This is the third and final contributed article in our series of GDPR-related articles. In the first article we discussed the extra-territorial reach of the regulation and why U.S. companies need to understand GDPR. In the second article we focused on specific new requirements related to the definition of privacy-sensitive personal data, consent and disclosure rules, as well as new customer rights. This final article will discuss GDPR’s approach to accountability and data security.
- Any American company that does business in the EU needs to be in full compliance with GDPR by May 25th, 2018. Even if your company has no presence in the EU, so long as you market to EU residents, even if it is through the web, you need to comply with the GDPR.
- Personal data, as defined by the GDPR, goes well beyond what U.S. companies typically think of as Personally Identifiable Information (PII). Europe applies a much stricter standard for what is considered personal data.
- The cost of non-compliance could be devastating, and even fatal to many companies, as you can be fined up to 4% of global annual revenue or €20 million, whichever is higher. The amount of the fine will be influenced by the nature, gravity and duration of the infringement.
- For example, non-compliance for even a medium-sized bank like Charles Schwab Bank ($5.5 billion rev) that provides online banking services to customers in Europe could potentially cost them up to $220 million, while non-compliance by a retail firm like Abercrombie & Fitch ($3.5 billion rev) that provides upscale clothing for young consumers could potentially cost them up to $140 million.
- To be ready by May 25th, 2018, preparation needs to begin now because it can take up to 16 months to become compliant. Major organizations like Citibank are already preparing for GDPR.
- Most organizations have complicated data landscapes making it challenging to find the data and its usage. Effective ways to discover data and how it flows in systems will be critical to ensuring compliance while controlling implementation costs. Some tools have been developed to automate this data discovery process using machine learning techniques.
In this post we will discuss GDPR’s approach to accountability and data security.
The basic rule is that each organization needs to be able to demonstrate compliance. If your company is deemed to be involved in “high-risk” processing, you are obliged to perform a data privacy impact assessment (DPIA). GDPR states that such assessments should “evaluate, in particular, the origin, nature, particularity and severity of that risk” and “outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation.” This is an area to watch to understand exactly what is required for different privacy risks in different industries.
The minimum requirement is to create and maintain accurate records of all sensitive processing your organization is involved in, and to incorporate privacy impact assessment into your product/service development processes.
Securing Personal Data and The New Data Protection Officer
The organization is responsible for the security of the data. GDPR does not specifically mandate technical measures like encryption but holds the organization responsible for implementing technical, organizational, and process controls that prevent breaches. Because specific technical solutions are not mandated, the burden is on the individual company to determine the best solution for its unique circumstances in order to meet the regulation.
There are also new reporting rules in case of a breach. The basic rule is that an organization needs to report a breach to the regulator (and sometimes to the affected individuals) within 72 hours after detection. Organizations do themselves a service if they proactively define the media communication strategies they will employ in case there is a breach.
To ensure that controls are implemented and compliance can be demonstrated, organizations should appoint a data protection officer reporting directly to the highest level of management. The data protection officer should be involved in all aspects of GDPR and the protection of the organization’s personal data.
Implementing GDPR Accountability and Data Protection Rules
The foundational accountability requirement means that you must know all personal data you store and use. This is a major challenge as many organizations habitually store data redundantly.
Sustained compliance means that your product/service development and production processes may need to be updated to consider personal data storing and usage implications from architecture and design to deployment.
For many companies, securing data is probably already a priority. For them, the new requirement means that they are now responsible for actually demonstrating how all of their personal data is effectively secured.
The rules for breach disclosure and data protection officers will require implementing or updating operational processes, job descriptions, PR processes, etc.
Finding and Understanding Your Company’s Personal Data Is the First Step for Compliance
Understanding all of your customers’ personal data elements and their data lineage is the first necessary step in implementing a compliant data governance process. This is not a trivial task, and historically companies have had to resort to expensive manual work to accomplish it. Fortunately, there are new tools that perform automated data discovery and data-flow mapping across an enterprise using machine learning.
Summary and Next Steps
The EU’s General Data Protection Regulation (GDPR) was published on May 4, 2016, and any company that does business in the EU needs to be in full compliance by May 25th, 2018. Failure to be in compliance can result in large fines, which could be devastating to many companies, as the penalties can be up to 4% of global annual revenues or €20 million, whichever is higher.
To meet the compliance deadline, companies need to begin now to put in place robust programs to find and understand all of their customers’ personal data, in order to build a comprehensive data governance program. Finding all of your customer-related data elements and their data lineage across an enterprise is one of the first necessary steps, and can be a highly manual, slow and costly process. Products like ROKITT ASTRA have been developed to automate this data discovery process using machine learning techniques.
Contributed by: Stuart Tarmy, VP Sales and Marketing at ROKITT, brings over 20 years of experience as a GM and head of sales, marketing and product management for leading global financial service technology, e-commerce, data management and predictive analytics (Big Data) companies. ROKITT has developed a product called ROKITT ASTRA that performs automated data discovery and data-flow mapping across an enterprise using machine learning. ROKITT ASTRA goes well beyond the information found at the metadata level of a company’s databases, and is able to discover the ‘hidden’, undocumented data that can make up to 80% of a company’s data assets and that often resides in older legacy, siloed or undocumented systems. Stuart has held senior executive roles with Fiserv, Albridge Solutions (acquired by Pershing/BNY Mellon), MasterCard, and McKinsey & Company. He earned an MBA from the Yale School of Management, an MS in Electrical Engineering from Duke University, and a Sc.B. with Honors in Electrical Engineering from Brown University.