General Data Protection Regulation - An Effort to Protect Personal Data in the Age of Digital Disruption
Privacy is an area of concern of the past, the present and the future. The digital explosion and the spread of connected technology will have a potential impact on privacy and thus protection of personal data is being prioritised. Data protection and privacy is gradually gaining the spotlight and is undergoing a paradigm shift especially in light of the new General Data Protection Regulation (GDPR). When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) from 1995. It becomes enforceable from 25 May 2018 after a two-year transition period.
The GDPR applies to any organization, regardless of geographic location, that controls or processes the personal data of a European Union (EU) resident. It dictates what data can be collected, need for explicit consent to gather such data, broadened data subject rights, obligatory breach notification, lawful processing and stronger powers to substantially fine organizations that fail to protect the data for which they are responsible.
As per a survey report by IAPP and EY – Governance focussing on privacy, only 40% of the organizations across the globe believe that they would be ready for GDPR by 25th May 2018 and the rest 60% have a long way to cover before being compliant. The survey further points out that with GDPR the investments in privacy programs and skills have increased substantially over the previous year and are expected to increase further.
Other countries including India are also working towards developing their own privacy frameworks which would either complement GDPR or make it more stringent, in the end putting the power in the hands of the data subjects and making them more responsible for their privacy.
Key GDPR requirements and considerations
The GDPR introduces a rigorous and comprehensive privacy framework for businesses that operate target customers or monitor individuals in the EU. Organizations now have less than one year left to meet the suite of new obligations imposed under the GDPR to implement compliance programs to protect data subjects and avoid hefty enforcement penalties.
Organizations will need to understand and document what data is acquired, maintained and processed, and the purpose / legal basis for it. With GDPR, EU residents will gain more control of their personal data as organizations will have to provide with clear and unambiguous information on how their data is being processed and how they will have to obtain explicit consent from the residents to process it. As GDPR empowers the data subject with privileges such as right to be forgotten, right to portability, right to object profiling, etc. Organizations will have to ensure that they have mechanisms in place to comply by these new requirements. GDPR also emphasizes on the need of appointing a data protection officer, who will be the single source of contact for the supervising authority and will be required to advise upon, and maintain compliance with the GDPR.
Privacy by Design has become an enshrined requirement as it will force organizations to embed privacy protection into every aspect of their business rather than bolting it on as an afterthought. It advocates a risk-based approach that allows organizations to tailor their privacy protection programs based on the risks that are most material to the organization. In line with this requirement, organizations will be required to conduct privacy impact assessments and implement security measures that balance the newest technology with the cost of implementation and reflect the severity and likelihood of risks to an individual’s rights and freedoms.
GDPR also underlines that cross-border transfers of data shall be allowed to countries that provide an adequate level of personal data protection. It mandates organizations to report a data breach within 72 hours of the incident. Above all, organizations that violate the basic processing principles of the GDPR may subject to fines total as much as 4% of the organization’s total global annual revenue or 20 million euro whichever is greater.
Implications of the new regulation and the way ahead
The implications of the GDPR for organizations can be summarized simply: every affected organization needs to immediately undertake a significant re-examination of its organizational data strategy related to personal and special categories of data. Specific requirements in the GDPR needs to be planned for, organizational and technological approaches have to be implemented to resolve problems, and protection policies are to be further strengthened. Adopting recognised standards such as ISO27001, COBIT etc. may help in achieving greater transparency over data, and including periodic reviews into such activities may further support compliance going forward. Additionally, the existing IT governance frameworks are needed to be adjusted to encompass all key GDPR requirements.
Another major implication of the GDPR is for those organizations that were not subjected to the earlier EU data protection directive by virtue of not being based in one of the member states. The new, level playing field introduced by the GDPR applies to all firms everywhere if they control or process personal data on EU residents. The proposed regulation brings the Indian service providers directly under the jurisdiction of EU commissioners. Adhering to the regulation leads to opportunity loss for the Indian IT/BPO industry as it further lowers the threshold for data transfer outside EU. Following the regulations significantly adds to the compliance costs for the service providers. These costs are higher when serving EU-based clients as compared to other markets such as the US.
The new EU security requirements are complex and demand constant surveillance. It is in this context that companies need to realise that data privacy is not just an IT problem or a compliance issue, but a significant concern that the entire organisation (DPO, CIO/CISO and business teams) must work together to effectively manage the risk.