An Introduction to the GDPR
Designed to provide a common legal framework for data protection law and to protect the data assets and privacy of individuals within the EU, the GDPR represents the biggest shake-up of data protection regulation in more than twenty years.

What is the GDPR?
The General Data Protection Regulation (2016/679) is a new regulation which is intended to strengthen and unify data protection law within the European Union. Through a range of far-reaching provisions, the European Commission aims to give data subjects across Europe increased ownership and control over their personal data assets – ensuring the right to a private life – and to provide a simplified “one-stop shop” regulatory environment for the acquisition, use and storage of the personal data of European citizens. The GDPR will bring data protection regulation into the 21st century; designed with today’s technology in mind, it will replace the outdated Directive 95/46/EC, which dates back to 1995.

Who Will Be Affected by the GDPR?
The GDPR will apply to any business or entity, regardless of its geographical location, that holds or processes the personal data of EU citizens.

“All data formats will be regulated by the GDPR – audio, video, photographs, IP addresses, device IDs and cookies – are all covered by the regulation.”

“Personal data” is defined as any data which may be used to identify an individual, either directly or indirectly, or as part of a collection of data spread across multiple systems. The GDPR has a broad definition of personal data, which includes genetic, biometric, cultural, political, economic, social, mental and religious information.

The requirement to appoint a Data Protection Officer.
Increased sanctions: the GDPR gives regulators the right to impose substantial fines for non-compliance – up to 4% of global turnover.

The GDPR was published in the EU Official Journal on May 4th, 2016 and entered into force 20 days later, on May 24th.
The regulation will become applicable on May 25th 2018, which gives all affected entities less than two years to ensure that their data storage and processing operations meet the new compliance requirements. An enterprise-wide review of all data acquisition, storage and processing practice is a vital first step in understanding how and where the GDPR will affect the business. Organisations should consider how they will locate and access all of the data that they hold – all held data that can be used to identify an individual, including voice calls and video recordings, must be easily located and distinguishable from the data of other individuals. A proactive approach to risk management is a common theme across many emerging regulations, such as the GDPR and MiFID II. Increasingly, businesses are being expected to demonstrate to regulators that they have taken all reasonable steps to mitigate exposure to risk, whilst customers and data subjects demand the best possible security for their valuable data assets. For all entities facing the GDPR – and other similar regulations – this inevitably means tackling some considerable challenges ahead. But, the technology available to businesses to address these issues has never been more capable and by taking advantage of advanced data security coupled with best-of-breed search and analysis technologies, these are challenges that can not only be overcome, but turned into exciting new opportunities. Through the aligning of modernised data protection law across Europe, in tandem with increased transparency and greater rights for individuals, the GDPR will enable businesses to capitalise on these opportunities as they take a step closer to a Single Digital Market and reap the benefits of a boost in consumer confidence.
CIOs Discuss Protecting Privacy and the GDPR
Increasingly in these forums, and as I talk with CIOs and other business leaders, the conversation comes back to protecting privacy. Recently, in light of Data Privacy Day, Sharon Pitt, CIO of Binghamton University, started off an interesting #CIOChat by saying how important it is to think about safeguarding personal data. Peter Salvitti, CTO of Boston College, agreed, but then asked whether one day a year alone is really enough to safeguard data and maintain privacy awareness. Echoing Protegrity CEO Suni Munshani’s sentiments, Stephen diFilipo, CIO of the Institute for Transformational Learning, responded to Pitt and Salvitti by saying that, “Every day should be data privacy day.” Isaac Sacolick, former Global CIO for Greenwich Associates, said in turn that, “Organizations that define proper use of data drive greater business benefits and earn customer trust.” At this point Theresa Rowe, CIO of the University of Oakland, added to the discussion by asking everyone about new sources of data, saying, “We need to help people understand how beacons and other sensor technologies may end up compromising privacy.” Salvitti suggested that we also should not forget the metadata created: “We need to remember that everything we are doing is being tracked.” Individuals’ awareness of this kind of digital surveillance, in light of their Right to Privacy, is at the heart of the EU’s General Data Protection Regulation. When asked about the Regulation, Pascal Viginier, CIO of the European telecom company Orange, said that for them it “Is a top initiative and a real opportunity for building customer trust.” He went on to say that data privacy and opt-in are the most respectful ways to support customer privacy and freedom, and asked, “How to make it the main stream in all regions?”
“On the flipside,” said David Chou, Chief Information and Digital Officer at Children’s Mercy Hospital, “People are willing to give up some privacy for a great experience.” This led to a discussion on what marketers at firms like Nordstrom or service providers like Uber are doing with data, and the steps they will take to meet customers’ expectations that personal information be protected. Ed Featherston, VP Principal Architect at Cloud Technology Partners, said at this point that privacy is “a huge challenge in today’s world, a delicate balance of privacy vs. convenience, walking tightrope over shark tank.” He added that “Privacy is the rules, security is the mechanism to enforce the rules.” I could not agree more with his contextualization of security and privacy, especially with respect to the GDPR.

Delivering on the promise?
Larry Larmeu, Managing Director of L2 Digital, said that the GDPR is hugely important because most technology is not built for consumption by IT. Larmeu argues here that, as technology always has a business purpose, privacy should always be considered during implementation. Brian Katz warned that “Only those that study GDPR will be ready,” complaining that it “Shouldn’t have to be just EU citizens” whose privacy is respected. Clearly data privacy needs more attention than one day a year; it needs to be part of an organization’s DNA and culture. I agree that more education is needed for brands to meet their custodial obligations to privacy. It is important that IT organizations focus their attention on protecting the data itself, rather than just protecting infrastructure, especially under the terms of the GDPR. If this is important to you, here is a nice summary of how to overcome GDPR challenges.

Extending COBIT 5 data security and governance guidance.