GDPR: Beyond the hype
The GDPR, adopted by the European Parliament and the Council in April 2016, will apply from May 2018. The new regulation replaces the 1995 European Data Protection Directive and sets the scene for the protection of personal data. The way personal data is defined is an important aspect of the new law. The GDPR defines personal data as any information relating to an identified or identifiable natural person, that is, data that allows an individual to be identified directly or indirectly. This is a broad definition, and we expect its interpretation to widen further over time. In practice it means that IP addresses, location data and other online identifiers that can be linked to a person are covered by the new law.
The definition of ‘personal data’ gives a good indication of the tone of the new legislation: data is treated as a valuable asset, and the rules governing it are tightening. Not coincidentally, this goes hand in hand with technological trends such as cloud computing, social media, mobile and the Internet of Things, where data gathering and adequate data analysis are becoming strategic differentiators. In that sense, the European regulator is catching up with reality.
4 elements of change
If the existing legislation laid the foundations for data protection, the GDPR is about building a solid house on them. In recent years there have been several data privacy developments, not least the invalidation of Safe Harbour, which created a lot of hype about the GDPR. As a result, many organizations have serious concerns about the new legislation but, in fact, there is no need for that, says Kalliopi Spyridaki, Chief Privacy Strategist Europe at SAS: “The rules are tighter now, but the basic principles are the same as we have had for many years. In that sense, the GDPR is more about reviewing compliance procedures than about building something from scratch.”
Nevertheless, Spyridaki highlights 4 high-level elements that are changing with the introduction of the GDPR:
1. More enforcement
With the new regulation, enforcement gets tougher. The Data Protection Authorities will have more resources and will come together in a new pan-European body, the European Data Protection Board, whose opinions are binding. In addition, the fines will be so high, up to 4% of an organization’s annual global turnover or EUR 20 million, whichever is higher, that the GDPR automatically shakes organizations across all industries awake. “Actually, in Europe we only find a comparable level of fines in competition law. The fear of being fined should not be the primary reason for compliance, but it’s certainly a reason to pay attention now. Whereas 5 years ago data privacy was a legal compliance issue that didn’t make it to the top 10, today it’s at the top of the compliance agenda”, said Spyridaki.
2. Greater accountability
The GDPR makes organizations accountable for the protection of personal data. They will bear the burden of proof for whether, how and how well they protect personal data. Today there is a fairly formal process in place to obtain authorization to process data: what type of data do you process? Do you transfer it to other parties? In the future it will be more about how well the business processes are organized than about formally obtaining an authorization. In this respect, it will be helpful to have someone, either internally or externally, who understands data privacy and knows how to make the necessary changes and apply the law.
3. Privacy by design
The first step for every organization will be a data flow mapping exercise in which the whole organization is involved, because privacy by design requires that all departments look at their data and how they handle it. Once you have identified where your personal data is and exactly what you do with it, you have to secure it in the right way. “Looking at your data from a data privacy point of view, from product development through the supply chain to the end customer, is the essence of the new data privacy law. Most companies already have a system in place to be able to identify personal data, because they should already be compliant with the existing data protection law. The new law forces organizations to go into more detail but, luckily, there are a lot of solutions which can support this reviewing process. SAS is well placed to support our customers with the identification and management of data flows in order to enable compliance with the GDPR.”
Privacy by design also presupposes more transparency about data and data transfers. And you have probably already heard about the hot potato of the new regulation: the right to be forgotten. That brings us to the fourth big factor of change in the data privacy field: the clear focus on the customer.
4. Putting the individual first
The new data protection regulation empowers the individual by placing the customer at the centre of data protection. For example, the right to data portability provides that when customers want to change their mail provider, they should be able to take their data with them to the new provider. Today, consumers can already ask for their personal information to be deleted, but the GDPR strengthens this deletion right with the so-called ‘right to be forgotten’. “But beyond compliance, the biggest change will be the shift in organizations’ attitude towards privacy. Privacy is becoming a business consideration. It will be a key component to build customer trust and to gain a competitive advantage, because customers do value privacy. They also value easy and transparent procedures to enforce their rights”, Spyridaki commented.