David Warburton, Senior Systems Engineer, F5 Networks, explains why the EU General Data Protection Regulation’s revolutionary intent is showing genuine teeth.
The EU General Data Protection Regulation (GDPR) is the most comprehensive and far-reaching piece of legislation of its kind.
The central seismic shift hinges on the premise that citizens’ private and sensitive data is not an asset owned by organisations to use as they see fit. Citizens’ data is now rightfully their exclusive property to be shared according to their wishes. Data-centric reliability and trust are the new corporate kingmakers.
Anyone doing business with the EU or its citizens (wherever they reside) is affected. Those that fail to adapt and comply with the law will soon fade into obsolescence as data-savvy consumers flex their newfound rights.
Initially, many firms believed a regimen of perfunctory policy updates would suffice. Big mistake. The GDPR requires intensive analysis of a vast range of nuanced issues, such as the legal basis for data collection, the nature of consent and the right to be forgotten. Essentially, organisations must reconfigure their data policies to become world-class data stewards and provide transparency at every juncture.
There is also a robust requirement to report data breaches to the regulators within 72 hours, irrespective of whether it is employees or customers that are affected. This includes the nature of the breach, likely impact to privacy of the affected subjects, contact information of directors responsible for data and the measures that the company intends to take to address the issue.
Yet, despite the GDPR’s epochal muscular disposition, many are still scrambling to get their houses in order.
In a February 2018 survey by legislation experts, The GDPR Institut, 42 percent of businesses reported that compliance would take longer than 12 months. In addition, only 38 percent doubted they would be compliant by 25 May 2018.
According to The GDPR Institut, 52 percent of organisations are finding data governance to be the biggest headache. For many, this will be the first time they accurately identify all held data for both external customers and internal staff members. Central to this process is determining the legality of data ownership, collection and usage processes.
The GDPR Institut figures also highlight the sheer complexity of ensuring all company systems can cope. 48 percent of surveyed businesses flagged the logistical nightmare of verifying GDPR readiness for every process, piece of software, contract, third party et cetera. Other major challenges cited include data and content analysis (44 percent), data storage comprehension (28 percent), and consent management (24 percent).
The top priority for any business capturing and processing customer data is to have a defensible GDPR position. This requires demonstrating compliance to supervisory bodies (e.g. the ICO in the UK), including a clear legal basis for data capture, a current DPIA/PIA, a mandated processing activity list, and a detailed employee/staff policy list that clearly indicates legislative due diligence.
At any given moment, organisations must be able to drill down to the detail if prompted, including proving watertight Data Subject Access Request (DSAR) procedures, data protection officer (DPO) details, breach procedures and notification timelines – not to mention security and monitoring solutions.
The latter is particularly important. The data companies are expected to protect is becoming harder to monitor and track as workforces become increasingly mobile, cloud and app-centric. For example, companies looking to store data in the cloud need to maintain ownership and control over that centralised data, address policy management issues, and effectively deploy encryption solutions to ensure only the controlling company can unlock the relevant files.
Ultimately, businesses that ignore the GDPR’s requirements for fair, transparent and responsible data processing will suffer severe reputational and financial consequences.
If the failure is significant, or there is wilful contempt, the regulator will stop all data processing and effectively fine and shut down the business. Prison sentences could also be handed down if there is provable negligence from senior management. Fines vary and depend on factors such as level of failure, history of compliance to date, exposure levels, risk to data subjects, number of data subjects, and data type. Penalties range from warnings and imposed corrective procedures to fines amounting to up to 2-4 percent of annual turnover or EUR 10-20 million, whichever is greater.
Most realise that the GDPR is legislation with genuine teeth. Expect some highly visible public non-compliance examples to be made very soon.