GDPR Facts & Challenges

Let’s list some GDPR facts and challenges:

  • GDPR becomes enforceable on 25 May 2018, so realistically most organizations will be engaged with compliance work through the end of 2018
  • Recent cyber incidents in the US have made Europe deeply suspicious of US privacy protections and cyber reliability
  • GDPR is, put simply, a data privacy compliance regime that forces other countries to align with European rules. Cyberspace was dominated by the US in the past, and compliance requirements were likewise driven largely by US-based regulations, but that has changed in recent years
  • No existing initiative or certification delivers GDPR compliance by itself; however, every step already accomplished makes the whole process smoother, cheaper, and easier to implement and enforce gradually
  • The regulation is about “structured data running through the enterprise”: the flow of data and how it is organized
  • It requires extensive record keeping to enable “proof of compliance”: companies must maintain records of their processing activities involving personal data
  • GDPR expects privacy measures to be embedded into corporate policies and into the everyday activities that involve personal data
  • You must document privacy measures and keep records of compliance
  • Train employees on privacy and data protection, regularly test and audit your privacy measures, and use the results to improve policies and controls
  • Every individual is treated like a customer. Individuals can, for example, request that a business provide their data in a structured, commonly used and machine-readable format and transmit it to another controller (the “right to data portability”), or have their information deleted (the “right to be forgotten”, formally the right to erasure). The result is a much stricter set of rules, known as “privacy by design and by default”: consent, notification of data breaches, and mandatory data protection impact assessments for high-risk processing
  • Technology will not solve the problem on its own. It is primarily about understanding what the business needs to do, followed by many changes in processes; technology comes last, to enforce and support the system
  • Migrating to cloud computing may ease compliance, but it will not necessarily improve internal workflows. So even if your company is already a cloud entity or ready to become one, do not rely too much on what cloud vendors claim
  • Relying on the US Privacy Shield as a final solution is not an option. Privacy Shield only covers the transfer of data across the Atlantic. The US negotiated the EU-US Privacy Shield agreement with EU regulators, enabling more than 2,000 US companies to transfer the personal data of EU residents to the US for processing without breaching fundamental European privacy rights. But in January 2017, President Donald Trump signed an executive order directing federal agencies to exclude non-US persons from Privacy Act protections, which raised doubts in Europe about whether Privacy Shield’s guarantees still hold
  • Complying with standards is good practice, but complying with regulations is mandatory. GDPR is not a “nice to have”; it is mandatory if you seek business in Europe
  • Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is greater, for breaching GDPR
  • GDPR is one of the strongest competitive factors in business. It acts like a metric: it drops companies off the shortlist, or makes one the only qualified candidate to negotiate a deal
  • GDPR compliance is a journey, and it is better started sooner if you want to conduct business with Europe

EU GDPR And Businesses

New European Union General Data Protection Regulation affects most US businesses

EU GDPR will be enforced from 25 May 2018, after a two-year post-adoption transition period. This raises concerns about how US businesses might be affected. What follows is a brief evaluation of the main aspects of this regulation in terms of trade with EU member countries and its potential impact on business processes. GDPR will be a new challenge for business owners in the United States and, in fact, across the entire (cyber) world.

GDPR applies to all companies, regardless of their physical location, that process or hold the personal data of individuals in the European Union (data subjects), where that processing relates to offering them goods or services or monitoring their behaviour.

Global perspective: what others are doing about GDPR?

It is good to know what others are doing about GDPR. Some data from surveys collected in November 2017 gives us an understanding of what is happening in other companies around the world:

  • 50% do not know about the impact of GDPR on their business
  • 9% of US firms say they have allocated more than $10 million for GDPR compliance
  • 77% budgeted at least $1 million to comply with the regulations
  • 83% of US privacy professionals expect GDPR spending to be in the six figures
  • 61% of US companies have not yet begun implementing a compliance program

Which departments are affected, and is it only IT staff that should be worried about GDPR?

Article 3 of the GDPR (territorial scope) says that if you collect personal data or behavioral information from someone located in an EU country, in connection with offering goods or services or monitoring their behaviour, you are subject to GDPR requirements even if you have no establishment in the EU.

Depending on your products (goods or services) and business model, practically all departments of a company are affected by this regulation. At a minimum this includes, but is not limited to, Marketing and Sales, where the first contact with an EU entity is initiated. Every single marketing email or sales event has the potential to gather information about individuals in the EU. Any communication with EU member countries, whether by phone, email or website, ends up storing personal information in some form and falls within the GDPR boundary. The outermost layers of a business are the first nodes affected.

In order to identify the scope of your compliance journey, or to establish that you are not affected at all, you need to review your business workflow in depth. That is a systematic approach, rather than blindly jumping into the middle of the battle on the technical side only. Today’s businesses rely more and more on technology, and mainly on software, but that does not mean you need to start with your tech departments (IT engineering, software development, webmasters and so on). The very first step is to know your workflow. If you already have this piece, you are well ahead of others.

Do you need help implementing GDPR? Do you need a gap analysis?

