With the European Union’s GDPR regulation coming into effect on May 25, we sat down with Online’s legal counsel/privacy consultant, Laura Sulymosi, to discuss the biggest questions being asked by organizations looking to be compliant.
1. What is GDPR and when is it coming into effect?
GDPR is a hot topic in the data protection/privacy world. While most organizations have already begun thinking about GDPR compliance, they may not have the right tools or expertise in place to truly appreciate its significance and impact on their organizations’ operations.
GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679). This new data protection and privacy law of the European Union is meant to provide a fairly harmonized regulation across the Union. I say “fairly” because in certain areas (e.g. protection of personal data in the context of employment law) national laws may impose additional or different rules. It replaces the previous data protection Directive (EU Directive 95/46/EC) and includes significant changes. Two of the many “significant changes” that many organizations have difficulty wrapping their heads around are that GDPR (1) has an extraterritorial scope so it can apply to organizations established outside of the EU (a topic we plan on covering in length in a future blog) and (2) imposes direct obligations and responsibilities on processors.
Organizations are getting a bit more apprehensive with the GDPR compliance deadline fast approaching as they are realizing that becoming compliant is no doubt an onerous and time-consuming task.
2. Who needs to be aware of GDPR? Is it only relevant to European companies?
GDPR must be on the radar of any organization that handles (even if it just potentially stores e.g. as a no-view cloud service provider) personal data that belongs to EU residents regardless of whether the organization has a physical office in the EU. Many organizations outside of the EU still assume that GDPR does not apply to them because their operations were not caught under the previous Directive. This might be a wrong assumption as GDPR represents a huge paradigm shift from and has a much broader scope than the previous Directive.
A few examples of situations when organizations need to comply with GDPR:
- if you have employees who are EU residents
- if you provide goods or services in the EU
- if you transfer or receive personal data out of the EU
- if you track EU residents on the Internet for the purposes of profiling to the extent that such behaviour takes place in the EU.
In short, even if your business/organization is NOT located in the EU, you very well may need to be concerned about GDPR.
3. What exactly is “personal data”?
The definition of “personal data” under GDPR is very broad. It covers any information that relates to an individual and how that individual can be directly or indirectly identified. Personal data under the GDPR encompasses a large variety of information, including name, photo, ID number, location data, online identifiers, physical, physiological, genetic, mental, economic, cultural, or social identity related information. This new definition claws in cookies, email addresses, posts on social media, IP addresses, medical, banking information, and much more.
4. How can an organization ensure they are compliant?
Rather than trying to interpret this extremely long and complex regulatory text on your own and guessing what you have to do to ensure compliance, I would recommend you retain an expert company that specializes in security and privacy risk and compliance or impact assessments. This way your organization can discover whether there is a risk of material infringement of GDPR and what the areas of non-compliance or so-called gaps are as a first step. Given the complexities of GDPR, getting to this first step is not easy. Once you understand the degree to which your operational areas, systems, processes, and documentation align with GDPR, you can begin your remediation efforts, taking into account effort and risk level.
Your security and privacy advisor should provide high-level recommendations on what needs to be done to bring your organization into compliance with GDPR and should also provide you with ongoing support recommendations pertaining to implementing the required organizational changes, documentation, training, and so on.
When GDPR risk and gap assessments are carried out by Online, we use our proprietary framework that has “translated” the text of GDPR into straightforward privacy and security requirements/controls and mapped the GDPR’s Recital/Preamble and Article sections to such requirements/controls. After our assessment is completed, we create a customized, business-centric remediation strategy and roadmap, which can include the development or refinement of training and awareness materials, policies, procedures, checklists, and recommendations for contractual clauses and agreements you need to put in place to ensure that every department of your organization is aligned with your end goal: having the right amount of privacy and security infused into your business/operations and being compliant with GDPR.
Our remediation strategy and roadmap also provide you with a solid foundation for establishing or refining a more robust privacy program and its framework that aligns with your business. Because GDPR is most likely one of the strictest compliance frameworks, if your organization complies with GDPR, it is very likely to be compliant with other privacy regimes as well.
5. What are the main challenges in demonstrating compliance with the GDPR?
First and foremost, your organization must be very clear on what kind of personal data it handles, where that data is located, and how that data is being processed. That entails mapping out data flows and creating data and process inventories and detailed use cases. Without those, it is difficult to assess how GDPR applies to your organization’s processing activities. Based on the assessment of your data flows, access controls, related policies, processes, roles, and responsibilities, the maturity and effectiveness of your privacy and security practices and their alignment with GDPR can be measured.
The major challenges include: (1) making sure that individuals can exercise their data protection rights; (2) applying the data protection principles to your organization’s operations, such as data portability, complete erasure, limits on storage periods, transparency, and data minimization; (3) third-party management – ensuring that your service providers (platform/solution partners), who are likely to be found to be processors or sub-processors, are also GDPR-compliant; (4) being ready to adhere to the 72-hour breach notification rule; (5) demonstrating a lawful basis for processing (be it consent, contractual necessity, legitimate interest, or others); (6) conducting privacy impact assessments for new technologies and in case of any major business/operational change; (7) putting adequate measures in place to ensure GDPR-compliant data transfers and reception out of the EU.
6. What are the penalties if found to be non-compliant?
If GDPR non-compliance is detected either by an EU resident or a supervisory authority, they both have the right to initiate legal proceedings against your organization. Individuals may pursue damages in court or lodge a complaint with a supervisory authority. A supervisory authority can initiate its own proceedings against a non-compliant organization and issue administrative fines. These fines, as you probably have already heard, could be staggering (20 million Euro or 4% of your organization’s worldwide turnover) and ultimately cripple your organization. In addition, EU member states may set their own additional rules on criminal sanctions for infringement of GDPR.
Beyond these “official” penalties set out in GDPR, your greatest loss resulting from non-compliance is undeniably reputational risk, including brand damage and the loss of customers.
7. What is the number one reason for pursuing GDPR compliance?
TRUST. With capital letters. Privacy is coming more and more into the forefront of everyone’s attention. The very first thing that comes to everyone’s mind when it comes to privacy is how trusted an organization can be in terms of safeguarding people’s personal information. Why wouldn’t they be concerned or fear for the safety of their personal data? We have all heard about many infamous leaks. When their trust is breached, people tend to avoid doing business with or initiating contact with those businesses or organizations that did not protect their personal data properly.
When your organization is GDPR-compliant, it can claim its customers’ trust, and customers can feel confident in your use of their personal information, putting them in the driver’s seat in terms of their privacy.
In our next blog, Laura Sulymosi is going to walk us through how GDPR has an extraterritorial scope that may apply to organizations established outside of the EU, something contrary to the EU’s previous and similar data protection Directive. Stay tuned for that in the coming weeks.
If you have any questions or insights in the meantime, please feel free to leave a comment below!