In about 10 weeks (on May 25, to be exact), General Data Protection Regulation (GDPR) goes into effect not only across European Union member countries, but anywhere personal data originating in any of these countries is stored, processed, or retained. This is important. STORED, PROCESSED or RETAINED.
(Quick aside: The phrase "personal data" is defined as "any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier, and includes an obviously broad array of information from government-issued ID information to IP addresses. While you may think this has little relevance to North American-based businesses, it's an important and timely subject to have at least some understanding of so that you can prepare your enterprise for what's potentially a very costly series of mistakes. The GDPR's reach goes far beyond residents of EU countries (both before and after Brexit), and at least a working knowledge of what's required may help enterprises avoid both unnecessary aggravation and deal-breaking expenses, in the form of massive fines, down the road for non-compliance. Read on.)
Background Basics
First, a little historical perspective. The GDPR became EU law in May 2016, with parties in all countries required to implement the requirements by no later than May 25, 2018. The new law is the successor to the EU's Data Protection Directive of 1995, which had been designed to regulate the processing of personal data within the EU. The need for revised processes and rules can't be understated given the huge changes in Internet access and Web applications, as well as the sheer volume of personal data stored, processed, or retained (seeing a pattern here?) online in the ensuing years.
The underlying tenet of the new rules is that personal data belongs to the person and that third parties are obligated to respect that ownership. It's also important to understand that privacy is generally considered a human right in most of the EU, which creates a much higher standard than exists in North America and many other places in the world. As a consequence of the convergence of all of these distinct but related elements, the EU created and adopted the GDPR. And it's about to be enforced.
What Are Your Risks?
As with many pieces of legislation, affected parties need to understand their respective levels of risk, which will continue to evolve. Enterprises whose customers and operations are solely based in North America are at the lowest levels of risk, while those with more global presences in terms of both customers and operations have the greatest amount of exposure, particularly those that sell and provide services to EU citizens and individuals who participate in transactions in the EU. It's important to remember that the GDPR rules address personal data, so the focus is on the protection afforded to the individual, not the entity.
A variety of well-respected international sources have gone to great lengths to make clear that taking a "wait and see" approach to implementing safeguards is, in the kindest possible terms, ill-advised. Those in the medium-risk category should take an initial step of performing a gap analysis not only to identify vulnerabilities, but also to be prepared to address them with the resources necessary. Entities that are at high risk should, by now, recognize the risks and be taking steps to mitigate them. Yesterday.
Why? Because the fines for non-compliance are potentially draconian. Failure to comply can cost up to 4% of global revenue (that's not revenue in the location where the violation occurred, but GLOBALLY) or 20,000,000 euro, whichever is GREATER. Fines like this can cripple -- if not annihilate -- an otherwise robust entity. Got your attention now?
Where to Start
The first steps, of course, are to identify the issues and risks. Let's start with the most obvious:
- Whose data is being handled?
- What type of data is involved?
- When was it obtained?
- Where is it being processed?
- Why is it being processed?
The next steps revolve around what sort of entity is doing the processing. If third parties are doing the processing, which is -- or will often be -- the case:
- Are they using state-of-the-art equipment, software, and methods?
- Where does the processing occur?
- Do the same levels of attention that apply to the security and sanctity of customer data in the primary operations exist in back-up operations as well?
Particularly in the third-party model, each provider must determine whether, and to what extent, it's a "data controller" or a "data processor."
The data controller is the person (or entity) who determines the purposes for which -- and the ways in which -- personal data is processed. The controller must be subjected to rigorous oversight from the entity on whose behalf it is controlling data, at least in part because the penalties for non-compliance are so severe that an entity opting to use a third party must know what's going on. The data processor is the entity that processes personal data on behalf of the data controller (excluding the data controller's own employees). For the first time, both processors and controllers have defined legal obligations covering their work and record keeping under Article 28 and Article 30 of the GDPR; the processor must guarantee compliance.
A working knowledge of these rules matters because of the inherent liability associated with each type of work.
One final point. From a process perspective, some entities, by the nature of what they do, will have greater exposure to risk than others. Regardless of risk level, it's imperative to understand that GDPR requires that all data processes must be identical across the board, including among different segments of a multinational entity. This is both costly and burdensome, but an entity's acceptance, acknowledgment, and performance of these metrics will mark the difference between its success or failure.
Related posts: