After so many years of preparation, the European General Data Protection Regulation (GDPR) will begin enforcement on May 25, 2018, just in time for Brexit. 😉
Unlike the current state of data protection, it is a regulation and not a directive. The difference between the two is that all organizations based in the EU, or doing business with EU companies and citizens, must comply or potentially face legal action. Directives are more like, “meh… you should do this but if you don’t, nothing major will happen.” As such, this issue is much more important now, and with fines ranging up to 4% of annual global turnover or up to €20 Million, this is no longer a “nice to have.”
A Little History
In essence, and according to eugdpr.org, the GDPR “replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”
But what does this really mean, what is the impact on you and your data, and are you affected by this if your business is not in Europe? Let’s go over the main points.
Who does this affect?
The GDPR applies to all companies processing or controlling the personal data of people residing in the European Union, regardless of the company’s location.
So, a few items to clarify:
Personal Data means any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address.
Controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. What??? Let me simplify this by using an example:
- Example 1: A bank (controller) collects the data of its clients when they open an account, but uses Microsoft Azure (processor) to store the data.
- Example 2: An email automation/marketing service (processor) sends marketing offers to your customers from your company’s (controller) email/customer list.
- Example 3: If you use ClicData to store personal data about your clients then you are the controller, and ClicData is the processor. Furthermore, because we use Microsoft Azure, we in turn are also the controller and Microsoft the processor.
European Union means the 500+ million folks living in the 28 countries (440 million and 27 countries once UK exits).
Company’s Location means any company, anywhere: in the EU and outside of the EU! This is one of the biggest changes and the one with the most impact, especially for companies like Amazon, Microsoft, Apple and hundreds of others based in the United States, the central hub for all things cloud and SaaS.
This last point is where things get interesting for most U.S. tech companies, which typically were able to wave a Safe Harbor certificate or some comparable data protection standard such as ISO 27001, and more importantly because data protection regulation in the U.S. is done at a company/state level rather than a federal level.
What Is It Regulating?
It regulates all kinds of things – some very important to the safety of everyone, others which are just there to ensure we don’t forget about keeping up to date. Here are the highlights:
- Privacy by Design: Means that all systems, infrastructures, and programs must first and foremost assume that all Personal Data is private.
- Right to Access: Irrespective of the security around keeping the data private, at any time the subject may request cancellation of data sharing with third parties from the controller, and demand a copy of the data in an electronic format FREE OF CHARGE. This point is huge for the likes of Facebook and LinkedIn!
- Right to be Forgotten: Basically, anyone in the EU can request their personal data be deleted and that all third parties stop processing their data, although there are some conditions around this depending on the relevancy of the data personally and to the public.
- Breach Notification: If a data breach results in, or has the potential to result in, an infringement of the rights and freedoms of subjects/individuals, then mandatory action must be taken within 72 hours of first becoming aware of the breach. Data processors must notify those impacted without undue delay.
How and Who Enforces The GDPR?
To investigate a possible violation, the Data Protection Agency (DPA) of each country can order the controller and the processor to provide any information it requires for the performance of its tasks. The DPA may further request access to all personal data and all information necessary for the performance of its tasks. An investigation itself may consist of data protection audits, and when necessary, the DPA can obtain access to any premises of the controller and processor, including any data processing equipment and means. Where it is foreseeable that a manner of processing will not be compliant with the GDPR, the DPA can issue warnings to a controller or processor.
Interestingly enough, most of the new regulation and the enforcement of the GDPR is still the responsibility of each individual country, so it depends on each country’s performance and approach to the regulation, and that approach is still far from being universally accepted. Considering that each country has a different budget associated with this agency, enforcement may be chaotic.
As an example, I visited all websites of the 28 countries’ DPA agencies, and from those, only ten had the obligatory popup announcing the usage of cookies on their website (and all of them were using tracking cookies of some sort). This includes Germany’s DPA website, one of the biggest proponents of the GDPR.
Who Do You Talk to About Your Personal Data?
The Data Protection Officer or DPO.
As per this source, here is a little background on the DPO.
“…DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences. Importantly, the DPO:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
- May be a staff member or an external service provider
- Contact details must be provided to the relevant DPA
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest.”
Want More Info?
The full set of the regulation can be found here: http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf