3-4 April 2019 / Manchester Central

First Access >>

The EU’s General Data Protection Regulation

Wednesday 14 March 2018

By Chris Adams, President and COO, Park Place Technologies


May 25, 2018 is the date. After years of development, an April 2016 adoption, and a delay period to allow affected parties to prepare, the European Union’s General Data Protection Regulation (GDPR) will go into effect next spring. This sweeping new oversight is designed to strengthen data privacy and security for EU residents and also covers export of data outside the EU.

Some are comparing the change to Y2K, a looming event with potentially serious and costly ramifications. (Or as it turned out, maybe not.) And just like Y2K, there are myriad firms willing to assist—for a fee.

This leaves many IT leaders wondering what’s really coming down the pike. Do they need to invest massive amounts in GDPR compliance? Should they be hiring consultants? Or can they ignore the GDPR altogether?

According to the UK’s information commissioner speaking to Wired , the GDPR is “an evolution, not a revolution.” So not scary? Maybe, but then tell that evolution story to the T-Rex.

The biggest problem may be lack of knowledge. An NTT survey of over 1,300 business decision-makers worldwide found most are largely unaware of the GDPR and its impacts on their companies. A little information can go a long way in settling nerves and helping organizations prepare, so we’ll do our best to cover the basics here.

Together in Perfect Harmony

Let’s start with the overarching goal of the GDPR. The regulation replaces 1990s era policies, which have not been significantly updated and are not, in most experts’ estimation, up to today’s privacy and data-protection challenges. In the wake of the Equifax breach , word that Google was secretly collecting smartphone location information even on users who had that feature turned off, or any other of the recent privacy-busting revelations, it seems that, yes, some work needs to be done to protect consumers’ personal information.

The GDPR aims to harmonize data protection, ending the “patchwork” of laws across the 28 EU member states. Although there is some debate over the policy’s tension between standardization and member-state flexibility, it is commonly accepted that flexibility will be highly limited.

This may be a win for enterprises, even as they work to understand and comply with the GDPR’s nearly 100 articles. As it will become the world’s most stringent regulation on most counts, it is expected to have global impact, becoming the de facto international standard. “GDPR-compliant” may become a consumer catchword for “safe.”

Once the multinationals—or any business operating or collecting data across borders—can get accustomed to the new rules, the simplicity of a single dominant standard, not to mention the bolstering of consumers’ flagging confidence, may be beneficial.

Achieving compliance will, however, take time and attention. We will devote the next three blogs to covering who is affected, the central GDPR requirements, and what some organizations are doing to come into line.

Most businesses are seeking to answer one simple question: Is the GDPR something I have to worry about? Here are some basic criteria for assessing whether the GDPR applies to your organization:

  • Do you have any business involving EU residents? The GDPR formally extends only to EU citizens’ personal data, although organizations are welcome to extend the protections to all consumer information if they so choose. If your operations are fully and completely isolated from Europe, the GDPR may not need to be on your radar screen. But keep in mind, it’s difficult to wall off much of a continent in this internet age. Your company needn’t be located in the EU or have any physical presence there. If a simple newsletter sign-up, for example, could capture email addresses from French, German, or even British citizens (the U.K. appears set to implement the GDPR, Brexit aside) or any other EU residents, that activity must be GDPR-compliant .
  • Do you collect or process personal data? The regulation covers “personal data,” which refers to essentially any information that could be used to identify an individual, such as name, address, email address, or IP address. The GDPR also covers “sensitive personal data,” which would span genetic information, religious or political views, images uploaded to the internet, and much more. Overall, “handling data” is a pretty low threshold to meet. A wide range of companies collect, use, process, or otherwise engage with the numerous types of data covered by the GDPR.
  • Are you a data owner or processor? In a significant change, the regulation includes requirements for data processors. In the past, only so-called data controllers—organizations with ownership of particular data—were held accountable for privacy and security regulations. These data owners were expected to oversee any data processing partners, but the processors themselves were largely ignored. Now privacy and data protection requirements fall on both parties. Again, if your organization touches personal data in the EU, the GDPR likely applies.

What about Small Companies?

The GDPR is sweeping in terms of the companies and other organizations it will affect. Any organization involved with any EU resident’s personal information had better get informed. In fact, many experts are counseling startups and small businesses to get on board, as the protections required by the GDPR may be easier to establish in the early stages of IT systems and process development.

