In May 2018, the General Data Protection Regulation of the European Union (GDPR) comes into force to improve the protection of personal data.
The GDPR will have a significant impact on organizations and the way they handle data, with potentially very large penalties for companies that suffer a breach, reaching up to 4% of global revenue.
The GDPR directly affects the storage, processing, access, transfer and disclosure of a person’s data records and affects any organization worldwide that processes personal data of people from the European Union.
1. What is the GDPR, to whom does it apply and to what information?
The General Data Protection Regulation (GDPR) (Regulation 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all people within the European Union (EU). It also deals with the export of personal data outside the EU. The main objective of the GDPR is to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying regulation within the EU. When the GDPR comes into force, it will replace the Data Protection Directive (officially Directive 95/46/EC) of 1995. The Regulation was adopted on April 27, 2016. It comes into force on May 25, 2018 after a two-year transition and, unlike a directive, does not oblige national governments to pass any enabling legislation, making it directly binding and enforceable.
The proposed new EU data protection regime expands the scope of EU data protection legislation to all foreign companies that process data from EU residents. It provides a harmonization of data protection rules across the EU, making it easier for non-European companies to comply with these rules; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of global turnover.
Why was the GDPR written?
There are two reasons behind the GDPR. Firstly, the EU wants to give people more control over how their personal data is used, bearing in mind that many companies like Facebook and Google exchange access to people’s data for the use of their services. Current legislation was enacted before the Internet and cloud technology created new ways to exploit data, and the GDPR seeks to address that. By reinforcing data protection legislation and introducing stricter enforcement measures, the EU hopes to improve confidence in the emerging digital economy.
Secondly, the EU wants to give companies a simpler and clearer legal environment in which to operate, making data protection law identical throughout the single market (the EU estimates that this will save companies a collective 2,300 million euros a year).
So who does the GDPR apply to?
Data “controllers” and “processors” must comply with the GDPR. A data controller determines how and why personal data is processed, while a processor is the party that actually processes the data. Therefore, the controller could be any organization, from a for-profit company to a charity or a government. A processor could be an IT company that performs the actual data processing.
Even if controllers and processors are outside the EU, the GDPR will continue to apply to them as long as it concerns data belonging to EU residents.
It is the controller’s responsibility to ensure that its processor complies with data protection law, and processors must comply with the rules on keeping records of their processing activities. If processors are involved in a data breach, they bear far more liability under the GDPR than under the Data Protection Act.
What is personal data under the GDPR?
The EU has substantially broadened the definition of personal data under the GDPR. To reflect the types of data organizations now collect about people, online identifiers, such as IP addresses, are now considered personal data. Other data, such as economic, cultural, or mental health information, is also considered personally identifiable information.
Pseudonymous personal data may also be subject to GDPR standards, depending on how easy or difficult it is to identify the individual the data refers to.
Everything that was considered personal data under the Data Protection Act also qualifies as personal data under the GDPR.
2. How to prepare for compliance?
The introduction of GDPR is set to bring data protection to the top of companies’ priority lists. So how can companies ensure that they comply and what steps should they take? Let’s look at the six steps below.
Understand the GDPR legal framework
The first step in ensuring compliance is understanding current legislation, as well as the implications of not meeting the required standards, and conducting a compliance audit against the GDPR legal framework.
Part of this compliance audit, regardless of the size of the company, involves hiring a data protection specialist to explain the rules and apply them to the company. It is preferable that this person has a combined legal and technological background, so that they understand both the regulatory framework and the technical measures necessary to comply with it. As each organization is unique, the path to GDPR compliance will also be different, and the direction set by leaders within the business must adapt to this.
Create a data record
Once companies have a clearer idea of their readiness to comply with regulatory requirements, they should keep a record of the process. This is done by maintaining a data log, essentially a GDPR journal. Each country has a Data Protection Authority (DPA), which will be responsible for enforcing the GDPR.
It is this authority that will judge whether a company has been compliant and determine possible penalties for non-compliance. In case of non-compliance during the initial implementation phase, the company must be able to show the DPA its progress towards compliance through its data record.
