by the May 2018 deadline.
The Elephant and the Blind Men
Unfortunately, many organizations seem to have adopted a siloed mindset regarding GDPR compliance. Both organizations offering GDPR solutions and organizations to which the GDPR is applicable tend to focus on one or two items, such a data breach response or data security.
The focus on information security is understandable, and security is certainly a key component of the GDPR’s comprehensive data protection framework. One must keep in mind, however, that other data protection requirements, such as providing right of access, rectification and erasure, or compliance with the cross-border data transfer restrictions, incur the largest fines in cases of violations.
By focusing only on one or two areas of GDPR compliance, organizations are acting like the blind men in the famous tale of the elephant and the blind men. This ancient story goes like this:
An elephant comes to town and a group of blind men decide to learn what it is like. They go to check out the elephant and each one feels a different body part. One blind man feels the elephant’s ear and declares, “An elephant is like a big fan.” Another blind man feels the elephant’s leg and says, “No way, an elephant is like a tree trunk.” Another blind man holds the trunk and says, “Nope, an elephant is like a thick snake.”
Then, a man with good eyesight takes the blind men to feel all the other parts of the elephant. The blind men, who before had only a limited understanding of the elephant, now realize that the elephant is composed of many parts.
So it is with the elephant-like GDPR. If organizations only focus on one part, they are acting like the blind men, who believed they understand what an elephant is by touching just one area. The blind men do not see the elephant as a whole. By focusing only on certain components, organizations risk noncompliance with many important aspects of the GDPR.
Preparing for the GDPR
Organizations must prepare for the GDPR not only at the information security data level, but also in terms of the multiple internal business processes, privacy requirements and internal governance requirements.
Ensuring comprehensive, cross-functional compliance with the multiple requirements of the GDPR may seem like a daunting task. However, a useful first step is to conduct a GDPR risk or readiness assessment. The assessment should:
- Review all the organization’s business and governance policies and processes and compare them to the GDPR requirements.
- Identify the organization’s potential risks for noncompliance in all assessed areas.
- Create a road map for remediation of the identified compliance gaps.
A comprehensive and detailed assessment should identify all key data protection risks and pinpoint the remediation required to produce GDPR-compliant methods for handling personal data.