An Eye on GDPR

Think Equifax. Think Uber. Now think about how to notify those tens and hundreds of millions within 72 hours. That is the sort of headache you are going to have to deal with.

There is a lot of talk about the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679).  And rightly so, because it will impact a great many organizations, many of which reside in the U.S.  Set to come fully into effect May 25, 2018, the GDPR has understandably caused a lot of headaches because it is wide-sweeping and costly regulation, especially if you are in violation.

Clearly, the first question to ask is if the GDPR applies to you. If it doesn’t, you are in the clear (but that is not an excuse to relax your data protection measures).  If it does, well, you have work to do if you haven’t been on top of your GDPR compliance. This is especially true if you are a big organization, are not based in the EU, and have a lot of EU customers and clients.

I would like to take a step back here for a moment and perhaps calm some of the GDPR hysteria out there. Yes, some commenters and compliance professionals are rightly having heartburn over the GDPR. And some others have said not to freak out, like Elizabeth Denham, the UK Privacy Commissioner, stating that the GDPR should just be looked at as an “evolution” in data protection and not a revolution.

My humble opinion is that if the GDPR applies to you and you are a non-EU country, your worry should be greater than zero.  Here is why: the EU needs money. And who do you think they will fine first?  EU-based organizations or non-EU-based organizations?  Option 1 seems like it could be detrimental to the EU economy (something about hurting your own) but Option 2 seems like a nice windfall being extracted from a competitor.  If I’m the EU, I know who I am fining first.

But the fines can’t be that bad, can they?  Yes, they can be that bad. Violators of the GDPR can be fined up to 4 percent of annual global turnover or €20 Million, whichever is greater. That sounds like some industrial strength motivation to take the GDPR seriously, especially if you could end up near the top of the pecking order.

Apart from all your usual data protection and cybersecurity grief, the real shift of power of the GDPR comes in the form of individual rights, specifically in terms of privacy. This nuance is important culturally, because Europeans have generally had more constitutional protections that relate to privacy than say freedom of speech.  And from a business perspective, what that means is that individual consumers will have incredible leverage over organizations.

The GDPR will give individual consumers the following powers:

– The right to be informed

– The right of access

– The right of rectification

– The right of erasure

– The right to restrict processing

– The right to data portability

– The right to object

– Rights related to automated decision making and profiling

All of this sounds pretty straightforward, but think of all the resources required to implement and comply.  To begin, anything that could be considered “personal data” is swallowed up by the GDPR. This could be a name, a credit card number, IP address, and preferences.  As you can imagine, the list can go on and on. This begs the question: have you identified all possible pieces of “personal data” within your organization?  By the way, charities are not exempt from the GDPR, so if your thought is that your well-meaning good-cause not-for-profit will be given a pass, I wouldn’t bet the farm on that sort of wishful thinking.

Of course, each of the rights presents its own set of headaches for the organization, but I will pick the first “the right to be informed” as an example. Think Equifax. Think Uber. Now think about how to notify those tens and hundreds of millions within 72 hours. That is the sort of headache you are going to have to deal with.

A single blog post is not going to give you all the answers you need regarding GDPR, but I will close with this: the Data Protection Officer (DPO), could end up making or breaking you. The comparison to the Chief Compliance Officer is not right, because the DPO has some incredible powers that other C-Suite officers may not have.  For example, the DPO must:

– Act “independently”

– Not take instructions from their employer regarding the exercise of their tasks

– Have expert knowledge of data protection law

– Be provided with sufficient resources

– Not be dismissed merely for performing their tasks

– Report directly to the “highest management level”

And guess what?  You could be fined for not allowing your DPO to do their job!  If this GDPR thing is starting to give you some unexpected heartburn, it would be completely expected.

While I would like to believe the intent of the GDPR is to instill some good data protection and cybersecurity habits into all of us, remember what is driving it: a focus on privacy and a very big stick (with no apparent carrot in sight).  The coffers in Brussels need to be refilled, so don’t be surprised if the bureaucrats are looking across the pond for a way to do just that.

Also available on SDICyber