If there is no evidence that the company has initiated the process, the DPA could impose a fine of between 2% and 4% of the company’s turnover, depending on the sensitivity of the data that is breached. Depending on the nature of the data, the DPA could also impose the fine much faster.
Sort the data
This step is about understanding what data companies need to protect and how it is currently protected. First, companies must locate Personally Identifiable Information (PII) belonging to EU citizens, that is, information that can directly or indirectly identify someone. It is important to identify where it is stored, who has access to it, with whom it is shared, etc.
They can then determine which data is most vital to protect based on its classification. This also means knowing who is responsible for controlling and processing the data, and making sure that all the correct contracts are in force.
Start with the main priority
Once the data has been identified, it is important to start evaluating it, including how it is produced and protected. With any data or application, the first priority must be to protect the privacy of the user. When analyzing most applications or private data, companies should always ask themselves whether they really need that information and why. This data always has the highest value to an attacker and therefore carries the highest risk of being breached.
Companies must complete a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA) of all security policies, evaluating the data lifecycle from source to destruction. In doing this, it is important to remember the rights of EU citizens, including data portability and restriction of processing. The “right to be forgotten” must also be considered as part of the GDPR.
This covers data held by third parties that can be used to identify someone, which must be removed if requested. It is vital that this data is properly destroyed and can no longer be accessed.
From here, companies must evaluate their data protection strategies: how exactly they protect data (for example, with encryption, tokenization, or pseudonymisation). This should focus on the data that is being produced, the data that has been backed up, either in-house or in the cloud, and historical data that can be used for analytical purposes.
Businesses must ask themselves how they anonymize this data to protect the privacy and identification of the citizens with whom they interact. It should always be kept in mind that data should be protected from the day it is collected, until the day it is no longer needed and then destroyed in the correct way.
Evaluate and document additional risks and processes
In addition to the most confidential data, the next stage is to assess and document other risks, with the aim of discovering where the company may be most vulnerable during other processes.
It is vital that companies maintain a roadmap document to show the DPA how and when these outstanding risks will be addressed. It is these actions that show the DPA that the company is taking data protection and compliance very seriously.
Review and repeat
The last step is to review the result of the previous steps and carry out any deletions, modifications and updates that are needed. Once this is complete, companies should determine their next priorities and repeat the process from step four.
3. Master Data Management can be your ally
The transition to full law enforcement will not be easy or cheap, but if companies choose to view this period of change as an investment in their data management, they could benefit from this process.
Master Data Management (MDM) is the foundation that can make the transition to GDPR much smoother and can even add business value that goes far beyond GDPR.
GDPR and MDM: how are they connected?
Many companies still maintain their customer data on isolated systems across multiple departments, regions and platforms. The problem with this is that it is often the cause of duplicate, incomplete or conflicting information, with some sources being updated while others remain in silos and become increasingly obsolete.
The basis for complying with GDPR requirements is for the organization to break these data silos. First of all, you must ensure that the personal data you store and process are correct and up-to-date. Second, all associated data must be identified and the company must know where it is stored, what it is used for, and who has access to it.
That is precisely what MDM does. Customer MDM creates a single, reliable source of customer data. It does this by combining technology, processes and services to establish and maintain an accurate and complete representation of each customer across multiple channels, lines of business and companies, generally from numerous associated data sources derived from multiple application systems and databases.
How can MDM support GDPR efforts?
There are many situations that you are likely to encounter under the new regulation. Here are a few examples:
- Data breach. You will need to report any breach to the supervisory authority, and possibly to the affected individuals as well, but to do so you must be able to answer some basic questions:
  - Who exactly is affected?
  - How are they affected?
  - What is the role of the company?
  - Who currently has access to the data?
  - What do you need to do to contain the breach?
  - How can you prevent it from happening again?
- Individuals exercising their new data rights. If someone requests to see their data, you must provide it in a readable format. If someone requests that their data be erased (exercising their “right to be forgotten”), you must delete all of their data. That means not only cancelling their marketing subscription, but deleting everything, including metadata. If someone requests that their data be corrected or completed (exercising their “right of rectification”), the organization must do so immediately, while ensuring that there are no conflicting, outdated or duplicate versions of that individual’s data profile stored elsewhere.
