The impact of GDPR for companies dealing with EU citizen data

“This was a major breach of trust and I’m really sorry that this happened. We have a basic responsibility to protect people’s data and if we can’t do that then we don’t deserve to have the opportunity to serve the people. So our responsibility now is to make sure that this doesn’t happen again.”

~ Mark Zuckerberg on 21.03.2018 over the Cambridge Analytica scandal

Leshan Bashitha, Software Engineer

The above apology was made by the CEO of Facebook over the Cambridge Analytica scandal, in which the data of millions of Facebook users was misused through a security and policy breach. You may wonder what this incident has to do with the EU GDPR (European Union General Data Protection Regulation), which has been in effect since May 25, 2018. In fact, it is a major reason why one should be aware of the EU GDPR.

If you are the CEO of a company, would you like to be in the same shoes as the Facebook CEO after that data breach? I’m sure the answer is “NO”. This is why the EU GDPR provides a great opportunity and framework to think twice about the security of the personal data your company handles. The other major reasons why you should be aware of the EU GDPR are described below. Are you an organization (within or outside of Europe and the EU) that deals with confidential and sensitive data of citizens (data subjects) belonging to the European Union? Then do you know about the EU GDPR? If not, do you know that your organization could be fined up to 20 million euros or 4% of your company’s annual global revenue for non-compliance with the major regulations of the EU GDPR? Did you know GDPR took effect on 25th May 2018?

If not, it’s high time to get your organization ready for the EU GDPR. Why? Recent research and surveys show that:

  • 58% of US and 62% of German survey respondents believe their companies will be fined.
  • 87% of surveyed CIOs believe their current policies and procedures leave them exposed to risk under the GDPR.
  • IDC projects that unstructured data alone will comprise 79% of all business-related data by 2017.

GDPR has been conceived to strengthen European citizens’ rights in the digital era and to make it easier for businesses to comply, as it ends the fragmentation of European data protection laws caused by its predecessor (Data Protection Directive 95/46/EC) and provides one single set of laws for the European Union member states (and associated countries like Norway and potentially also the United Kingdom after Brexit). Other countries, like Canada and South Africa, might adopt a similar regulation. It is important to understand that GDPR affects every organization globally that handles data of European citizens (who are known as “data subjects” under the regulation).

GDPR sets the bar for privacy protection high, so it is important to understand some of the key principles of the regulation.

Right to be forgotten (Article 17).

If the data subject specifically requests access to his/her data and asks for the data to be deleted, or the data is no longer necessary for the purpose it was collected for, or the data subject withdraws his/her consent, the organization (data processor) needs to delete the data. For this purpose, there should be a mechanism to search for every place where this data subject’s data is contained. While identifying the relevant data in primary applications and data stores might seem straightforward, keeping track of all copies of data in test and development environments, business intelligence and analytics applications, and particularly data protection and storage systems, is a major task and requires good data management practices.

Data minimization principle (Article 25).

Keeping the minimum necessary data to perform customer services is a challenge for most organizations, given that they have a tendency to collect and keep data, just in case. Identifying and deleting redundant, outdated, and trivial (ROT) data is a key first step to minimize the data footprint and make data governance more operational and manageable. The data minimization principle needs to be balanced with other regulations, which require retention of data (health records, criminal records, etc.).

Defining use cases and managing consent (Article 6).

Whenever organizations want to collect data from European citizens, they have to define a clear use case for the data and get the person’s consent. Once the use case ends, the data needs to be deleted. This requires an end-to-end process, from the collection of the data to the storage infrastructure, to ensure the correct data retention spans and deletion policies.

Data transfers (Articles 44–50).

It is important for organizations using cloud services to understand the articles on data transfers to countries outside of the European Union. Data may only be transferred to countries with similar standards in data privacy protection, like Canada. When data is transferred to countries such as the United States, binding corporate rules are recommended, although there are several other mechanisms. In preparation for this requirement, it is important to understand whether organizations have data in the cloud already, where the data resides, and whether compliance mechanisms are already in place.

Data protection by design and by default (Article 25).

Organizations handling data of European citizens need to ensure when they review and design their processes that only the minimum amount of data necessary for the specified use case is collected, and that the data is only kept for the minimum duration necessary. Processes need to be designed so that organizations always provide data protection by default. Strong data governance processes, retention management, and stringent process documentation are critical for compliance.

State of the art (SOTA, Articles 25 and 32).

This principle is “future proofing” GDPR, as IT technologies are developing faster than the regulator can respond. Therefore, the burden is on the individual organization to prove that it has a view on what SOTA is, in order to justify why it did or did not implement certain technologies, based on an assessment of SOTA against cost, risk, and context. This understanding needs to be reviewed on a regular basis, to keep up with technology innovation. SOTA encourages organizations to implement appropriate IT solutions and develop good processes within reasonable cost, risk, and context, so that they always protect personal data in the best possible way. Investing in market-leading IT security, data protection, and analytics solutions with an innovative road map will make it easier to comply with SOTA, and will also make the job of the data protection officer much easier.

72-hour data breach notification (Articles 33 and 34).

Organizations need to notify their data protection authority within 72 hours of becoming aware of a material personal data breach, providing the nature of the breach, an estimate of how many people are likely to be impacted by the breach, and the measures taken to mitigate it. For example, a lost laptop is a potential data breach. With a laptop backup solution in place, you can search the backup of that laptop and understand what data it contains, which makes it easier to understand the impact of the breach and provides important information for the data breach notification.

Designation of the Data Protection Officer (DPO) (Articles 37 and 39).

A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.

As outlined in the GDPR Article 39, the DPO’s responsibilities include, but are not limited to, the following:

  • Educating the company and employees on important compliance requirements
  • Training staff involved in data processing
  • Conducting audits to ensure compliance and address potential issues proactively
  • Serving as the point of contact between the company and GDPR Supervisory Authorities
  • Monitoring performance and providing advice on the impact of data protection efforts
  • Maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which must be made public on request
  • Interfacing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information

Data portability (Article 20).

European citizens have the right to receive all their data in a machine-readable format, so that they can transfer it to another company. This is particularly challenging for data kept in legacy systems with proprietary file formats.

Accountability (Article 5).

At the core of GDPR is the concept of accountability, where both controllers and processors need to be able to document how they comply with the data protection principle, and which technical and organizational measures they have put in place. Keeping records of decision-making processes about the implementation of GDPR, collecting technical documentation about products and services used, and using products with strong reporting capabilities, enable organizations to demonstrate compliance with the accountability principle.

Common challenges for GDPR compliance and how to resolve them

Data complexity hinders compliance:

The biggest challenge in complying with the GDPR is the fact that personal data can be located anywhere, because data keeps spreading, as shown in the figure above. Just think about how many copies of someone’s personal data might be spread across your organization: if an individual asks you to delete their personal data, do you know where it all lives?

So, identifying the applications that process privacy-relevant data is a key first step. In addition, an overall classification system needs to cover both structured and unstructured data: where it resides (on-premises or in the cloud, and in which countries), who owns it, what the retention periods are, how sensitive it is, and whether conflicting regulations apply. This is far more challenging for unstructured data, which makes up nearly 80% of all data. A consolidated data protection platform resolves this issue because all data is indexed upon ingestion into the platform, and is therefore searchable. Data assessment and analytics can be conducted on the data protection copy of the data without impacting the availability and response times of the production copy.

Internal communication and education about the impact of GDPR are of paramount importance, as GDPR compliance is just as much about process improvements as it is about technology. Understanding data ownership helps to target the employees who most directly need GDPR awareness.

Documentation of GDPR-related processes and decisions. To pass a GDPR audit, you need to document every process and decision related to GDPR. Driving policy from a single data management platform with extensive reporting capabilities facilitates documentation.

Right to data access requests and the right to be forgotten (RTBF). Driving a single policy in data management across all unstructured data, irrespective of its location, by consolidating down to a single vendor for backup and archive with a single index helps drive compliance and pass audits, even in a diverse IT environment with flash storage. This makes RTBF much easier. Consequently, organizations are able to find the data, hand over the data, and delete the data upon request by the data subject within the given time frame, without the need to employ extra staff. In addition, getting the organization’s data under control brings benefits for digital transformation, business intelligence, and analytics efforts.

With data dispersed across production, business intelligence (BI) and analytics, test and dev applications, and secondary storage systems for backup and disaster recovery (DR) purposes (both on-premise and in cloud applications), it can be hard to determine where to start.

Good data management practices are key to GDPR compliance success. Understanding where you have personal data (in which applications, on-premise or in the cloud, which processes use this data, and who owns it) is an important first step. The fragmentation of data stores is making it very difficult to get an overview of data and manage data efficiently. Using a consolidated data management platform helps you understand your data landscape, define and drive policy across your data estate (both on-premise and in the cloud), and of course meet the new requirements for data access, data erasure (right to be forgotten [RTBF]), and data portability.
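The post repeatedly comes back to one technical building block: an inventory that knows every place a data subject's data lives (with its location, owner, retention period and any conflicting retention law), so that access, erasure and portability requests can be served from a single index and cross-border copies without a transfer mechanism can be spotted. The following is an added illustration of that building block in Python; it is not code from the post or from any product the post refers to. Every store, owner, country and record in it is a constructed sample value, and the set of "adequate" countries is an assumption for the example, not the legal adequacy list.

```python
"""Added example (not the post's own code): a minimal personal-data inventory that
answers "where does this data subject's data live?", serves right-to-be-forgotten
(RTBF) and portability requests, keeps an accountability log, and flags cloud copies
in non-adequate countries that lack a transfer mechanism.

All stores, owners and records below are constructed sample values."""
from dataclasses import dataclass, field
from typing import Optional
import json

# Assumption for this example only: countries treated as offering adequate protection.
# The post names Canada; the rest are illustrative, not the official adequacy list.
ADEQUATE_COUNTRIES = {"DE", "FR", "NL", "CA"}


@dataclass
class DataStore:
    name: str                       # application or storage system holding a copy
    location: str                   # "on-prem" or "cloud"
    country: str                    # where the copy physically resides (ISO code)
    owner: str                      # accountable business owner (hypothetical)
    category: str                   # e.g. "contact", "analytics", "health"
    retention_days: int             # retention period defined for the use case
    legal_hold: Optional[str] = None           # conflicting regulation forcing retention
    transfer_mechanism: Optional[str] = None   # e.g. "BCR" for non-adequate countries
    records: dict = field(default_factory=dict)  # subject_id -> personal data


class DataInventory:
    """Single index over every copy, built when data is ingested."""

    def __init__(self, stores):
        self.stores = list(stores)
        self.index = {}        # subject_id -> set of store names
        self.audit_log = []    # accountability record of requests served
        for store in self.stores:
            for subject_id in store.records:
                self.index.setdefault(subject_id, set()).add(store.name)

    def locate(self, subject_id):
        """Every place this subject's data is held (access request, step one)."""
        return sorted(self.index.get(subject_id, ()))

    def erase(self, subject_id):
        """RTBF: delete every copy except those a conflicting regulation forces us to keep."""
        deleted, retained = [], []
        for store in self.stores:
            if subject_id not in store.records:
                continue
            if store.legal_hold:
                retained.append((store.name, store.legal_hold))
                continue
            del store.records[subject_id]
            self.index[subject_id].discard(store.name)
            deleted.append(store.name)
        self.audit_log.append({"action": "erase", "subject": subject_id,
                               "deleted": deleted, "retained": retained})
        return {"deleted": deleted, "retained": retained}

    def export(self, subject_id):
        """Portability: hand over what we still hold in a machine-readable format (JSON)."""
        payload = {s.name: s.records[subject_id] for s in self.stores if subject_id in s.records}
        self.audit_log.append({"action": "export", "subject": subject_id,
                               "stores": sorted(payload)})
        return json.dumps(payload, sort_keys=True)

    def transfer_gaps(self):
        """Cloud copies outside adequate countries with no transfer mechanism on record."""
        return [s.name for s in self.stores
                if s.location == "cloud"
                and s.country not in ADEQUATE_COUNTRIES
                and s.transfer_mechanism is None]


def build_sample_inventory():
    """Constructed sample landscape: production, test copy, BI in the cloud, backup, health records."""
    contact = {"name": "Sample Person", "email": "sample@example.invalid"}
    return DataInventory([
        DataStore("crm", "on-prem", "DE", "sales", "contact", 730,
                  records={"subj-1": contact, "subj-2": {"name": "Other Person"}}),
        DataStore("test-env", "on-prem", "DE", "engineering", "contact", 30,
                  records={"subj-1": contact}),
        DataStore("analytics-bi", "cloud", "US", "marketing", "analytics", 365,
                  records={"subj-1": {"segment": "newsletter"}}),
        DataStore("backup", "cloud", "CA", "it-ops", "backup", 90,
                  records={"subj-1": contact, "subj-2": {"name": "Other Person"}}),
        DataStore("health-records", "on-prem", "DE", "occupational-health", "health", 3650,
                  legal_hold="national health-record retention law (sample)",
                  records={"subj-1": {"fitness-to-work": "cleared"}}),
    ])


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("copies of subj-1:", inv.locate("subj-1"))
    print("erase result:", inv.erase("subj-1"))
    print("portability export:", inv.export("subj-1"))
    print("transfer gaps:", inv.transfer_gaps())
```

The erase path shows the balancing the post describes under data minimization: the health-records copy is reported as retained with the reason, rather than silently skipped, so the response to the data subject and the audit trail both explain why one copy survives. The transfer check is the same inventory used for the Articles 44–50 question of where cloud data resides and whether a mechanism such as binding corporate rules is recorded for it.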

In conclusion, if you are an organization that deals with the data of EU citizens, it is high time to pay attention to the GDPR and prepare your organization for compliance with it. Otherwise the penalties can be very large. Additionally, if you prepare for the requirements enacted by the GDPR, your organization will also gain a competitive advantage in the global market, because you will demonstrably care about the protection of citizens’ data, and people will trust your business with their data on a more solid footing. Also, if you build a single platform to collect data, running the business becomes far easier, since accessing data is no longer as complex as before. So think of this as an opportunity to grow your business and to become competitive as an organization that can protect personal data.
