In less than 20 months, all companies handling personal data belonging to residents of the European Union will be expected to comply with a new set of privacy requirements under the EU General Data Protection Regulation (GDPR).
The GDPR introduces tough new privacy requirements for companies handling EU data and vests consumers with significantly greater control and rights over the manner in which their data is collected, shared, retained, and destroyed. The GDPR gives EU regulators the authority to impose fines ranging from 2 percent to 4 percent of a company’s global revenues for violations of the regulation.
“The May 2018 deadline for GDPR compliance may seem like a long way off,” says John Crossno, product manager at enterprise technology vendor Compuware, which did a recent survey on the preparedness of US firms for GDPR. “Given the complexity of change it will require in the way organizations handle personal data, it’s really not.”
Two-thirds of the CIOs at large companies in the survey said they had no plans yet for implementing critical GDPR requirements like data anonymization, customer consent, and the right to be forgotten.
Here, in no particular order, are the issues that US companies must be addressing right now to prepare for GDPR.
Under GDPR, companies must provide clear notice to their customers of the purpose for which their data is being collected, says Dana Simberkoff, chief compliance and risk officer at software vendor AvePoint.
In that policy, they need to clearly indicate what personal information is being requested or collected from consumers, says Simberkoff. Consumers have to be given a choice of whether or not to provide it, and any data that is collected needs to be clearly marked for the specific purpose for which it was collected.
In addition, any data that is collected for a stated purpose can only be used for that purpose and for which consent was obtained, she says.
The obligation to meet this requirement flows from the entity that collected the data to any other organization that might process or handle it. Both will be held jointly liable in the event the data is used inappropriately or if there is a data breach.
“The GDPR requires that you not only create policies that meet its mandate, but that you operationalize those policies and be able to prove that you have done so,” Simberkoff says. “Companies should already be practicing transparency around why you want to collect data and ensuring all data is only used for the exact purpose and within the boundaries of consent.”
Enable An Opt-In Requirement For Data Sharing
Most US companies currently use an opt-out policy when collecting and sharing consumer data. The opt-out model requires consumers to specifically ask data collectors and aggregators not to share their data with third parties. Otherwise, consent is assumed by default.
GDPR will require organizations to do just the opposite. They will not be allowed to collect or share EU consumer data by default. The EU consumer would specifically have to consent to such data collection and sharing by opting in. The consent must be “freely given, specific, informed and unambiguous” Simberkoff says, quoting from the directive.
“Privacy policies must be clear and concise, and companies must provide consumers with an opt-in option to having their data shared with third parties,” she says. “Just offering an opt-out option will no longer be acceptable.”
In addition to requiring affirmative consent, GDPR also places restrictions on the ability of companies to obtain consent from children without specific parental authorization.
Start Implementing Privacy by Design
GDPR is big on the notion of privacy by design, a requirement that emphasizes the importance of baking in, rather than bolting on, privacy protections into products, processes, and services.
"Software and development practices that don't follow privacy by design principles put organizations at major risk in light of GDPR,” says Dan Blum, a senior analyst at KuppingerCole.
The earlier developers can implement privacy-friendly practices the more they can lower risks, reduce costs of compliance, and future-proof their software, he says.
Examples of privacy friendly software features under GDPR include opt-in, data use minimization, purpose-specificity, data anonymization and the right to be forgotten.
Larger organizations would benefit from establishing a privacy and data governance practice, if they don't already have one, to keep track of software and development requirements as to manage change, Blum says. “They will need developer awareness and training to get developers to align with these processes and do their part,” Blum notes.
The Information Commissioner’s Office in the UK recommends eight foundational principles for privacy by design that include fair and lawful processing of personal data, minimization, data retention, and data security controls.
Prepare For New Data Breach Reporting Requirements
GDPR requires companies to inform consumers about data breaches impacting their personal information. While that requirement is not particularly new for American companies—most states mandate it currently—the breach reporting requirements under GDPR are strenuous.
“At 72 hours, the timeline to report a breach is the tightest that we’ve seen with any regulatory measures,” says Eldon Sprickerhoff, founder and chief security strategist at eSentire.
The potential fines that companies face for non-compliance are also the highest, he says. Importantly, non-compliance fines aren’t issued because of a data breach. “The fines are issued because an organization failed to properly report a data breach within the designated timeframe,” he says.
The key to preparedness for this requirement is knowing what data you have and what legislation covers that data Spickerhoff says. Also key is a good understanding of the threats against your organization and the ability to describe how well you are able to defend against those threats.
“Do you know what access risks exist? Can you demonstrate that you’re doing what you’ve claimed?” Spickerhoff asks. Ensuring that your organization has adequate measures to protect against cyber attacks is important, he says. “Including compliance reporting timelines as a part of incident response plans and policies is another vital exercise.”
Implement Controls For Tracking And Managing Data
GDPR gives consumers the right to ask companies holding data about them to erase that data upon request. It also gives them the right to ask for a copy of their digital data so they can transfer it to someone else if they choose to do so.
The so-called right to portability and the right to erasure or right to be forgotten provisions impose new requirements on companies doing business in the EU, says Eve Maler, vice president of innovation and emerging technology at ForgeRock.
“IT managers need to be asking themselves: can we track a customer’s personal data as it travels through our systems? Can we erase it if they request us to do so? Or better yet, can we provide them the tools to do this on their own?” Maler says. “These capabilities will be required under GDPR, and it’s a significant departure from business as usual.”
Be Ready For Data Protection Impact Assessments
The GDPR requires companies to do data protection impact assessments (DPIAs) to identify “high risks” to consumer data privacy that might surface during data processing, says AvePoint’s Simberkoff.
Only some types of data processing involving personal data will trigger the requirement. Some time between now and when GDPR goes into effect, EU data privacy authorities will release a public list of the types of processing they consider to be high-risk and needing a DPIA.
The impact assessments can be incorporated into the standard planning, development, test and deployment, and monitoring, processes, Simberkoff says. They will allow privacy teams to implement privacy by design and enable a risk-based approach to data protection.
Online tools are available that allow organizations to conduct DPIAs and the goal should be to go ahead and conduct the assessments in advance of GDPR, Simberkoff says.
When risks are identified, companies should implement measures to mitigate those risks, which under GDPR include data encryption and pseudonymization or anonymization of data.
- EU’s General Data Protection Regulation Is Law: Now What?
- What Europe Tells Us About The Future Of Data Privacy
- Why You Can't Ignore Privacy Shield