If you’ve been keeping track of data security regulatory news coming out of the European Union (EU)—or reading some of our recent posts—you’re probably aware that there’s a new EU General Data Protection Regulation (GDPR) about to go into effect on Friday, May 25.
What might be a bit confusing for many is what this new Regulation means for the world wide web and the businesses that rely on it for their continued success—especially since the rule applies to any business that processes the personal data of any EU citizen.
While this post may not cover everything, and should not be taken as legal advice of any sort, I thought it might be valuable to share a few of the potential impacts of GDPR so you can work to prepare your company for them.
One of the biggest impacts of the new EU data protection regulation is that it codifies and guarantees the rights of “data subjects” (i.e. the people whose data your company would be processing).
Some of the key rights guaranteed in the Regulation’s guidelines could dramatically alter how companies are allowed to collect information on their customers. First, and foremost, companies will have to not only notify data subjects of their rights, they’ll have to provide a notification each time they collect data and allow the person to opt out.
This means that many existing data collection methods will have to be altered in a way that gives the person whose information is being gathered a clear indication that such collection is happening—like adding a pop-up notification asking the person if it’s okay for your company to collect information. This notification should indicate what information is being collected as well.
Additionally, these data subjects are expected to have the right to access the data you store about them and to be forgotten—meaning that you must delete the data when they opt out of letting you store it.
Providing data subjects access to the information your company is storing about them in a way that is still secure enough to meet other regulatory obligations to protect Personally Identifiable Information (PII) from illicit access may prove to be a major challenge—one that requires companies to be extremely careful about the types of data they collect and store about their customers.
This was always the case with regulations like HIPAA, which placed strict controls on data portability and security of sensitive information. However, some companies that may not have fallen under these guidelines previously might end up having to contend with GDPR because they have an EU citizen’s data.
Another provision of GDPR requires that the data being processed by a company is limited to only what is needed to complete a specific task. Companies will need to prepare a Data Protection Impact Assessment (DPIA) for any profiling activities, large-scale personal info processing, or systematic monitoring of publicly-accessible data prior to collecting data.
This basically means more time and money will have to be spent on red tape prior to any effort to collect data to profile customers.
In fact, the rules as specified in the regulation may make it more difficult for businesses to aggregate data about their customers at all. Data aggregators may be especially affected because of the portability rules outlined in the Regulation.
There’s a provision in the Regulation that states:
“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject… The processor shall not engage another processor without prior specific or general written authorisation of the controller.”
In other words, businesses cannot get around GDPR rules by having another business process the data for them—and they need to have any understandings about the sharing of data worked out in writing beforehand. This may mean having to rework vendor contracts to add specific conditions to them, including:
Article 34 of the Regulation states that: “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”
The problem is that the phrase “without undue delay” is vague. It doesn’t set a specific time limit, so whether or not any amount of time between the detection of a breach and the sending of a notification constitutes an “undue” delay will have to be treated on a case-by-case basis by authorities.
Considering that the fine for not complying with the notification requirement could be the higher of either 10,000,000 Euros or up to 2% of the company’s worldwide annual turnover for the preceding financial year, this will likely create enormous pressure for companies to improve their systems for not only detecting breaches, but for identifying which records have been compromised and sending a warning to potentially affected parties.
There is a separate requirement to notify “the relevant supervisory authority” that does specify a 72-hour time limit from the time the breach is detected.
Overall, the new EU data protection regulation is very likely to make processing customer data more difficult for companies in the near future. If you have any more questions about GDPR, please check out our guide to the Regulation at the link below, or contact Compuquip Cybersecurity to talk about how you can prepare right now!