The answer can easily be determined through a gap analysis, but first evaluate the level of knowledge in your organization regarding regulations in general and GDPR in particular. Chances are there is a tech-savvy person with a basic understanding of the subject; otherwise you will have to seek external consultation to perform the initial analysis and write an implementation plan.

For the implementation itself, it really depends on the result of the analysis. If systems and workflows are clearly documented, implementation is a matter of connecting the dots from system to technology. You may need help choosing the technology, but that is not a big deal as long as you can define the problem and know exactly what is missing.

Without a clear understanding and documented systems and workflows, starting right off the bat with data mapping will be tedious, and depending on company size it will require extra help.

Some generic actions are described below.

GDPR: Primary Actions

GDPR: start from scratch with these primary steps

The following steps can help identify where you are in the GDPR compliance journey. Consider this a quick self-audit ahead of a more comprehensive gap analysis of your current situation:

  • Role identification: identify whether you are a data controller, a data processor, or both.
  • Identify all data collection and processing systems and workflows, knowing where the data came from, every entity it has been shared with, and every location where it is stored.
  • Conduct a full audit of how you currently process customers’ personal data (e.g. financial information, marketing records). This can be labor intensive and time-consuming, but it is unavoidable.
  • Determine whether you need to appoint a Data Protection Officer, and designate a contact who will cooperate with the relevant GDPR supervisory authority.
  • Develop consent and disclosure forms covering all intended uses of the data.
  • Ensure you have policies to notify affected individuals of breaches involving their personal data (and the supervisory authority, normally within 72 hours of becoming aware of the breach).
  • Revise your privacy policy and privacy practices to meet GDPR requirements.
  • Awareness: make sure business associates and subcontractors are aware of their requirements under GDPR.
  • Review your data retention policies. GDPR does not set a fixed maximum retention period, but personal data may only be kept for as long as necessary for the purpose for which it was collected; once that purpose is achieved, the data must be deleted or anonymized.
  • Other initiatives: leverage your other regulatory initiatives or existing privacy and security programs.
  • Consider using Privacy Shield if cross-border data transfer to the US is required; you may need to start participating in this program.

The first challenge is to identify your role under GDPR: data controller, data processor, or perhaps both. This changes many things going forward, because the obligations differ and each role has its own set of requirements. As mentioned several times above, know your workflow so you can locate where data resides within systems and processes. This will be the biggest audit of your organization. Even if you later conclude that GDPR does not apply to you, the value of this journey will benefit your business permanently.

GDPR In A Glance

A Summary of New European Union General Data Protection Regulation

The purpose of this legislation is to protect the personal data of individuals in the EU, including how that data is collected, stored, processed and used, and destroyed once it is no longer needed.

The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.

EUGDPR.ORG

The main purpose of the regulation is to give individuals enough power to choose how their personal information is kept, processed or discarded.

GDPR defines personal data as “any information relating to an identified or identifiable natural person”, including names, addresses, telephone numbers, email addresses, credit card details, financial information, medical information, posts on social media websites, biometric and genetic data, location data, an individual’s IP address and other online identifiers.

The rights afforded to data subjects and the major GDPR requirements include:

  • Data is only collected when there is a lawful basis for doing so
  • Obtaining valid consent before personal data is collected, stored, or processed, where consent is the lawful basis relied upon
  • Implementing controls to ensure the confidentiality of data is safeguarded
  • Training employees on the correct handling of personal data
  • Ensuring the individual’s right to be forgotten can be honored, and that it is possible to permanently erase all collected data when that right applies
  • Ensuring individuals are informed about how their information will be collected and used, similar to the Notice of Privacy Practices required by HIPAA
  • Making sure data transfers across borders occur in accordance with GDPR rules
  • Putting data breach notification policies in place to ensure affected individuals are notified of a breach of their personal data
  • Appointing a Data Protection Officer where required

History

The European Union’s parliament approved the GDPR in April 2016; it entered into force in May 2016, and the two-year transition period ends on 25 May 2018.

GDPR applies to all companies, regardless of their physical location, that process or hold the personal data of data subjects (individuals) residing in the European Union member countries.

GDPR is a risk-based framework focused on personal data, a notion broader than the US concept of PII (personally identifiable information): anything from name, gender and address to bank account details, and even the sales and marketing records normally collected during the course of any typical business interaction.

What is the potential loss of non-compliance?

Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is greater, for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, for example processing data without a valid lawful basis (such as sufficient customer consent) or violating the core principles of Privacy by Design.

The cost of GDPR non-compliance is high, but what about more positive incentives to be compliant?

The details of how the EU is going to enforce GDPR, and how non-compliant businesses are going to be proactively identified, are not clear yet, but the consensus is that any company around the world with a web presence that markets its products over the web will have some homework to do.

Does your firm need to become GDPR compliant? Not necessarily, if there is zero business relation with the EU, but that is very unlikely for most businesses, even in the USA.

References

EU member countries

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Republic of Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • UK

For details refer to official publications:

Regulation (EU) 2016/679 (General Data Protection Regulation)

GDPR glossary of terms