GDPR is the European regulation that’s making companies, including our US clients, sit up and pay attention. Sadly, it’s become commonplace to hear of companies being hacked and exposing private information. Poor security design, lack of a data usage standard, and limited security update procedures are all rich areas for hackers to identify vulnerabilities and exploit them. With cyber-attacks becoming more commonplace, it’s a step in the right direction to see a group acting to strengthen security.
What is GDPR?
GDPR is the General Data Protection Regulation, a regulation in the European Union regarding data protection and privacy for all individuals in the European Union.
If you’re thinking, “I won’t need to worry about that, I’m not in the area affected”, think again. GDPR addresses the use of personal data outside the European Union by companies that might reside in the US, for example.
Personal data is any information relating to a person who can be identified directly or indirectly. This includes online fingerprints such as IP addresses and cookies if they’re capable of being traced back to the individual. Mind you, there is no clear line drawn between personal data regarding a private individual in their personal, public or work life; all these areas are covered by the GDPR. GDPR protects the user’s data and operates with an understanding that data collection and processing is the very spark that gives life to companies. It also strives to protect data at each step while providing the user with ultimate control over what happens to their information.
What Does This Mean?
The implementation of GDPR, which went into effect on May 25, 2018, means that global companies need to make significant changes to their operational standards to comply. Fines for companies will be substantial as a means to force changes. At a corporate level, that’s never an easy pill to swallow. Depending on the level of violations of record-keeping, security breach notifications, and privacy impact assessments, fines can reach up to ten million Euros. It gets worse. These penalties can be doubled to twenty million Euros for violations related to the legal justification for processing, lack of consent, data subject rights, and cross-border data transfers.
According to the regulations, companies are required to “implement appropriate technical and organizational measures” when it comes to the nature, scope, content, and purpose of handling and processing of personal data. Protection and safeguards for data must be designed directly into products and services from the very beginning stages of development. As a result, companies will be forced to reevaluate their product and service planning process and thus be incredibly mindful of security risks. For the user, this is a definite win/win scenario. However, for companies, it requires deep dive investigations that are often extremely costly.
How Does This Work?
Companies that store or process personal information are considered a controller. Those that store or process personal data on behalf of another organization are considered a processor. In some cases, companies perform both duties, and they are accountable for the safety of said data. It can be a difficult task. Accountability is at the heart of GDPR. Organizations are required to demonstrate that they have analyzed the GDPR’s regulatory rules in accordance with their processing of personal data, and that they have implemented a system that allows for compliance.
A large part of the regulation requires consent to be given by those whose data is being held and/or processed. Consent is defined as “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. We’ve all seen the frequent consent requests that were sent out during the period of May 25, 2018, when this went into effect.
Think about how often information is given freely to social media sites alone, let alone other apps. With the ruling, individuals must be able to withdraw consent at any time and have the right to have their information removed completely. This is much like the Canadian Anti-Spam Legislation (CASL), under which electronic messages (emails, texts) sent by organizations as part of a “commercial activity” require consent from the recipient before being sent. The user must always have the ability to opt out of all types of communications sent by organizations or third-party partners.
With the changes under GDPR, there are six key points, as outlined below.
1) Breach Notification
These notifications will be mandatory and must be completed within 72 hours of first having become aware of the breach. Data processors are also required to notify their customers and the controllers “without undue delay” after first becoming aware of a data breach.
2) Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain confirmation from the data controller as to whether personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
3) Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subject’s rights to “the public interest in the availability of the data” when considering such requests.
4) Data Portability
GDPR introduces data portability – the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly used and machine-readable format’ and have the right to transmit that data to another controller.
5) Privacy by Design
Privacy by design is a concept that has existed for years, but it has only just become a legal requirement with GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the design of systems, rather than as an addition afterwards. More specifically – ‘The controller shall…implement appropriate technical and organizational measures…in an effective way…in order to meet the requirements of this Regulation and protect the rights of data subjects’. Article 23 calls for controllers to hold and process only the data necessary for the completion of their duties (data minimization), as well as limiting access to personal data to those who need it to carry out the processing.
6) Data Protection Officers (DPO)
Currently, controllers are required to notify local DPAs of their data processing activities, which, for multinationals, can be a bureaucratic nightmare, with most Member States having different notification requirements. Under GDPR, it will not be necessary to submit notifications/registrations of data processing activities to each local DPA, nor will it be a requirement to notify/obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead, there will be internal recordkeeping requirements, as further explained below. A DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data, or data relating to criminal convictions and offences.
Importantly, the DPO:
- Must be appointed based on professional qualities and expert knowledge of data protection law and practices
- May be a staff member or an external service provider
- Contact details must be provided to the relevant DPA
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest
This process must be clearly communicated and done with the explicit consent of the data providers. To comply, GDPR promotes pseudonymization, anonymization and encryption.
What Next?
Wasted opportunities are only visible with hindsight. GDPR is an opportunity to show how adaptable companies can be to the real world. It doesn’t have to be viewed as a negative impact on business, but rather as a chance to further connect with users and provide corporate transparency to avoid miscommunication. QA Consultants helps our customers identify gaps in GDPR compliance, possible vulnerabilities, and a process to become compliant. We have the skilled people, software, diagnostic tools, systems, hardware platforms and devices necessary to audit compliance for our customers. We can provide comprehensive reports that demonstrate an organization’s intent to meet these requirements while working closely with your in-house development teams and outside vendors to correct non-accessible web pages and interfaces.
While not yet a requirement for US and Canadian companies only conducting business within our borders, the groundwork has been laid for possible future regulation. While geography-based enforcement protocols can be put in place to limit access to and usage of applications by those under GDPR, that only works to limit the users of a particular application, not to increase its security and usage. By working to adopt sound data security and privacy policies in line with GDPR, US and Canadian companies can embrace this regulation as a manner of communicating with their customers in a positive, proactive light. Further, as more and more agreements require Cyber-Risk insurance policies to be in place, having a sound data security strategy will positively impact such requirements.