Bracing for the immediate impact of the GDPR
The one certainty with the EU’s new General Data Protection Regulation that takes effect this week is that it is complicated.
It seemed like there was plenty of time to prepare for compliance when the GDPR was adopted in April 2016, but numerous studies since have shown that many organizations simply aren’t prepared for the new data management and privacy mandate.
For those that aren’t, here are some elements of the GDPR that you need to be immediately aware of.
The goal of GDPR is to strengthen and harmonize data protection for all citizens in the European Union. Data-containing devices have become more ubiquitous, so the GDPR updated the EU law to reflect these changes. Many parts of the GDPR are not necessarily new but are strengthened and unified throughout the EU.
GDPR replaces the European Data Protection Directive 95/46/EC, which was adopted in 1995 and had to be transposed into national law by 1998. In 1995 smartphones didn’t exist and the internet was still relatively new. The world has since seen a revolution in technology reliant on backend data centers. With all this change, GDPR is an attempt to update these regulations to reflect the state of technology today.
GDPR will be enforced as a regulation
Understanding the difference between a directive and a regulation is important. A directive establishes a goal to be achieved but gives member states broad flexibility in how to achieve it, through their own national legislation.
A regulation is immediately applicable and enforceable by law in all EU member states, without national implementing legislation, and is more prescriptive about how compliance is to be achieved.
No business will be excluded from this regulation
GDPR applies to organizations with an establishment in the EU. However, GDPR will also apply to organizations established outside the EU if they:
- Offer products and services in Europe.
- Process personal data from Europe.
- Monitor the behavior of people in Europe.
Out of these three categories, the processing of personal data is the least straightforward. The definition of personal data is broader under GDPR, and the rights of individuals are strengthened. GDPR defines personal data as any information relating to an identified or identifiable natural person. This includes basic details such as name, email address or phone number, but also elements such as location, gender, age and IP address, any of which can identify a person directly or in combination with other data.
Even if you have data that isn’t directly linked to an identity, it may still be considered “personal data” under GDPR. In addition, sensitive categories, such as health data, require special treatment.
Penalties for non-compliance will be severe
The most concerning risk of non-compliance is the substantial fines. A lower-tier infringement can result in fines of up to 10 million euros or two percent of the organization’s worldwide annual turnover, whichever is higher. Even for the lower tier, that is a great deal of liability. Upper-tier fines can reach 20 million euros or four percent of worldwide annual turnover, again whichever is higher. This is a huge amount of liability for a company and is the reason many are expending resources to become compliant.
Additional risks will include reputational damage and loss of trust with partners and clients.
The risks are significant, and as such attention is being given to this new regulation. The best chance of lowering your exposure, even where you are not yet fully compliant, is to be able to show that you have a documented process in place and are taking preventative measures.
In regards to IT asset disposition, you can update (or create) your ITAD policy to incorporate these measures as a way of documenting your process in place.
Sixty percent of U.S. companies expect to spend $1-10 million to meet GDPR requirements. While this is a significant expense, it is small relative to the cost of potential fines and reputation erosion of a breach.
This regulation is focused on improving data management
Implied vs. explicit consent
In the past, companies have used pre-selected check boxes, with consent being the default. Moving forward, the user has to take an action, such as ticking a box, before consent can be given; pre-ticked boxes and inactivity do not count.
Implied consent is consent bundled into other terms or inferred from a user’s silence, and it does not meet the GDPR standard. Under GDPR, consent must be freely given, specific, informed and unambiguous, and must indicate the data subject’s wishes by a statement or by a clear affirmative action signifying agreement to the processing of personal data relating to them.
Explicit consent, which GDPR requires for sensitive categories such as health data, is obtained in a manner that leaves no room for misinterpretation: permission must be provided in a clear statement, either written or spoken. Companies will no longer be able to bury consent in long, unintelligible terms. Conditions must be easily accessible, with the purpose of the data processing attached to that consent. In addition, withdrawing consent must be as easy as giving it.
The “Right to be forgotten”
The “Right to be Forgotten” made headlines in 2014 when the EU’s Court of Justice ruled that a citizen of Spain could require Google to delist search results linking to his personal information. GDPR extends this right much further, requiring companies to erase even non-publicly shared data under a variety of circumstances, one being when the data subject asks to be “forgotten.”
If a data subject gives a business consent to use their data for email marketing purposes, but later no longer wants to receive the emails or be part of the database, the company is required to remove their data from the database entirely, subject only to the regulation’s limited exceptions, such as data that must be retained to meet a legal obligation.
Data management infrastructures
GDPR will be a good opportunity for businesses to improve their current data management infrastructure. Every company needs a plan that maps its data processes and data handling procedures. Those procedures must:
- Identify gaps.
- Outline actions to close gaps.
- Prioritize actions based on risk.
It will be very important to have clear procedures in place so that in the event of a breach you are prepared to communicate effectively and meet the regulation’s notification deadline: the supervisory authority must be notified within 72 hours of becoming aware of a breach.
IT asset disposition (ITAD) companies will be involved in GDPR compliance when it comes to data eradication. The disposal of IT and electronic equipment is only one piece of the puzzle, but it is equally important as the rest: a retired drive that still holds personal data is a breach waiting to happen.
No matter where your business is located you should consider the following regarding your ITAD program:
- Conducting a risk assessment on all stored data – Review your current disposition program and determine if there are any potential security gaps.
- Documenting the process – Include the ITAD process in your privacy impact assessments.
- Auditing your ITAD vendor – Make sure the vendor you are working with has processes in place that will ensure security throughout the disposition process, as well as your compliance with GDPR.
For a global company you need a seamless end-to-end solution to manage your data, the value of your assets, and the regulations that apply to you, of which GDPR is only the latest. Australia has also passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, introduced as a 2016 bill, which requires organizations to notify affected Australian individuals and the regulator when their personal data is inappropriately accessed.
Managing data stored on retired IT assets will only be one part of GDPR, and statistics show three out of four companies are unprepared at this time. Awareness is a start, now it is time to take some action.