Serious legal challenges await organizations as the EU’s future data protection law, GDPR will become enforceable in May 2018. Experts believe that there will be no other law with as much breadth and scope on data protection like GDPR. The law imposes multitude of compliances and obligations on entities failing to protect data of subjects. Entities need to make difficult choices of priorities and prepare themselves for the regulation to avoid damages.
General Data Protection Regulation (GDPR), which was adapted by the European Parliament in April 2016 will enter into full force and protection on 25 May 2018. It is believed that this regulation will be the biggest shake on data protection and ensure greater regulatory and citizen control over personal data. The law imposes multitude of compliances and onerous obligations on businesses and entities regarding protection of personal data. The European Union’s (EU) future data protection law is complex and organizations have some months time left to prepare for its impact.
How Will it Affect an Organization?
The Upside: In the last few years we have seen threat actors using new attack tactics to breach security gateways and getting access to sensitive data. The new data protection law will urge enterprises to prioritize data security and secure data movement with end-to-end layered approaches. Experts believe that for protecting their sensitive data, organizations will revise the existing data protection practices and increase expenditure on data security. Companies need to consider building new systems and data security solutions for data protection to align with GDPR.
An Uphill Task: A recent research from Veritas Technologies reveals that nearly 86% percent of companies will be operating under a fear that non-compliance to GDPR will bring reputational damage and disrupt their business. There are also many companies which will be struggling to understand the data, its location and relevance to business. The report shows that many organizations are not prepared for the new regulation and lack the vision to manage personal data.
Territorial Scope and Jurisdiction: GDPR is comprehensive and committed to protect the personal data of natural citizens. Article 3 speaks about the territorial scope and extends the act to:
- 1.Organizations outside the EU which are processing data in relation to offer goods and services (even for free) to EU subjects.
- 2.Organization storing the EU data or monitoring the behavior of EU subjects.
- 3.Organizations established in the EU, whether storing the data in EU or not.
Moreover, the definitions like ‘offering goods or services,’ and monitoring of behavior’ have been described in detail by the regulation.
Obligations: The act places onerous accountability obligations on organizations to ‘protect the fundamental rights of personal data,’ mentioned in Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU). The regulation asks data controllers:
- 1.to maintain documentation
- 2.Conduct Privacy assessment, to assess kind of data is being monitored
- 3.Implement measures to safeguard data protection.
Article 83 (General conditions for imposing administrative fines) specifies a tiered approach for breach and infringement of regulations. For some data breach violations (international data transfers and conditions for consent), it imposes infringements up to 4% of annual worldwide turnover or EUR 20 million, whichever is greater. Other specified infringements will be liable to a fine of 2% of annual turnover or EUR 10m, whichever is higher.
Data Breach Notification: Data holding organizations must inform the EU data subjects about a data breach within 72 hours of awareness. Organizations need to notify breaches, potential risks, and adopt internal measures for handling breaches.
Appointment of Data Protection Officer: In certain cases, organizations need to appoint (employed or contract) a Data Protection Officer (DPO) with sufficient expert knowledge in the EU as a part of their accountability program. The threshold is:
- Data processing being conducted by a public authority.
- The processing requires tracking and monitoring of subjects.
- The core operations consist of processing of a large and special categories of data.
Conditions for Consent: Organizations must send the ‘Request for Consent’ in a plain language.’ Consent by the EU data subject must be specific, clear, informed and freely given. Explicit consent must be given by the subjects regarding sensitive and confidential pieces of data. The data subjects can object if their data is being used for marketing or other purposes. It must be remembered that the consent is not free consent if the data subject had no free choice of withdrawing it without detriment. Expert believe that this will heavily impact e-commerce services badly.
Codes of Conduct: Article 40 of GDPR talks about fair processing of data and compels organizations to provide transparent information to subjects. Organizations need to restructure their existing notices of fair processing as per new obligations. Organizations should provide the information in a clear and easily accessible format to the EU subjects.
