by Michael D. Sarlo, EnCE, RCA, CBE, CCLO, CCPA
I know, I know – that title might come across as hyperbole or sensationalism. However, several recent studies contain genuinely worrying findings: the General Data Protection Regulation, which becomes enforceable across the European Union on May 25th, 2018, is a looming juggernaut with significant repercussions for everyone who is not ready to comply – and many are painfully unprepared.
For example, consider these survey and research results:
- Info Security Magazine cited one survey finding that revealed 84 percent of entrepreneurs in the United Kingdom were not aware of key points within the GDPR.
- Forbes reported that one study revealed 86 percent of executives are fearful regarding the disruptive impacts that could result from noncompliance.
- Gartner predicted that, globally, roughly half of all organizations that have to comply with the GDPR will not be fully prepared to do so by the May 25th deadline next year.
Couple these findings with the fact that the maximum fine under the GDPR is the greater of 4 percent of global annual turnover or €20 million, and it should be clear that leaders need to begin moving on strategies to prepare.
Let’s take a look at some of the best ways to do so.
What needs to happen?
Because the regulation does not become enforceable for another year, and regulator guidance and member-state implementing laws are still being finalized, there are several topics leaders are still weighing. However, the text of the regulation itself was adopted in April 2016, and a number of its requirements are already settled. Organizations should work to comply with those as soon as possible.
Perhaps the most important adjustment is the expanded scope and jurisdiction. The E.U. explains that the GDPR clarifies otherwise debatable questions of applicability to ensure that every company processing the personal data of individuals located within member states is subject to the legislation. It makes no difference where the controller or processor is located: a firm with no European presence that offers goods or services to people in the E.U., or monitors their behavior, must abide by the new rules.
The GDPR will also force companies to change the ways in which they acquire user consent, demanding much simpler and easier to read requests while giving individuals greater control. The regulation’s own language on the point is that “it must be as easy to withdraw consent as it is to give it.”
Additionally, as mentioned above, fines can reach the greater of 4 percent of global annual turnover or €20 million (with a lower tier of 2 percent or €10 million for less serious infringements). In terms of steps firms can take right now, the following should be high priorities:
- “Privacy by design”: This is a big one – Article 25 of the GDPR (numbered Article 23 in earlier drafts) mandates that data protection be built into the design of a system and applied by default, rather than bolted on as an afterthought. A piece of this is proper retention and destruction of data: under the data minimization principle, companies should hold only the minimum of electronically stored personal information necessary for the stated purpose, and for no longer than needed.
- Portability, access, erasure: Data subjects gain a right to receive the data they provided in a structured, commonly used, machine-readable format and to have it transmitted to another controller (Article 20), along with stronger rights to request copies of the information held about them (Article 15). Additionally, the “right to be forgotten” under Article 17 means that when a subject withdraws consent, or the data is no longer needed for its original purpose, controllers must cease processing and delete the data without undue delay, including notifying downstream processors and recipients.
- Data Protection Officer: The GDPR requires certain organizations to appoint a Data Protection Officer – public authorities, and any entity whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. The DPO must have expert knowledge of data protection law and practice. This individual can be internal or external, but must be easily accessible, must have no conflict of interest, and must report directly to the highest level of management.
- Notification standards: Simple enough but somewhat weighty, the GDPR requires that a personal data breach be reported to the supervisory authority within 72 hours of the organization becoming aware of it, where feasible, and that affected individuals be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
Now is the time to get moving on policy changes, technological overhauls, and other actions to align the organization’s core systems and practices with the demands of the new GDPR. These matters, however, are not the only complexities likely to present management challenges once the law is in effect.
Where member states meet GDPR enforcement
Keep in mind here that the GDPR, as a regulation, applies directly and supersedes member state law wherever the two intersect, with the exception of specific “opening clauses” that expressly leave room for national rules. It will be worth watching several nations’ adjustments to their individual data protection laws, as they will determine how those national derogations are exercised and the specific responsibilities that apply when processing information about people in those countries.
Here are a few of particular interest:
- Ireland: This nation’s Data Protection Commissioner released the annual report for 2016 last month, which clearly indicated that all efforts are going into preparation-related activities for the GDPR. Ireland is also trying to be a leader in broader E.U. readiness endeavors, so keep an eye out.
- France: A bit more conceptual at the moment, but notable because of the recent election of President Emmanuel Macron. President Macron had a campaign promise to work more closely with major IT firms in efforts to improve national security and general data protection. SC Magazine provided a good analysis of certain changes that might take place as well.
- Germany: I previously wrote a thorough analysis of Germany’s major overhaul of national privacy and security legislation, as well as the relevant implications in the context of the GDPR. Check that article on Bundesdatenschutzgesetz for more on the topic.
Virtually every other member state will have at least one major change in legislation ahead of the GDPR to fill in the areas the regulation leaves to national law. For example, member states may set their own rules for processing employee data in the employment context and other internal corporate governance matters, as the GDPR permits. So, companies need to focus on both the GDPR and each individual nation in which they do business.
In addition to the other moves organizations must make in the near future, they should also ensure that every vendor or third-party service provider they work with complies with these mandates and maintains appropriate controls over data transferred from abroad; under the GDPR, controllers remain responsible for the processors acting on their behalf, and those relationships must be governed by contract. Many American firms use data centers in Europe, for example, and the vendors in charge must follow a range of local, national, and international regulations.
These include Privacy Shield and the forthcoming GDPR. So long as policies and practices are swiftly shifted in the right direction and organizations only utilize the best, most secure services, May 25th, 2018 will be just another day rather than a nightmare.
Michael D. Sarlo is HAYSTACKID’s Vice President of eDiscovery & Digital Forensics