Unless you have been living under a rock –a big one– you know user privacy has become the key issue of our tie. But in spite of scandals like the Equifax data breach of 2017 and Cambridge Analytica this year, American regulators have largely dismissed their user’s privacy concerns.
European regulators, however, are another story. Luckily they took this issue very seriously and have taken steps that directly affect US-based IT managers and how they deal with European citizens’ data.
The General Data Protection Regulation
The step we are talking about here is Regulation 2016/679 of the European Parliament, AKA the General Data Protection Regulation (GDPR).
Its goal? To protect the personal data and privacy of individuals within the European Union (EU), in addition to the export of personal data outside this region.
Additionally, it replaces the Data Protection Directive (DPD) of 1995 and directly binds EU members without having to pass new legislation, since it’s a regulation rather than a directive.
Adopted on April of 2016, it won't become enforceable until May 25 this year (2018). This means you need to get ready. Now. What is the impact of GDPR for IT managers you may ask?
Well, let’s first see what could happen if an organization doesn’t comply with GDPR.
Enhanced Sanctions for non-compliance
Article 83 of the GDPR describes the sanctions for organizations in the EU that violate its terms. These sanctions include a written warning for first and unintentional offenses as determined by regular audits.
Repeated intentional offenses carry a maximum fine of 20 million Euros or 4% of the organization’s annual worldwide turnover for the previous financial year, whichever is greater.
Some of the possible violations to GDPR are the insecure transfer of personal data to a recipient outside the EU, lack of consent and disclosure of personal data gathering and utilization, or the failure to provide users the proper tools to execute their rights over personal data (e.g. a deletion or data portability request).
Now, what about the way the organization handle this data?
Stricter Rules on Collection Consent and Data Reuse
Consent to collect personal data must be specific to the data being collected and purposes for which it is being collected. Consent to use data on a child must be obtained from the child’s parent or custodian and verified in writing. The most crucial aspect of this point? Users can remove their consent at any time.
This requirement means that, for example, the standard “calls are recorded for training and security purposes” warning will no longer be sufficient to obtain consent to record a call.
This applies to any process in which there is a personal data exchange between a user and a provider, including cookies, mailing lists, newsletter subscriptions, and in-application requests. 'Less is more' will become the standard, since GDPR asks companies to collect only what's necessary and justify it with a reason valid according to Article 6 of the legislation.
Enhanced Individual Rights Over Their Personal Data
One of GDPR's greatest focus is to empower users with new rights and tools that allow them to have a say over their data's usage.
The legislation utilizes the ARCO rights as a strong base:
- Right to access my personal data
- Right to rectify my personal data
- Right to cancel the use of my personal data
- Right to oppose to any data gathering process
And expands the user's rights with the right to deletion, and the right to portability, the latter allows users to request all personal data relevant to their persona to the collector/provider, who will need to provide it in a common readable format ready for download or export.
What's more, data controllers will have to provide an overview of all data categories, their purpose, their acquisition process, and all parties that have access or handle the data itself. The applications of these rights, especially the right to deletion and portability, could require the development of proper platforms to automatize the process.
Now, let’s have a look at how GDPR impacts IT’s turf.
International Data Transfers
Personal data can’t be transferred to countries outside the European Economic Area (EEA) unless they guarantee the same level of data protection as the GDPR, according to the European Commission (EC). Countries in the EEA include members of the EU, Iceland, Liechtenstein and Norway.
GDPR also requires safeguards to ensure that the required protection travels with the data, which includes a variety of mechanisms that were adopted in 2016 as part of the EU’s reform on data protection. These mechanisms include adequacy decisions, binding corporate rules, certification mechanisms, codes of conduct, and standard contractual rules.
The architecture of the rules on international transfers is similar to those in the Data Protection Directive, except it introduces new tools and expands the use of existing mechanisms for international transfers.
Data Security Breach Reporting
Article 33 of the GDPR requires a data processor to notify a data controller of a personal data breach without undue delay. It also requires data controllers to report security breaches to the supervisory authority within 72 hours, unless the breach is unlikely to pose a risk to the individual’s rights and freedoms.
Article 34 generally requires the controller to notify the data subject of a breach if it will have an adverse impact. However, such notification isn’t required if the data controller has already acted to render the personal data unintelligible to any unauthorized personnel (e.g encryption).
Changes to Internal Privacy Compliance Policies
The Data Protection Working Party addresses the changes to internal privacy policies required by the European legislation. The designation of a Data Protection Officer (DPO) is the most significant of these changes; since the DPO must perform all process audits, except for those done by judicial authorities acting in their official capacity.
This official’s primary duties include monitoring data processing operations; and assisting the controllers to ensure internal regulations are enforced and followed.
A DPO must have expert knowledge on both data protection practices, and the laws that require them. Additionally, they should be directly involved in day-to-day security efforts, to ensure external threats are diverted.
Additional Processor Obligations
Article 25 of the GDPR describes additional obligations of data processors. For example, it requires organizations to include data protection measures in their business processes, such as adjusting privacy settings for data to a high level by default.
It Comes Down to...
Assessing your current status and creating a readiness plan
Yes, IT managers might find themselves under an extra quota of stress when trying to follow GDPR's directive. And yes, if your organization isn't ready yet... It probably won't be when the deadline comes.
But don't be discouraged! The global tendency on privacy is heading that way, and users will be more than happy if you help pave the way to healthier data processes. On the other hand, we can guarantee that failing to react will become a gigantic risk as time goes by.
Better late than never! Even if GDPR's reach doesn't apply to your institution, it is a great opportunity to ready-up for policies that might become a global standard in the future.