European Data Protection Board: Under Article 68, a European Data Protection Board (the ‘Board’) will be set up with head of one supervisory authority of each Member State and European Data Protection Supervisor. The Board has been given wide-ranging powers to ensure consistent application of the regulation. The Data Protection Agencies (DPA) can issue advice or notice to an organization if it believes that any processing will be of potential risk.
Rights of Customers: GDPR extends the fundamental rights of personal data mentioned in Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU). It provides the following safeguards to customers:
- Right to be forgotten
- Right to data portability across service providers
- right to sue for infringement or breach of law
- Right to rectification of errors, etc.
Preparing for GDPR
Entities need to make difficult choices and have a vision and strategy in place for complying with the strictest data protection law ever passed. Here is a checklist that can help organizations in aligning their internal policies with GDPR.
Strategic Planning: The legal and IT teams should combine their efforts to evaluate the internal measures which need to updated. Organizations should evaluate the kind of data they are holding and prepare a standard privacy impact assessment process. Organizations need to encrypt the existing data flows across the enterprise-wide business systems and processes. Also, efforts must be made to update the existing incident response plan, breach management and reporting procedures in line with the GDPR requirements.
The Data Protection Officer (DPO): A data protection officer must be appointed for the following cases:
- 1.A public authority (except judicial organizations)
- 2.Organization which conducts regular monitoring of individuals on a large scale, health records, criminal convictions, etc.
- 3.An organization that performs large scale processing of special categories of data, i.e., health records, information about criminal convictions, etc.
Experts are estimating that nearly 30000 DPOs will be required in 2018.
Create Awareness: Entities must create awareness within the organization about the new requirements of data protection law. Organizations should highlight the areas which could pose serious legal challenges and expose them to risks. The awareness campaigns should educate employees on:
- 1.Privacy & Design
- 2.Risks to Data
- 3.Legal Aftermath
- 4.Rights of the Customer
- 5.Data Governance, etc.
Type of Business Data You Share: Entities should make a report of the personal data their business systems hold. Organizations should conduct information audits across the core business areas and maintain a report of data processing operations. In simple and clear ways, an organization must be able to demonstrate that how it meets the requirement of GDPR.
Examine Threats: Study different models similar to your business which were exposed to data breaches previously. This will give you a clear picture that how your organization is positioned to deal with similar threats. Prepare a mechanism to report data breaches within 72 hours of discovery.
Establish Triggers to Obtain Consent: Prepare a comprehensive notice which adheres to GDPR regulations for obtaining consent for gathering personal data. The request for consent form should be in plain and simple language and specify how the data will be used. It should also specify that an individual can complain to authority if he believes that request for consent is coercive or inappropriate.
More importantly, the consent must be freely given, specific, informed and clear. It cannot be presumed from silence, pre-ticked boxes or inactivity. You must enable simple ways to enable subjects in withdrawing consent. Companies need to alter their consent mechanism if it is not verifiable, granular, clear, prominent, documented and easily withdrawn.
GDPR carries some provisions specifically for children and underage subject. For children under 16, the guardian’s (person with parental responsibility) verified consent must be available to process data lawfully. The language should clearly convey the message to underage subjects that the service requires verified consent from parents.
Organizations Operating in More than One EU Member State: Organizations with more than one establishment in EU state and involved in cross-border data processing should document their lead data protection supervisory authority. The lead authority is nothing but the supervisory authority where the main establishment is located. This will help authorities in determining your ‘main establishment’ and lead supervisory authority.
Data Life-cycle Governance: Companies need to have a standard data governance framework for adhering to GDPR requirements. The systems must provide a clear view of how personal data is being captured and monitored across different systems. Information solution experts recommend:
- A centralized view for global governance of personal data during the electronic data interchange (EDI) operations.
- workflow capabilities for classifying and defining personal data.
- End-to-end tracking and monitoring of personal data across the IT architecture.
- Secured workflows and configurations for data sharing.
Our global team of B2B integration experts are vastly experienced in data protection and consulted by leading brands across the globe. Contact our experts, to build a robust data governance & connectivity framework which determines how data flows safely between different systems & processes.