GDPR Countdown; Are You Ready?
Hardly a day goes by without news of some consumer privacy breach in either the physical or digital realm. While a significant percentage of these events are the direct result of attacks from bad actors, there are other problems related to how companies are managing the data associated with consumers today.
On May 25, 2018, however, any company in the European Union (EU) that is not in compliance with the new General Data Protection Regulation (GDPR) is at risk of a fine of up to 20 million euros (or four percent of their company’s global top-line revenue). If that does not catch the attention of the C-suite, and encourage them to begin taking data privacy more seriously, it is likely that nothing ever will. The problem according to an IDC Research survey conducted on behalf of ESET, however, is that 25 percent of companies admitted they were not even aware of the regulations and more than half were unsure of the potential impact. What is perhaps even worse is that 20 percent have not begun preparing for GDPR at all and 60 percent were still getting their systems in line with the new rules.
For millions of digital enterprises in the EU now is the time to ensure they are in compliance. Every digital enterprise, regardless of location, should consider adopting more rigorous protocols when it comes to managing and processing customer data.
GDPR Gives Consumers Control
Unlike initiatives such as the CAN-SPAM Act or Do Not Call registries, the intent of which is to provide consumers with some protection from overly aggressive businesses and marketers, the aim of the GDPR is to provide consumers with a greater amount of control over how their data (from name and email address to other online identifiers such as IP address, or other economic, cultural or health data points) is being protected and what can be done with it.
As most Web professionals are likely aware, companies routinely swap access to personal data for use of their services; the GDPR is essentially just seeking to address how that data is protected, processed and managed.
The threat of not abiding by these new rules is significant for businesses, but adhering to them does not always require dramatic shifts in operations (only subtle ones). And ultimately, they are likely good business practices anyway, whether a company is in the EU or not.
The Business Impact
Those who should be most concerned with the GDPR are what are known as controllers and processors.
A processor is the one doing the processing of data (for example, a provider of social login services), while the controller is the one stating how and why personal data is being processed. Essentially, any organization can be a controller (including for-profit companies, government entities, even non-profit associations). As long as a company is dealing with data belonging to EU residents, including companies located within the U.S. or elsewhere, it is their responsibility to ensure the processor abides by the GDPR.
Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they are dealing with data belonging to EU residents. It is the controller’s responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities.
Once the legislation comes into effect (again, that’s May 2018), controllers must ensure personal data is processed lawfully, transparently and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
The Road to Compliance
Compliance will ultimately rest in great part on how consent is obtained from the consumer.
The GDPR requires consent be an active, affirmative action by the data subject rather than a passive acceptance under existing models like pre-checked boxes. Controllers will need to keep a record of how and when an individual gave their consent and those consumers will need to be able to withdraw their consent when they want. Consumers will also be able to ask for access at “reasonable intervals” according to the GDPR, and controllers will need to respond within one month.
The GDPR also requires that controllers and processors be transparent about how they collect data, what they do with it and how they process it as well as be clear (using plain language) in their explanations. What this means is that consumers now have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for and who gets to see it.
Where possible, data controllers should begin to seek out methods to provide secure, direct access for people to review what information is being stored about them (Facebook, for example, provides a way for its users to download a copy of their data – posts, comments, likes, deletions). Fortunately, many website management systems (be they for e-commerce merchants, service providers, or publishers) currently provide some means for users to at least review their personal information.
Individuals also have the right to demand that their data be deleted if it is no longer necessary for the purpose for which it was collected. This is known as the “right to be forgotten.” Under this rule, they can also demand that their data be erased if they have withdrawn their consent for their data to be collected, or if they object to the way it is being processed. The controller is responsible for telling other organizations (for instance, Google) to delete any links to copies of that data, as well as the copies themselves.
Controllers must now store people’s information in commonly used formats (like CSV files), so that they can move a person’s data to another organization (free of charge) if the person requests it. Controllers must do this within one month – likely requiring an automation process to comply.
In the Event of a Breach
Even with the best intentions, bad things can still happen.
If companies suffer a data breach that puts individuals at risk, it is the responsibility of the company to notify a data protection authority (e.g., the Information Commissioner’s Office – ICO – in the UK) within 72 hours of the organization becoming aware of it.
While it may not be possible to detail every aspect of a breach upon discovering it, enterprises should notify the data protection authority of the nature of the data that has been breached and the approximate number of people affected, as well as detail the potential consequences for those people and what measures have been taken, or which measures the company plans to take in the near future.
Companies should also notify the people affected by the breach, even before informing the data protection authority. If the 72-hour deadline is not met, companies are at risk of being saddled with significant fines (up to €10 million, or two percent of the global annual turnover, whichever is greater).