EU General Data Protection Regulation (GDPR) – what challenges can organizations expect?

At the end of May 2018, the new EU General Data Protection Regulation (GDPR) will come into full effect across all EU member states. Generally speaking, this regulation defines the purposes, processes and use of technology when collecting, processing and storing data related to natural persons. It applies to every organization that stores data about its clients or employees, as long as they are from EU Member States, so – almost everyone.

This currently is a hot topic in many boardrooms and in the media, and there is more than enough confusion and legalese to go around, so today we’ll try to explain what to expect in as simple terms as possible.

The stated goal of the GDPR is to harmonize the protection of the fundamental rights and freedoms of natural persons in respect of data processing activities and to ensure the free flow of personal data between EU Member States. The regulation also states that the existing nationally defined personal data protection rules are not consistently enforced. So, while it is true that many of the principles and rules have been in place for some time, so far, at least in the Baltic States, there has been no real effort to enforce them, and therefore almost no organization is currently compliant. That is likely to change now that the national governments will be held accountable before EU institutions. For example, the Latvian Ministry of Justice has already confirmed to Digital Mind that, moving forward, the capacity of the Data State Inspectorate will be significantly increased and that compliance with the new EU regulation will be strictly monitored and enforced.

When compared to the existing Personal Data Protection Law in Latvia, the GDPR focuses more on best-practice principles in data processing and defines stricter obligations for every party involved in the processing of personal data. It also significantly increases the fines for not complying with the regulation – organizations will now face fines of up to 20 million euros or 4% of total group (!) turnover.

Among the most important improvements for individuals are the right to be forgotten (the right to request that a data processor delete all of your personal data) and the right to know exactly what will be done with your data (the purpose of data collection, the length of data storage, the data protection methods used, etc.). Before collecting any data (in a web-based form, for example), the data processor will have to clearly identify the purpose of data collection, as well as have proof that the collection was expressly and voluntarily authorized by the individual.

This regulation, at least in theory, will enable each and every one of us to request that those annoying telemarketers calling at the worst possible moments cease their calls and messages, and delete our contact information from their databases. Consumers, when switching to a new bank, ISP or other service provider, will also have the right to ask the old provider to forward all of their personal data, collected over the years, to the new service provider anywhere in the EU, and then delete it.

Organizations will have to make significant investments in legal consultations, business process audits and IT infrastructure to achieve full compliance with the GDPR. The biggest challenges will likely be faced by organizations that until now never really thought about the legal aspects of their data collection practices – it is more than probable that they are now sitting on large amounts of so-called “dark data”, which is a serious compliance issue.

It will fall on companies to prove that they comply with the GDPR – not just by formally having written procedures in place, but also by engaging in practical activities, such as registering all data collection activities, ensuring data pseudonymization and immediately reporting all potential personal data breaches to both the regulator and the affected individuals. Many organizations will be legally obligated to hire certified data protection officers and to carry out frequent data protection audits.

The GDPR also defines the “data minimization” and “privacy by default” principles, which essentially mean that, before creating a product or service that requires the collection of personal data, a company will have to evaluate and clearly define its data collection methods and goals. For now, many organizations still collect as much data as possible and only then try to figure out what to do with it all.

The GDPR’s impact on every organization’s business processes and profit margins is inevitably going to be very significant, so this is an issue that needs to be addressed at the highest possible level. Personal data protection is clearly no longer something that can be handled by IT or a data protection officer alone; C-level executives must take notice and get involved. Without their engagement and support there is little chance that any company will be able to make the necessary investments and changes in business processes to achieve GDPR compliance before May 2018.

To conclude, here is a handy infographic from IT Governance.
