Ask Anything About: GDPR

It can be difficult to keep up with every new term or technology available today. Instead of nodding along in agreement, however, it is important to ask questions that will truly help you understand what is being discussed - even if those questions are simplistic in nature.

For this reason, Website Magazine launched its "Ask Anything About" series (inspired by Reddit's popular Ask Me Anything threads) to pair some basic question about a topic with an expert who could answer them in greater detail.

Our first expert for "Ask Anything About: General Data Protection Regulation", or GDPR, is David Thomas who is the founder & CEO of Evident ID, Inc. He is an accomplished cybersecurity entrepreneur, having held key leadership roles at market-pioneers Motorola, AirDefense, VeriSign and SecureIT.




In basic terms, what is general data protection regulation (GDPR)?


David Thomas, Founder & CEO of Evident ID, Inc:


The General Data Protection Regulation (GDPR) is an European Union (EU) edict designed to improve the overall standard for data privacy while synchronizing data privacy laws across Europe. It will change how a wide range of  businesses handle, hold, store and protect personal information.



When is the deadline, and what needs to happen before that deadline to meet compliance?


Thomas: It's official and inflexible enforcement date is May 25, 2018, a mere four months away.


The new rules apply to all companies residing in any of the EU's 28 member states as well as companies based outside of the member states that process and store personal data of those in the EU. Additionally, the regulation takes a wide view of what constitutes personal identification data - ranging from social media posts to an individual IP address.


Several requirements will challenge your security team, but we wanted to highlight three important components that could require major operational overhauls:


1. Stronger consent conditions

Companies are allowed to store and process personal data for a specific use case only when an individual consents. According to the EU's GDPR website, the request for consent "must be given in an intelligible and easily accessible form." And once a company is permissioned to use an individuals data it must only be used for the purpose as defined when the initial consent was given, and if the person no longer wishes to engage with the company for the initial intended purpose, their personal data must be removed from the appropriate systems.


2. Mandatory breach notification

As stated on the EU's GDPR website, companies must report a data breach to supervisory authorities of each EU country within 72 hours of when said breach was detected. Individuals affected also must receive notification "without undue delay."



3. Privacy by design

Businesses are now legally obligated to build data protection into information management systems from the outset rather than treat security as an addition. Patchwork fixes will no longer cut it.



Do U.S.-based businesses need to worry about GDPR?


Thomas: While GDPR pertains to personal data of those in the EU, U.S.-based businesses may also find that they need to comply with GDPR if they are processing personal data of those in the EU or plan to do so in the future.  GDPR is not dictated by where a business resides, but rather by whether or not the data being processed is that of a data subject in the EU.  This can pertain to customers, employees, contractors, etc.  



What types of customer information is included in GDPR?


Thomas: GDPR was designed to focus on personal data. Personal data is defined as any information relating to an identified or identifiable individual (known as a "data subject" under GDPR). This can include a name, identification number, physical address, email address, location data, online identifier, credit card number or health information. While a finite list isn't provided, something can be considered personal data if one or more factors can be linked to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.



Does GDPR mean companies should stop using customer data to personalize experiences?


Thomas: The intent with GDPR is not to limit the personalized experiences that a company is able to offer, but rather that the "data subject" is able to have more visibility and control about where and how their data is used. 

The critical step for a company who is looking to offer personalized experiences based on someone's personal data is to explicitly outline how the data provided will be used. In addition, they need to allow the "data subject" to both modify and revoke their data for that use.



With GDPR in mind, what should companies be looking for in their technology platforms?


Thomas: Privacy, transparency and security are three of the top considerations when determining how to implement the new requirements. The processes and technology that is put in place needs to be considered "data protection by design and by default".  This means that companies should look to achieve the following with their technology platforms:


  1. Only require the collection of personal data which are necessary for each specific purpose identified
  2. Minimize the processing of personal data
  3. Pseudonymize personal data
  4. Provide transparency with regard to the way personal data is processed
  5. Enable the data subject to monitor the data processing
  6. Enable the controller to create and improve security features, including access controls, encryption, and other data protection measures



How are you involved with GDPR?


Thomas: Evident provides a simple, secure platform that lets businesses confidently know who they are dealing with without handling sensitive personal data. With connections to thousands of authoritative sources through a single API, Evident is the only platform that enables comprehensive, accurate and up to date identity and credential verification. Our unique distributed data model, protected with end-to-end cryptography, readily adjusts to meet growing business and security requirements. With rigorous access controls and user consent processes, we minimize risk and help businesses comply with increasingly strict data regulations like GDPR.



What are the benefits of GDPR for organizations?


Thomas: GDPR will be essential for companies that require the collection of personal data of those in the EU. While the new requirements may add additional processes and work for an organization, they will assist a company in reducing its exposure to data breaches and other liabilities. Overall, it will make an organization more aware of its data practices and potential shortcomings that need to be addressed.  In addition, GDPR should bring more consumer confidence. Today "78 percent of consumers think it is hard to trust companies when it comes to the use of their personal data." This tends to cause misrepresented data to be provided or simply abandonment of engagement all together. The implementation of these standardized regulations should provide peace of mind to individuals that their data is being utilized properly and is being protected, allowing engagement to increase.



What are the risks of GDPR for organizations?


Thomas: Non-compliance of GDPR brings with it a harsh penalty.  A company that fails to comply with GDPR can face up to 20 million Euros or four percent of total global annual turnover, whichever is greater. These fines will be issued by the EU supervisory authority and will be calculated on the type of obligation that has been breached, the seriousness of that breach, its effect on individuals and the behavior of the company. It is critical that organization take the proper steps to comply or risk potential significant damage to business.



What question would you have asked?


