GDPR: Avoiding the High Costs of Non-Compliance
In today’s global, digital economy, companies are collecting more data than ever on their customers, and that data is becoming more diverse and complex, from different sources and in different formats. The creation and exchange of data has also increased significantly as BYOD and enterprise collaboration software have grown to become a mainstay in the modern workplace.
Once the General Data Protection Regulation, or GDPR, takes effect on May 25, 2018, it will greatly influence data management throughout the world. While the US doesn’t have a comparable data protection law, every company conducting business within the EU will need to incorporate proper safeguards into their business practices in order to avoid the high cost of non-compliance. Depending on the infringement, organizations can be subject to fines up to 20 million euros or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Evolution of GDPR
In 1995, the EU adopted the Data Protection Directive to regulate the processing of personal data within the EU. The primary goal of the directive was to protect all personal data collected for or about EU citizens, specifically related to the use, exchange and processing of said personal data.
With the expansion of the Internet and the increased distribution of personal data, new regulations were required to provide EU citizens with the right to control how personal data is stored, processed and shared. To accommodate the increased traffic and include non-EU organizations within the legal framework, the EU developed GDPR.
GDPR aims to protect all EU citizens and transform the way organizations approach data privacy, by mandating that companies maintain much tighter control over the data and be able to account for its history, current use, and purpose.
Although an EU regulation, GDPR will have a global effect on data management practices, as any organization conducting business within the EU will be required to meet its stipulations regardless of where it is headquartered. This means that if a company collects data on any EU citizen, it is subject to GDPR, whether or not that company has an official EU presence. As such, US organizations need to ensure that they are prepared to meet these strict requirements if they want to avoid accruing costly fines for non-compliance.
What is “Personal Data”?
Before organizations can determine whether or not their data management practices are compliant, they first need to understand how GDPR classifies “personal data”.
In GDPR Article 4, personal data is defined as “any information relating to an identified or identifiable natural person…who can be identified, directly or indirectly…by reference to an identifier.” Examples of such identifiers include name, identification number, location data and other identifying factors, such as physical, mental and cultural characteristics, among others.
Not all data collected or processed by an organization is personal by nature. In addition, previously collected personal data that has been fully anonymized and cannot be re-identified to an individual is not subject to GDPR requirements.
BYOD and the Collaborative Work Environment
The protection of personal data is a significant challenge, for several reasons.
Collaboration software has seen widespread adoption since the Data Protection Directive took effect and is showing no signs of slowing down. According to research firm MarketsandMarkets, the enterprise collaboration market is estimated to grow to $49.51 billion in 2021, up from $26.68 billion in 2016. For global organizations, this should come as no surprise. Collaboration software allows teams to easily work together and exchange data across multiple regions through a variety of methods, such as file sharing, instant messaging and enterprise video. One of the most difficult kinds of customer information to manage is data associated with communications taking place through numerous customer touch points. With the number of communications channels rapidly expanding to include IM, social media, encrypted messaging apps like WhatsApp and WeChat, and more conversations happening on collaborative tools that allow simultaneous group communication, the task of capturing, indexing, and retrieving customer data becomes increasingly daunting.
In addition, the popularity of BYOD has made data more accessible to employees on the move and allows them to work using the tools and devices of their choosing. Benefits of BYOD include increased productivity, employee satisfaction, and cost savings for the company, which no longer has to furnish each employee with a device. IT consumerization can provide real business benefits, but it clearly also brings significant risks by putting aspects of data management literally in the hands of the employees.
The reality is that BYOD and collaboration software are not just “nice to haves” but are critical for organizations to compete in today’s business landscape. While these technologies have greatly improved individual efficiency, they have also increased data distribution, making data management more complex. Organizations will therefore need to carefully evaluate this more complex environment to determine what changes they must make in order to properly prepare for GDPR.
GDPR’s Effects on Global Data Management Practices
What this really spells out is the need for an enterprise data management strategy designed to gain complete control over all customer data. Companies need ways to automate these processes as much as possible, and they also need to ensure that they can scale their storage to handle an influx of data.
This is going to require some work, as many companies currently don’t even have full insight into all the customer data they have stored in various departmental silos, much less the ability to retrieve it or prove that it has been deleted. Preparing for GDPR will not be a quick and simple task, as the requirements of GDPR span 99 provisions, including:
- Article 5: Principles relating to the processing of personal data, which limits the collection of data solely to the purpose for which the data was requested. This means that organizations must maintain silos to prevent data from being processed and stored in departments for which that data is irrelevant. While this is at odds with the generally accepted goal of maintaining data that can be used across departments, it is less about maintaining silos than about ensuring full control over who sees the data. The data might be readily accessible to the entire organization while still being strictly limited in terms of access and permissions.
