GDPR and Business Mobility - Part 1

General Data Protection Regulation, or GDPR, is likely to be something you'll hear about quite often over the next two years. In this article I am going to summarise my understanding of GDPR. I will then bring that into the world of Business Mobility, where we may be collecting information that needs consideration.

If you are struggling to sleep at night, HERE is the full 88-page journal for GDPR.

What is it?

It has been coming for some time and you might already know of it from some of the headlines it has generated, such as "the right to be forgotten" or "privacy by design". It is designed to strengthen and unify data protection for citizens of the European Union. The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, information such as genetic, mental, cultural, economic or social information. When the GDPR comes into force, organisations will be required to abide by a number of provisions or face significant penalties.

When is it?

GDPR becomes enforceable on 25th May 2018. The GDPR will supersede national laws such as the UK DPA, the EU Data Protection Directive, the US 4th Amendment, HIPAA, etc.

Does it apply to me?

The statement that it unifies data protection for citizens of the EU is a bigger statement than it first seems. Many cloud platforms or multinational companies do not monitor or distinguish between EU citizens and citizens of other countries. This means that any company that works with information relating to EU citizens will have to comply with the requirements of the GDPR, essentially making it the first global data protection law in history. Regardless of whether your company is based in China, the USA or a post-Brexit Britain, if you hold data on EU citizens then you will still be bound by the GDPR legislation and its fines.

What is the impact on inaction or breach?

This is where things get relevant and important. The financial impact on a business falling foul of GDPR is huge. An organisation may be fined up to €10M or 2% of its annual turnover (total income received, not profit), whichever is higher, for not properly filing and organising its records, for not notifying the supervisory authority and data subject about a breach, and for not conducting impact assessments. In severe cases it may be fined up to €20M or 4% of its annual turnover, whichever is higher, for violating the basic principles related to data security or for violating consumer consent. If we look back on 2015 and 2016, which have seen some very public data breaches, every company should at least be looking to improve its security posture, if not its privacy stance.

To put this into perspective, TalkTalk was recently fined £400,000 by the Information Commissioner's Office for the hack and leakage of their customers' personal data. Under GDPR, with a 2015 revenue of £1.79B, the fine would have been closer to £88.2M. Combine that with the fact that the attack had cost it £42M in share value and 101,000 subscribers in the aftermath of the attack, and the cost of breaching GDPR is looking more expensive than the reputational fallout with customers.

Check out my GDPR fine calculator. Use sources like EDGAR, Companies House, a company's own website or even Wikipedia to find the annual revenue of a company.

What do I need to be concerned with?

In the future, it will be more important than ever for organisations to explain exactly what personal data they are collecting and how it will be processed and used. Information pertaining to children will require valid consent. Without valid consent, any personal data processing activities will be shut down by authorities.

The legislation also suggests that every company matching certain criteria employ a Data Privacy Officer dedicated to policing privacy. This would be for companies with more than 250 employees, all public authorities, or companies where the core activity of the business involves regular and systematic monitoring of data subjects on a large scale. According to a study by the International Association of Privacy Professionals, this requirement means that, in Europe alone, 28,000 DPOs will have to be appointed in the next two years.

In the event of a breach of personal data, notice must be provided by the DPO or company "without undue delay and not later than 72 hours after having become aware of it." This notification would feed into the supervisory authority. This is essentially a one-stop-shop mechanism, whereby there is no confusion about who to report to in the event of a privacy data breach.

Privacy impact assessments (PIAs) are a requirement and, in fact, a component of implementing privacy by design in data structures. They allow organisations to discover and fix problems at the earliest stages of any project where data privacy could be a factor. Projects might include a new service, a data migration or a marketing campaign targeting groups of people.

One of the more controversial elements of the GDPR is the right to be forgotten, whereby data held on an individual should be removed from data structures if the person so wishes. The challenge is huge in that there is no global framework to allow individuals visibility over their overall online image. Companies like Google, which have been collecting data about people from websites since the dawn of the internet, can surely not escape this requirement without fundamentally changing their historically collected data.

Data portability is one of the more interesting elements and has been a gripe for most users of a service. When you go to a new company or procure a new service from a company you have a clean slate, so to speak. You are a new user and thus have to duplicate the information already held elsewhere. Businesses, therefore, will need to develop workflows to retrieve and share data in interoperable formats. While it is stated that businesses will not be obliged to create new systems that are technically compatible with others, GDPR legislators are clearly hoping this will happen, evidenced by the provision for data to be directly transferred from company to company. Easier said than done. And why assume this would be a good thing for consumers? Looking at the insurance industry in the UK, they have already been warned about sharing data in order to needlessly drive up consumer premiums. And does this open up a broader attack surface for a breach, given that third parties must be trusted with the data you hold on a person?

In Part 2, I will relate the above principles to Business Mobility and what to consider in your current and future Enterprise Mobility Management setup.

What are your views on the GDPR legislation? Are you happy that your privacy is protected by legislation, or do you think this is an unneeded bureaucratic policy?

Views are my own, not my employer's.


Great article Dave, I think there are still a lot of organisations out there who need to catch on to this, otherwise 2018 will hold some rather interesting surprises for them.

Dave Horton

Enterprise AI Solutions @ Airia

8 years

Part 2 of this article is now available to read and comment! https://www.dhirubhai.net/pulse/gdpr-business-mobility-part-2-dave-horton

Andy Winwood

Secure, service, manage and self-heal everything. Regardless of what and where it is. Right across the Everywhere Workplace.

8 years

Thanks Dave. As you say, it definitely looks like GDPR will have a massive effect. Interesting.

Peter Rus

Innovative enterprise solution/security architect/DORA /CRA /Digital Compliance Strategy/ Ensure successful innovation projects in less time with more value

8 years

Dave Horton, what is not calculated is when you have a joined processor responsibility. Also, I would like to know what mechanisms you use to calculate the costs, since it can be liable to more than one regulation, dropping of shareholder prices, or, like with Target, cost half of their revenue, so the calculator is not even accurate. Opinions are our own. P@ssport - illusion of control part 2 - https://bit.ly/2e8Ryh0

Steve Trigg

Digital Policing at Metropolitan Police

8 years

Dave, good article, and I'm eager to read the next instalment on the implications for Business Mobility. My initial thoughts on mobility are that it's still the same data sets as it was from a fixed desk. However, there are likely implications of which country you were in when you accessed the data? Steve Trigg
