The clock is ticking. We have under one year until the greatest shakeup of data protection laws comes into force. The European Union’s GDPR (General Data Protection Regulation) will be law on May 25, 2018. It covers not just organizations based in the 28 countries of the EU, but anyone who has data on individuals living in those countries – that’s over 500 million people and if you collect information on your website that probably means you too.
There’s a huge amount of information published on GDPR; from the point of view of lawyers, the regulators who will enforce it, IT security vendors, and marketing associations, it can appear to be overwhelming. Perhaps now is the best time to go back to basics and look at the background and general basis for the law.
If there are people in your organisation who are still not convinced GDPR matters, are trying to hide from it, or see it purely as a burden, this previous blog is aimed at them. A quick infographic of the regulation is here, reminding us that the maximum fine could be up to 4% of turnover or €20M (around US$22M), which should be getting everyone’s attention.
But why is the law coming in now and why is it so detailed and prescriptive? Honestly, it is our fault – both the way organizations have collected and used data in the past as well as the lack of respect for the value of that data and the lack of controls on the use and sharing of that data.
Data protection laws have been around for decades; this is not a new thing. California has led the way with mandatory breach notification, and in the European Union the original data protection directive that the GDPR replaces was published in 1995 – so we’ve had over 20 years to get this right. And yet in that time we have lost more data than ever before, primarily because we have treated it as of little value.
We need to think about the value of this data to the individual it belongs to and remember that even if we collect it and process it we are only guardians of that data; we don’t ‘own’ it, it is on loan from the person it refers to. An older blog reviews this here. You can see why the fines are so high. In the past, some companies have decided that the fines were so low that they were outweighed by the cost of improving processes and installing technology to correctly manage the data. The amount of the fines is set to try to stop this – though mandatory breach notification and the loss of trust by consumers may be an even greater deterrent.
So, let’s go back to basics and review the background to GDPR. Without too much jargon, the overarching principles are below, and everything in the regulation stems from these general points.
- Any data that can identify a living individual is covered in the GDPR – and if that information is gathered by pulling together multiple sources, it is still considered individual data
- Data on an individual belongs to that individual at all times
- Any individual must give authority (opt-in consent) for anyone else to collect, store, and process that data, and this must be clearly explained
- The individual must be told what the data is used for; it must only be used for that specific purpose and deleted at the end of the processing
- The individual has the right to review and take their data back and forward it onto another provider
- The individual can demand that their data be deleted
- The data should be kept safe, secure, and not shared with third parties unless the individual has agreed to this
- Whoever collects the data (i.e. the “data controller”) is responsible for the data at all times
- Anyone using that data on behalf of the data controller (i.e. a “data processor”) is also responsible and must treat it with care
- Policies, procedures, and technology should be well documented so that the authorities can check, especially if a data loss incident occurs
- If data is lost, both the regulator and the individuals must be informed
- The regulator can issue fines if data is lost; these fines are based partly on the processes, policies, training and technology deployed to keep the data safe
- Individuals can issue class action lawsuits if data is lost
- Data should only leave the European Union if all the above are enacted wherever the data is sent
- Special, sensitive data has to be dealt with even more carefully
From an IT point of view, we should review some basics too – is access to all data logged? Do we enforce a corporate identity and access management system for all systems, even cloud services? Have we implemented data loss prevention technology that can identify data on individuals? Can we encrypt or tokenize data in some of our systems? Which third parties do we share data with? Have we implemented good practices such as least privilege models?
If you would now like (many) more details on GDPR and our 68-page publication “GDPR – An Action Guide for IT”, please download from here.