- Article 15: Right of access by the data subject, which grants EU citizens the ability to inquire whether or not personal data pertaining to them is being processed and the purposes for which said data is processed. Organizations will need to prove that they can effectively search and retrieve this data in order to respond to citizen inquiries in a timely manner.
- Article 17: Right to erasure (“right to be forgotten”), which requires organizations to be readily capable of searching for and extracting, without delay, EU citizen data deemed no longer necessary in relation to the purposes for which it was collected or otherwise processed. This implies that you have to be able to quickly identify all data being collected on a customer through a wide variety of channels. It may not be easy to tell whether a particular communication arriving by email is from the same customer as another one arriving through a social channel.
- Article 25: Data protection by design and by default, which requires organizations to integrate the necessary safeguards to protect the rights of EU citizens. For organizations utilizing a cloud service provider to host their data, they need to understand what features their services offer to protect personal data, such as access controls and classification, and be able to submit this evidence to the regulator upon request.
Taking the Steps Towards Compliance
With less than a year left before the rules take effect, organizations should begin allocating additional resources towards preparation, unless they want to be left scrambling to meet the deadline. For those wanting to avoid the costly fines of GDPR, there are four main steps I recommend they take towards achieving GDPR compliance:
- Assess what the new guidelines mean for the way data is held and processed within their business. Before an organization can become compliant with GDPR, it needs to first understand the full scope of the stipulations and how its data management practices are affected. Once it has a full understanding of how intensive the stipulations are, it can determine the gaps in its current methods that need to be filled. Decide whether compliance means making incremental changes to the current data infrastructure, or whether an entirely new, fully integrated infrastructure should be adopted. In accordance with the general principle of Article 25 of the GDPR, data protection must be “by design and by default.”
- Monitor which employees and departments have access to the data and how they’re managing it. As noted earlier, GDPR Article 5 requires organizations to ensure that sensitive data does not extend beyond its required use. By limiting data access to the departments working directly with it, organizations are assuring their customers that user data is not being accessed and stored recklessly. This highlights the fact that achieving GDPR compliance is not something the IT department can do alone. Compliance will require a set of coordinated and appropriate responses from the organization as a whole, with strategy, policy, training, and governance processes needed based on expertise from various groups. An example of this would be establishment of ethical walls across all communications channels.
- Evaluate which service providers embrace privacy by design vs. those who approach privacy as an afterthought. Within GDPR, some of the obligations firms have also extend to the service providers they work with. Today, rather than storing business-critical data like customer transactions on-premises, many companies store data on more flexible cloud platforms like Amazon Web Services (AWS). Data analytics is increasingly moving to the cloud as well, with compute as well as storage functions on platforms not directly under a company’s control. All are potentially subject to GDPR regulations (and fines for non-compliance). Of particular concern is the need to work with a cloud service provider that has standards in place to handle GDPR Article 17 (Right to Erasure) requests; this is essential for ensuring compliance. Working with a cloud provider that makes submitting erasure requests easy allows companies to avoid bottlenecks, outside their control, in responding to such requests.
- Look at the full number of channels where customer conversations are actually taking place. Ask whether you have full visibility into these channels. For example, maybe you know what’s said through standard channels like email, but do you know what’s being said through IM, social channels, and newer channels like WeChat and WhatsApp? And, possibly even more importantly, can you “connect the dots” so that you can understand that communications coming through multiple channels are actually coming from the same person? The ability to have this cross-channel data view will be critical for GDPR compliance.
Every organization affected by GDPR needs to undertake a significant reexamination of its organizational data strategy related to personal and sensitive personal data. Specific requirements in the GDPR need to be planned for, and organizational and technological approaches implemented to resolve problems, strengthen policy and protections, and mitigate the worst outcomes. Remember, non-compliant organizations can be subject to fines up to 20 million euros or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Failure to prepare for GDPR will leave firms in expensive non-compliance status once May 2018 arrives.
About the author: Robert Cruz is Senior Director of Information Governance for Actiance. Mr. Cruz leverages more than 20 years of Silicon Valley experience in providing thought leadership on emerging topics including cloud computing, information governance, and Discovery cost and risk reduction. Prior to Actiance, Mr. Cruz was Senior Director of Information Archiving & eDiscovery for Proofpoint, Inc. Earlier in his career, Mr. Cruz served in a variety of management capacities at Electronic Evidence Discovery (EED), FileNet/IBM, BroadVision and Hewlett-Packard. Mr. Cruz holds an MBA degree from the Stanford University Graduate School of Business.