- Management of people’s consent. You must have full control of, and visibility into, which person has consented to what. For children under the age of 16, this becomes even more urgent and complex. Managing consent requirements demands strict data workflows and business data rules, as well as a clear data governance framework.
- Data storage limitation. According to the GDPR, you must ensure that all personal data is kept in a format that allows the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Sending documentation to the authorities. Upon request, you must be able to document that all legal aspects of the GDPR are being followed. Doing this requires well-organized and reliable data. In the words of the GDPR, you must “apply appropriate technical and organizational measures” to “demonstrate that the processing is carried out in accordance with this Regulation”.
Addressing all of these aspects effectively and with the least possible risk comes down to the quality of the organization’s data, data processes, and data governance framework. An MDM platform should not be considered a complete GDPR solution, but it lays the basic foundation for GDPR requirements and, in doing so, eases the transition to these new regulations.
MDM can be the platform from which the organization stores, manages, collects and shares trusted personal data, be it customer, potential customer or employee data.
4. Best practices for GDPR compliance
Know the definitions of data protection
The main definitions of the current law will generally remain unchanged under the GDPR. If you have a good understanding of the concepts of “personal data”, “confidential personal data”, etc., you can carry them over to your understanding of the GDPR.
However, there are some caveats. For example, “confidential personal data” now includes biometric and genetic data, but excludes criminal convictions. Additionally, data controllers now have legal obligations under the GDPR, and organizations must understand what those responsibilities are and distinguish them from the obligations of data processors.
Know your processing ground
The legal basis for processing that your company currently relies on will likely be the same under the GDPR. “Legitimate business interest” is still present in the GDPR. However, you must be careful to ensure that it is applied correctly, as the GDPR imposes new and greater obligations.
For example, processing based on legitimate interests should be weighed against the rights of the person concerned, and companies should record why they consider that their legitimate interests are not overridden by the interests of the data subjects. The GDPR also clarifies that “affirmative consent” is required for consent to be valid. In other words, silence, pre-ticked boxes or inactivity can no longer be interpreted as consent. Data protection authorities will take a dim view of companies that only appear to obtain consent.
Know your high-risk activities
Under the terms of the GDPR, organizations must adopt a risk-based approach to data processing activities. In relation to security, there is an obligation to carry out a privacy impact assessment to determine the level of risk of a given activity. In practical terms, this generally means that a company needs to evaluate all its activities to identify those that are high risk: a potentially long exercise.
Know when to report a breach
If you are processing data within the EU and a data breach occurs that could cause harm to data subjects, the organization is legally obliged to notify the local Data Protection Authority. However, not all breaches require notification, and the deadline (72 hours) could be very difficult to meet. It is necessary to review breach management procedures to be sure.
Know the rights of those affected
All of the current rights of those affected will remain in effect, and most are being expanded. To manage these rights, you should focus on providing correct and detailed processing notices, streamlining data subject access requests, ensuring efficient procedures for handling “rectification and deletion” requests, and restricting processing when a data subject has submitted a rectification request that has not yet been resolved.
Know your profiling activities
Profiling is an automated form of decision-making based on personal data. Those affected do not have the right to avoid being profiled, but they do have the right not to be subject to a decision based purely on automated profiling.
There are numerous guidelines on profiling. Among them are the need to:
- Notify the data subject at the time the data is collected, that the profiling will take place, the rationale for preparing these profiles and the expected consequences of profiling.
- Respond to those affected who want to know whether they have been profiled and with what consequences.
- Have a human review the automated decision if the interested party requests it.
Learn about international data transfers
Companies with subsidiaries inside and outside the EU should take note of the inclusion of Binding Corporate Rules (BCR) in the GDPR, a mechanism for transfers within a company worldwide. Given the current threats to other mechanisms, such as standard contractual clauses and the Privacy Shield, BCRs will be an attractive option for many companies after May 2018.
5. Supplementary material
- GDPR. What is it, who does it affect and how is it resolved with MDM
- Protection of company data in the framework of GDPR and Big Data
- The cloud as a transforming element