The Challenges of Data Governance in EU: Two Years Into GDPR

On 25 May 2018, the General Data Protection Regulation (GDPR), adopted in 2016, became applicable across the member states of the European Union (EU).

Superseding the 1995 Data Protection Directive, the GDPR addresses the processing, protection and portability of personal data within the EU and the European Economic Area (EEA).

 

How does the GDPR impact businesses?

 

Not only does the regulation give individuals more control over the collection and use of their personal data, it also harmonizes data protection rules for businesses that operate in the EU or offer goods or services to people located in the EU.

Core dna explains which companies are affected by the GDPR in a diagram (not reproduced here).


 

Through its seven principles (lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability), the GDPR expects organizations to control and process personal data, whether it concerns customers, employees or business contacts, in line with the regulation.

To clarify, where a business relies on consent as its lawful basis for collecting customer data, that consent must be specific to each purpose the data will be used for, and the business must be able to demonstrate that it was given.

 

“[The] generic consent or opt-out consent does not comply with GDPR. […] For example, if someone opts into email marketing, you cannot use this consent to send them a letter or call them or their company.”

GDPR for Business: What is GDPR and How Does it Impact You?

Digital Media Stream

 

What data does the GDPR cover?

 

The GDPR protects personal data, meaning any information relating to an identified or identifiable natural person (the data subject), ranging from basic identity details to special categories such as racial or ethnic origin, biometric data and political opinions. Data that has been irreversibly anonymized, so that the individual can no longer be identified, is not personal data and falls outside the GDPR.

The GDPR does not fix how long a business may store personal data; its storage limitation principle only states that data must not be kept longer than necessary for the purposes for which it is processed. Organizations therefore have to set their own retention periods, based either on a period prescribed by national law or on the purpose of the collection and processing.

 

“Think about what is the purpose you want to achieve, and how long you will need the collected data to fulfill that purpose.”

How Long Should You Keep Personal Data?

Data Privacy Manager

 

Longer retention is permitted only for data processed “for archiving purposes in the public interest, and for scientific or historical research purposes or statistical purposes”, and then subject to the safeguards the regulation requires for such processing.

 

Who handles the data?

 

The GDPR’s Recital 39 places the responsibility on the data controller, the individual or organization that determines the purposes and means of the processing, to ensure that personal data are not kept longer than necessary, and to establish time limits for erasure or for periodic review.

There is also the data processor, usually a third-party person or organization, which processes the data on behalf of the controller; its duties can include implementing security measures to safeguard the data. The controller may only use processors that provide sufficient guarantees “to implement appropriate technical and organizational measures” in compliance with the regulation.

The regulation requires organizations to appoint a Data Protection Officer (DPO) if they are a public authority or body, or if their core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of data. Whether appointed internally or externally, the DPO’s responsibilities include:

 

  • Informing and advising the organization and its employees on their compliance obligations;
  • Raising awareness and training staff involved in data processing;
  • Monitoring compliance and conducting related audits; and
  • Cooperating with, and acting as contact point for, the supervisory authority on issues relating to data processing.

 

What challenges are businesses facing in being GDPR-compliant?

 

Although companies were expected to be GDPR-compliant by May 2018, research found that only 20% had completed their GDPR implementations as of July 2018. More than two years later, 27% had still not started on GDPR compliance, and 60% of tech companies reported being unprepared.

Many organizations faced, and are still facing, difficulties in their journey to become GDPR-compliant. From changing the way they handle customers’ data to tackling challenges in data retention and deletion, some businesses believe that the regulation limits their ability to operate efficiently or run a profitable company.

 

  • Lack Of Readiness

 

Complacency, lack of understanding, competing laws, unfamiliarity with data processes and usage: these are some of the reasons behind organizations’ lagging or partial compliance with the GDPR.

Research also cited last-minute data identification and other preparations left to the final months before the deadline as a further reason for the lack of readiness.

For most businesses, both big and small, it has been no simple feat to juggle the different aspects of GDPR compliance, from consolidating the data gathered over the years and training employees in data management to hiring the required roles, including talent in GDPR program design and implementation.

It’s even more difficult for international companies that need to comply with differing data privacy laws. And more often than not, all the complexities have led businesses to hiring individuals or companies to specifically handle compliance.

 

“My concern is that in the rush to be ready for the GDPR before 2018, and indeed since, many companies have engaged with individuals or organizations which haven’t given them proper advice with regards to their requirements.”

– Brian Honan, CEO of BH Consulting,

GDPR: The First Two Years and Future Challenges

 

In fact, according to TrustArc, 87% of companies needed help with GDPR and used external firms to understand the regulations, to gain tools and tech for automation and operationalization of data privacy, and new policy and process creation.

 

Solution tip: Break the regulations and processes into manageable tasks. Conduct a risk assessment to identify compliance and data security gaps, and establish a formal data governance program to map the type of data collected, its purpose, usage and storage, and how it’s shared.

 

  • Control of External Parties

 

Under the GDPR, every third party that accesses or will access the controller’s data, including vendors, partners and external data processors, must itself comply with the regulation.

As Ian Evans, the Managing Director for EMEA at OneTrust, aptly put it, “You now have the obligation to ensure that the people you contract with – and who undertake processing on your behalf – are also going to represent you and your views on privacy as well.”

So how should companies maintain data governance and control arrangements of third-parties?

All contracts with third-parties should be revised to define the data processes, including:

 

  • How information is used, managed and protected;
  • How breaches are reported to the controller;
  • How data subjects’ rights requests are handled;
  • Processing only on the controller’s documented instructions;
  • Not engaging a sub-processor without prior approval; and
  • Returning or deleting all data at the end of the contract.

 

Not only do businesses need to ensure that the external firms follow through on the privacy commitments, they’re also required to know their vendors’ privacy policies and ascertain that they have appropriate security measures in line with data protection compliance.

It should be noted that a data breach occurring at a third party or caused by a vendor is a shared responsibility between the parties: the processor must notify the data controller without undue delay, and the controller, in turn, must report the incident to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.

Furthermore, where the breach is likely to result in a high risk to individuals, the controller is responsible for informing the affected data subjects, or customers, with the DPO acting as the point of contact between the controller, the supervisory authority and the customers.

 

According to Soha Systems, 63% of all data breaches can be linked directly or indirectly to third parties. Additionally, only 37% of controllers believe that they will be notified by the vendor if there was a breach of data.

 

However, less than 20% of companies feel confident in being able to report a breach within the stipulated time while it was discovered that only 45% of EU companies made an effort to report such incidents.

 

Solution tip: To avoid the heavy costs of a vendor data breach, it’s best to have a solid vendor risk management program with strong technology and clear policies and procedures. Detailed audit records and processes also help to catch any issues before they escalate into a breach.

 

  • Data Deletion and Minimization

 

According to Symantec’s State of European Privacy Report in 2016, 90% of organizations believe that deleting customer data will be a challenge for them in regards to GDPR compliance while 60% said they are not equipped with an existing system to delete the data.

As the GDPR prohibits businesses from holding unnecessary data and from storing data for longer than needed, companies have had to determine what data to keep and for how long. Since the regulation also gives data subjects the right to erasure, organizations also need to find reliable ways to permanently remove personal data.

The issue is that some companies may not know where their data is stored within the organization, thus making it difficult to locate and delete the data. There’s also the problem of backups, so how are organizations expected to erase personal data that is “often scattered across multiple applications, locations, storage devices, and backups”?

 

 

Aside from deletion, data anonymization and pseudonymization are techniques businesses use alongside data minimization to comply with the regulation.

Anonymized data can no longer be used to identify the data subject and is excluded from the GDPR, as it is no longer personal data.

Pseudonymization, on the other hand, “replaces personal identifiers with non-identifying references or keys”, so that the data subject cannot be identified without the key. Data processed in this way is still regulated under the GDPR, because the data subject can be re-identified with that additional information.

While companies are using these methods to protect their data assets, organizations must ensure that they still comply with the data purpose limitation in Article 5 of the GDPR.
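The keyed approach described above, as an added Python example that is not part of the original article: direct identifiers are replaced with HMAC-SHA256 tokens, the key and the token-to-identifier table are held apart from the records as the “additional information”, and destroying them removes the link back to a person in every copy of the records, backups included. The sample records, the in-memory key handling and the dictionary attack against an unkeyed hash are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Set

# Constructed sample records; the people and addresses are fictitious.
RECORDS = [
    {"email": "anna.k@example.org", "name": "Anna K.", "country": "AT", "plan": "pro"},
    {"email": "bo.li@example.net", "name": "Bo Li", "country": "NL", "plan": "free"},
    {"email": "Anna.K@example.org", "name": "Anna K.", "country": "AT", "plan": "pro"},
]
DIRECT_IDENTIFIERS = ("email", "name")  # fields stripped from the pseudonymised copy


class Pseudonymiser:
    """Replaces a direct identifier with a keyed token (HMAC-SHA256).

    The key and the token->identifier table are the 'additional information'
    that allows re-identification; they must live apart from the pseudonymised
    records (assumption: here they are simply kept inside this object).
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def token(self, identifier: str) -> str:
        if self._key is None:
            raise RuntimeError("key destroyed: records can no longer be linked to a person")
        canonical = identifier.strip().lower()  # same person -> same token, so joins still work
        tok = hmac.new(self._key, canonical.encode(), hashlib.sha256).hexdigest()[:24]
        self._lookup[tok] = canonical
        return tok

    def pseudonymise(self, record: Dict[str, object]) -> Dict[str, object]:
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_id"] = self.token(str(record["email"]))
        return out

    def reidentify(self, tok: str) -> Optional[str]:
        return self._lookup.get(tok)

    def destroy_key(self) -> None:
        """Crypto-shredding: once key and table are gone, the tokens in every
        copy or backup of the records no longer link to anyone."""
        self._key = None
        self._lookup.clear()


def unkeyed_token(identifier: str) -> str:
    """What is often done instead: a plain hash. Deterministic and keyless,
    so anyone holding a list of likely e-mails can reverse it."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()[:24]


def dictionary_attack(tokens: Set[str], guesses: List[str],
                      tokenise: Callable[[str], str]) -> Dict[str, str]:
    """Recover identifiers by tokenising guessed e-mails and matching them."""
    hits: Dict[str, str] = {}
    for g in guesses:
        t = tokenise(g)
        if t in tokens:
            hits[t] = g.strip().lower()
    return hits


if __name__ == "__main__":
    p = Pseudonymiser()
    safe = [p.pseudonymise(r) for r in RECORDS]
    print(safe)                                   # tokens instead of e-mail and name
    print(p.reidentify(safe[0]["subject_id"]))    # works while the key exists
    p.destroy_key()
    print(p.reidentify(safe[0]["subject_id"]))    # None: link destroyed
```

Two caveats a practitioner would add: an unkeyed hash of an e-mail address is pseudonymization at best, since the dictionary attack in the block recovers it, and destroying the key only removes the direct link; whether the remaining fields (here country and plan) still single someone out has to be assessed separately before the result is treated as anonymous.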

 

Solution tip: Implement automated data discovery software or machine learning technologies that are able to keep track of all the data in the organization’s databases, data lakes and legacy systems. Carefully review if anonymized data is possible for the company’s data use before implementing any anonymization solution or automated erasure software.
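A minimal data-discovery scan of the kind the tip refers to, added here as an example (Python; not from the article or from any product it mentions): it walks nested records from several stores, matches e-mail addresses, E.164 phone numbers and IPv4 addresses, and reports each hit with the store and path where it was found. The store names, record layouts and log lines are constructed sample data.

```python
import re
from typing import Any, Dict, Iterator, List, Set, Tuple

# Regexes for a few identifier types that count as personal data under the GDPR.
# Constructed and deliberately simple; extend or tune them for your own data.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone_e164": re.compile(r"(?<![\w+])\+[1-9]\d{6,14}(?!\d)"),
    "ipv4": re.compile(r"(?<!\d)(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?!\d)"),
}

# Constructed sample of three stores; names, people and addresses are fictitious.
SAMPLE_STORES: Dict[str, Any] = {
    "crm_db": {
        "customers": [
            {"id": 1, "contact": {"email": "anna.k@example.org", "phone": "+4367612345678"}, "plan": "pro"},
            {"id": 2, "contact": {"email": "bo.li@example.net"}, "plan": "free"},
        ]
    },
    "app_log": [
        "2020-06-01T10:02:11Z INFO login ok user=anna.k@example.org ip=203.0.113.7",
        "2020-06-01T10:05:42Z INFO export done rows=1200",
    ],
    "metrics_lake": {"daily_active": [120, 131, 128], "region": "eu-west-1"},
}

Finding = Tuple[str, str, str, str]  # (store, path, kind, matched text)


def walk(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json-path, string) for every string leaf in a nested structure."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}")
    elif isinstance(node, (list, tuple)):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def discover(stores: Dict[str, Any]) -> List[Finding]:
    """Run every pattern over every string leaf of every store."""
    findings: List[Finding] = []
    for store, data in stores.items():
        for path, text in walk(data):
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(text):
                    findings.append((store, path, kind, m.group()))
    return findings


def inventory(stores: Dict[str, Any], findings: List[Finding]) -> Dict[str, Set[str]]:
    """Per store, which kinds of personal data were seen (empty set = none found)."""
    inv: Dict[str, Set[str]] = {name: set() for name in stores}
    for store, _path, kind, _text in findings:
        inv[store].add(kind)
    return inv


if __name__ == "__main__":
    hits = discover(SAMPLE_STORES)
    for hit in hits:
        print(hit)
    print(inventory(SAMPLE_STORES, hits))
```

The inventory is the output a governance program actually needs: the app log, which nobody would list as a customer database, turns out to hold e-mail addresses and client IPs and so belongs in the retention and erasure plan. Pattern matching of this kind produces false positives (a dotted version string looks like an IPv4 address), so findings are a list to triage, not a final register.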

 

  • Data Security

 

The COVID-19 pandemic brought many challenges to organizations, one of them being the rise of data breaches as remote working continues to be the norm for companies. In fact, the months between March and June 2020 recorded more than 470 data breaches, pushing CIOs, CISOs and other C-suites to strengthen their cyber security strategies.

Breaches not only indicate a lack of data security on the controller’s or processor’s part, but can also lead to GDPR fines of up to €20 million or 4% of the company’s total worldwide annual turnover, whichever is higher.

Reputation damage and loss of customer confidence are other consequences of such incidents, which can be hard to rectify even after containing the breach, seeing as “57% of consumers don’t trust brands to use their data responsibly”.

From low employee awareness of cyber threats and lax online behavior to unsecured endpoints and external access, there are many gaps that attackers can exploit to reach a company’s data.

 

“Data security does not equal data privacy, but it is an integral part in achieving it.”

– Paige Bartley, Senior Research Analyst at S&P Global Market Intelligence,

Expert Interview: Paige Bartley on Data Privacy

 

CIOs are already focusing on maintaining system security while employee training is a topmost priority for 92% of C-suites, according to our findings.

 

Solution tip: Update policies on access to and handling of data when it is managed externally, and step up employee training on the new policies, online safety and emerging cyber threats. Limit access to personal data to authorized personnel only, and implement systems that log access and detect unauthorized access.
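An added Python example, not from the article, of the last two measures: a role-to-data-category policy (constructed) and a detective check run over constructed access-log lines that flags reads outside a role’s permission, bulk exports above a threshold, unknown roles and lines that cannot be parsed. The log format, roles, datasets and threshold are assumptions for the illustration.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed least-privilege policy: role -> data categories it may touch.
POLICY: Dict[str, Set[str]] = {
    "support": {"contact"},
    "billing": {"contact", "payment"},
    "analyst": set(),            # analysts work on pseudonymised extracts only
    "dpo": {"contact", "payment", "health"},
}
# Which category each dataset holds (constructed).
DATASET_CATEGORY = {"crm.contacts": "contact", "billing.cards": "payment", "hr.medical": "health"}
BULK_THRESHOLD = 500             # rows in one access above which we want a second look

# Assumed log line format: "<ts> user=<u> role=<r> action=<a> dataset=<d> rows=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) dataset=(?P<dataset>\S+) rows=(?P<rows>\d+)$"
)

# Constructed access-log lines; users and datasets are fictitious.
SAMPLE_LOG = [
    "2020-06-02T09:14:03Z user=mia role=support action=read dataset=crm.contacts rows=1",
    "2020-06-02T09:20:45Z user=mia role=support action=read dataset=billing.cards rows=3",
    "2020-06-02T23:41:10Z user=raj role=analyst action=export dataset=crm.contacts rows=12000",
    "2020-06-02T10:02:00Z user=eva role=billing action=read dataset=billing.cards rows=2",
    "2020-06-02T10:05:00Z user=eva role=billing action=export dataset=crm.contacts rows=800",
    "2020-06-02T10:06:00Z user=sam role=intern action=read dataset=hr.medical rows=1",
    "corrupted entry ##",
]

Alert = Tuple[str, str, str]   # (user, dataset, reason)


def parse(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check(entry: Dict[str, str]) -> List[str]:
    """Return the policy violations for one parsed access (empty list = fine)."""
    reasons: List[str] = []
    category = DATASET_CATEGORY.get(entry["dataset"])
    allowed = POLICY.get(entry["role"])
    if category is None:
        reasons.append("unknown dataset")
    if allowed is None:
        reasons.append("unknown role")
    elif category is not None and category not in allowed:
        reasons.append(f"role {entry['role']} not permitted for {category} data")
    if int(entry["rows"]) > BULK_THRESHOLD:
        reasons.append(f"bulk {entry['action']} of {entry['rows']} rows")
    return reasons


def audit(lines: List[str]) -> List[Alert]:
    """Run the policy over a batch of log lines and collect alerts."""
    alerts: List[Alert] = []
    for line in lines:
        entry = parse(line)
        if entry is None:
            alerts.append(("?", "?", "unparseable log line"))  # a broken log is itself a finding
            continue
        for reason in check(entry):
            alerts.append((entry["user"], entry["dataset"], reason))
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
```

The check is only the detective half: the same policy should be enforced up front by the data store’s own grants or IAM roles, so that the “support reads payment data” line never succeeds in the first place, and the audit then catches drift between what was granted and what the policy says.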

 

How should companies stay GDPR-compliant?

 

Executive leadership is vital in ensuring the organization remains compliant with the regulations.

While data compliance and cyber security may be in the realm of the CDOs, CISOs and CIOs, all stakeholders that collect and use customer data should be involved – from marketing and sales to finance and operations – along with the assigned DPO.

Clear and detailed procedures must be established and periodically reviewed to ascertain that the processes continue to adhere to the GDPR. This not only includes the handling and use of the data, but also in answering the requests of data subjects exercising their rights.

Furthermore, organizations should demonstrate accountability and transparency in all processing activities, which extend to keeping records of risks and compliance progress, maintaining a strong data protection and breach response plan, and ensuring the continued compliance of external parties.

Although companies might lament over the obstacles and concerns of being GDPR-compliant, studies showed that among the businesses that have implemented their compliance processes, 74% of organizations say the GDPR has a beneficial impact on consumer trust while 73% believe the regulation has actually boosted their data security.

Overall, the GDPR is showing a positive effect on businesses, especially for companies that show they value the privacy of their customers.