Even so, the mention of companies “250 or more employees” within parts of the GDPR text has led some smaller entities to ignore the regulation. Most experts say this is a mistake. According to Naked Security , “GDPR requires that any company doing business in the EU—no matter the size—more securely collect, store and use personal information. And like the big guys, smaller companies face fines for violations that may occur.”

Some provisions, such as requirements to employ a data protection officer (DPO), may apply primarily to larger companies, except where an entity is involved in “regular and systematic monitoring” at large scale. If data is a significant part of the business or central to its activities, however—or if there is involvement of such highly sensitive data as health, racial/ethnic, political, biometric, or genetic information—it’s probably best to assume the DPO requirement and other GDPR provisions will apply.

It’s also important to note that companies using cloud providers will not be exempt, so blaming AWS or Microsoft Azure will not qualify as an excuse for GDPR-related shortcomings.

The bottom line, many SMEs along with larger and multinational corporations will need to get a better handle on their data ASAP. In the words of one commentator, “the GDPR protects any and all personal user data across virtually every conceivable online platform.”

Power to the People

The thrust of the GDPR is to put control over one’s own personal data back in the consumer’s hands. The regulations establishes a number of rights, which include:

  • The right to be informed one’s personal data is being collected and processed, notice of which must be provided in clear language
  • The right to demand an organization confirm that it has collected and retains one’s personal information
  • The right to access the information the organization has about the individual
  • The right to correct inaccurate or incomplete information
  • The right for a consumer to demand that their data is deleted if it is no longer necessary for the purpose for which it was collected
  • In certain cases, the right to object to the processing of data
  • The highly publicized and debated “right to be forgotten ”—in other words, to have data erased if the consumer withdraws consent for data collection or objects to some aspect of its collection or processing
  • The right not to be subjected to automated decisions using personal data to evaluate work performance, credit score, conduct, or other types of life-changing judgments.

What Does the GDPR Require?

The foundation of GDPR compliances lies in making the switch from an “opt-out” to an “opt-in” approach to data collection. Organizations will need to ask for permission before collecting data and provide details about how that data will be used, stored, and protected. Even signing up for an email newsletter will need to be accompanied by appropriate permissions and notifications. Companies must:

  • State why personal data is being collected
  • Describe the information being held
  • Detail how long the data will be kept
  • Outline the technical security measures in place

Perhaps the more complicated technical feat will be to keep tabs on data collected once it’s “in the system,” so to speak. When asked by a consumer to retrieve personal information, organizations will need to be able to find it, not simply assure the consumer it’s been lost. When asked to delete personal information, that data will need to be permanently eliminated and cannot be allowed to return, such as through a restore-from-backup procedure.

The complexity may be part of the reason why companies with 250 or more employees will be expected to appoint a data protection officer (DPO) to be held accountable.

Responding to Equifax (before Equifax)—Data Breach Notification Rules

In addition to granting consumers new rights over their personal information, the GDPR also demands that all organizations handling personal data take steps to guard that data against loss, theft, or unauthorized access. What’s more, the regulation stipulates how organizations should behave if a possible security breach should occur.

Specifically, the GDPR states that any breach likely to have resulted in unauthorized data access is to be reported to oversight authorities within 72 hours. If the breach is likely to have individual privacy risk, affected individuals must be informed as well.

Action that has galled the millions of consumers suffering in recent breaches, from Equifax and Yahoo to Uber and others—namely, waiting weeks or months to reveal there was a problem—will no longer fly in the EU come May.

Some Complicated Requirements

Some of the GDPR’s provisions are more difficult to parse. For example, a new data portability requirement promises to allow individuals to transport information from one organization to another. A given company or other entity must provide the personal data in a common, machine-readable format and it’s recommended they assist with the transfer.

Among the questions about this rule are business and technical issues raised by Deloitte . They ask, “What does it mean commercially when your client can ask for a copy of all his personal data and take it to your competitor?” And also, “Are you able to provide an individual with a copy of all his personal data, can your systems handle that?”

Especially organizations collecting or processing large quantities of data or engaging with highly sensitive data, such as genetic information, may want to seek outside counsel to assist with the more difficult elements of GDPR compliance.

 Come down and visit Park Place Technologies at Stand N312 exhibiting at IP EXPO Manchester 2018.