Passed by the European Union, the General Data Protection Regulation bill (GDPR) is poised to transform the global digital marketplace. And yet, many organizations are not prepared for it. In fact, approximately 55 percent of organizations worldwide are concerned that they will struggle to meet compliance standards, according to research from the information security provider Varonis. That’s particularly problematic since GDPR non-compliance comes with weighty financial penalties — the EU can level fines as large as €20 million or 4 percent of an enterprise’s annual revenue.
With this in mind, businesses based or serving customers in Western Europe must ensure they are prepared for the GDPR and possess the backend processes and tools needed to comply with the new law, which is set to become enforceable May 25, 2018. Here are some of the central issues internal IT teams and their third-party partners must address:
User consent
The GDPR is designed to protect consumers or, as they are called in the legislation itself, “data subjects.” As a result, the regulation centers on an all-encompassing list of explicit data subject rights. The European Commission, the group within the EU that drafted the bill, found that these liberties were left unarticulated in an existing piece of legislation from 1995 governing enterprise data collection, analysis and dispersal. The body then decided to document a number of data privacy rights they saw as inalienable and make these the centerpiece of the GDPR. Of the five or so key user entitlements established in the regulation, the right to consent is the most crucial.
The GDPR requires companies to gain explicit consent from data subjects before collecting their information. These consent agreements, delivered via web forms, must be concise and completely free of legalese. Such online accords should also include clear explanations clarifying the purpose of data collection, along with attached descriptions of all applicable processing and sharing activities. Finally, organizations under the purview of the GDPR must give data subjects the power to withdraw consent at any time, with no exceptions. How can enterprises adhere to these standards? The multinational law firm Baker McKenzie advises businesses to deploy tick boxes and other “unambiguous” forms of consent on web-based interfaces, ensuring that users can give freely and explicitly authorize data collection activities. It is worth mentioning that the GDPR also allows oral consent agreements. However, these are generally viewed as less reliable and more difficult to collect and catalog than written iterations.
Privacy by design
One of the more involved mandates laid out in the GDPR is the regulation directing businesses to ensure “privacy by design.” This is achieved by integrating data security protections into the foundational frameworks of backend systems. The concept of privacy by design has existed for some time. However, enterprises avoided this approach in the past, choosing to address user privacy after the construction and implementation of key hardware and software. Under the GDPR, privacy by design has become an essential requirement.
The strategy encompasses digital and physical defenses, along with related policy meant to ensure safe data handling practices. For example, an organization might install server monitoring technology or hire an external security firm to oversee system activity, while also rolling out strict internal access and data minimization requirements, two policy provisions suggested in the GDPR itself.
Breach notification
Hackers orchestrated almost 1,600 large-scale data breaches last year, according to research from the Identity Theft Resource Center. More than 178 million sensitive files were lost in these attacks, which affected businesses across virtually all industries. However, it is likely that a significantly larger number of breaches unfolded over 2017 as many instances of data loss go unreported. In fact, an estimated 50 percent of breaches are not reported to oversight bodies or law enforcement agencies, analysts for ThreatAttack found. The GDPR attempts to address the unfortunate phenomenon by requiring enterprises based in the EU or serving customers in the region to notify data subjects within 72 hours of detecting a data breach.
With the effective date for the GDPR quickly approaching, companies subject to the legislation must act quickly to ensure the meet compliance standards.
Sources:
https://www.nytimes.com/aponline/2018/03/26/world/europe/ap-eu-europe-data-crackdown.html
https://www.pwc.com/us/en/increasing-it-effectiveness/publications/gdpr-readiness.html
https://www2.deloitte.com/nl/nl/pages/risk/articles/gdpr-benchmarking-survey.html
https://iapp.org/news/a/recent-survey-shows-gdpr-compliance-costing-millions/
https://iapp.org/news/a/survey-61-percent-of-companies-have-not-started-gdpr-implementation/