  • Why was GDPR created?
  • The scale of the collection and sharing of personal data between public and private actors across the Union has significantly increased since Directive 95/46/EC was put in place. Rapid technological developments and globalization have brought new challenges for the protection of personal data. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Therefore, these regulations were designed to protect the data subject and provide a standard way to address some of the most critical privacy issues.



Our second expert for "Ask Anything About: General Data Protection Regulation", or GDPR, is Pieterjan Bouten, CEO of Showpad, a sales enablement platform. Let's get started!


In basic terms, what is general data protection regulation (GDPR)?


avatar-pj-(1)Pieterjan Bouten, Showpad: GDPR is the EU General Data Protection Regulation. This regulation centers around the privacy of individuals and the protection of their personal data, requiring businesses to be more transparent on the way personal data is processed, to better protect the personal data of their customers, and to better safeguard the rights of each individual towards his personal data. The primary purpose is to give people more control over their personal data and the extent to which it is processed, a move meant to address the changes in the digital landscape as technology has become more prominent in everyday business interactions. Similar privacy legislation has been in place in the EU since 1995, but with the current GDPR, legislation is becoming more strict and its scope is expanding to include non-EU business (including US businesses) that interact with EU data subjects.



When is the deadline, and what needs to happen before that deadline to meet compliance?


Bouten:The deadline for GDPR compliance is May 25, 2018. To ensure compliance, companies need to assess and think about the full scope of their data. This means doing a complete audit and determining what personal data they currently process, what personal data they need and how they will process it and for how long, as well as potentially re-thinking their organizational set-up. It's important to determine the current state of one's personal data usage and figure out what information is essential to your business, as well as strategies for making the most out of the processing of personal data in a GDPR compliant way.



Do U.S.-based businesses need to worry about GDPR?


Bouten: Yes. Any company that has a Web presence or is marketed in the EU, or that is monitoring behavior of an individual in the EU, will be impacted by this regulation, even if they are U.S.-based. Beyond this, data privacy is becoming more and more of a concern for customers across the world. Whether or not a company will be impacted by this specific regulation as of May 2018, it's essential for organizations to prepare for a world in which this is a universal rule whether stated officially or by customer demands. The better they are able to show timely compliance with GDPR standards, the more prepared businesses will be to meet the inevitably escalating demands of customers as they become more aware of the scope in which their data is being processed.



What types of personal data is included in GDPR?


Bouten: Personal data regulated by GDPR includes any information that can directly or indirectly identify a "data subject" (which is generally defined as any individual residing in the EU). It can be anything from a name, birth date, a photo, an email address, bank details, posts on social networking websites, medical information, geographic data, physical appearance, genetic makeup and cultural or social identity. Basically any information that, by itself or in conjunction with other information, can identify a specific individual is covered under this regulation.



Does GDPR mean companies should stop using customer data to personalize experiences?


Bouten: Not at all. It just means that they need to think more deeply about how they process the personal data they possess. Personalization is still a top strategy for marketers and sellers, and GDPR shouldn't be the cause for them to abandon these tactics. Though, some people might choose to be less forthcoming with providing their personal data, so the personal data that companies do process will have to be processed more wisely in a way that the customer will find most valuable. Companies will also have to be mindful of being transparent enough and not being "creepy" about how and which personal data they process, and know when to use it for personalization or process improvement.



With GDPR in mind, what should companies be looking for in their technology platforms?


Bouten: Companies need to make sure that their technology platforms are designed using the principles of "privacy by design" and "privacy by default" as well as taking into account relevant data security principles  as foundational elements. Since GDPR aims to give individuals more control about how their personal data is processed, companies have to understand that this is a shift in mindset, and is going to be a defining feature of how software is going to be designed in the future.



What is Showpad doing about GDPR?


Bouten: Showpad was initially designed with privacy in mind. We've always had the privacy and security of our users and their personal data as key priorities, and we're "ahead of the curve" when it comes to GDPR (e.g. Showpad's principle hosting infrastructure is located within the EU at a first-class world-renowned hosting partner). 


However, in close conjunction with the Showpad data privacy officer, we are rolling out several key changes to our product to make sure we stay at the forefront of this shift, which focus on empowering our users and provide them with more transparency to understand how their personal data is processed.


Our product will feature extended privacy settings allowing our customers to adjust privacy settings to what they require, seek both our users' and their prospects' informed consent before we track interactions with content shared through the Showpad product (e.g., providing them with high level information about the type of processing and easy access to the respective privacy policy before confirming consent in a compliant manner), as well as enabling the individuals whose personal data is processed to exercise their rights.


We've also added features that let users opt out of cookie tracking capabilities, along with a feature that anonymizes data for entire user groups.


Also thanks to the effort of our data protection officer and information security team, our internal organization will remain a first-class organization when processing personal data as well as when dealing with its suppliers.



What are the benefits of GDPR for organizations?


Bouten: The benefits of GDPR for organizations are twofold. First, at a simple level, organizations that embrace GDPR and implement it throughout their organization, even U.S.-based businesses, are seen as more user friendly and more trustworthy from the consumer side. That has many benefits.

Second, GDPR is a way for the EU to give businesses simple and clear rules for the processing of personal data. The regulation will make processes standardized throughout the EU to avoid claims of misunderstanding and reduce confusion for companies that operate in multiple geographies.



What are the risks of GDPR for organizations?


Bouten: One of the biggest risks for organizations when it comes to the upcoming GDPR is the time and money it may take to comply. Updating IT infrastructure is typically a challenging process, and while the May 2018 deadline still seems far away, that date will come much quicker than expected. Companies have to make sure their systems are updated in time, and that their capital and labor investments are utilized correctly and not wasted, otherwise they may face fines and even more investment decisions.