GDPR storm is coming

The big storm arrives in 2018. What the hell is it? The storm is called GDPR, the General Data Protection Regulation. It is the forcing mechanism that will finally drive organizations to take a proactive governance posture toward their unstructured data. If you process data about individuals in the EU, whether you are established there or you sell goods or services to (or monitor) people living there from outside the EU, you will need to comply with the GDPR. You have until 25 May 2018 to be ready. So what is this GDPR compliance? The GDPR replaces the 1995 Data Protection Directive and the patchwork of national laws built on it. It is a regulation, not a directive: it needs no enabling legislation from any member state, so it applies directly in every EU country from 25 May 2018. Its focus is the privacy of, and transparency about, the data you collect from your customers or your audience. Consent is only one of the lawful bases for processing (Article 6), but where you rely on it you must be able to prove that your audience consented to the collection, processing and management of their data, and people also get the right to be forgotten (to have their data erased from your databases).

Personal data is defined as "any information relating to an identified or identifiable natural person" (Article 4(1)). What the fuck is a natural person? A living human being, as opposed to a legal person such as a company. And what identifies one: a name, a location, an identification number? Recital 30 tries to explain this and expressly calls out online identifiers such as IP addresses, cookie identifiers and RFID tags, exactly the examples I was asking about. In my opinion, the regulation should spell out more clearly every piece of data that counts as personal data, because a vague definition is very easily misused by authorities and especially by lawyers. With modern technology we also create more personal data than ever before, and the processing of that data has become ubiquitous. The GDPR is meant to update the standards to fit today's technology and to protect the fundamental rights of individuals through future waves of innovation, not to put more power in the hands of state institutions. Yet the supervisory authorities will enjoy wide investigative and corrective powers (Article 58), including the power to carry out on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation to any company, organization or foundation. Corruption will flourish. And with such a high bar, often the most effective approach for companies will be to minimize exposure and not to process personal data in the first place. I'm not sure of that!

The fact of the matter is that most organizations don't think about data across its entire lifecycle; it is usually relegated to something to be dealt with as 'equipment', or someone from IT is made responsible. Entirely wrong! From May, the organization itself is responsible. You will have to make sure your policies state very clearly what you are going to do with the data you collect. Once you have that, you need a lawful basis for each processing activity (Article 6). Where that basis is consent, you must obtain it from consumers as they sign up, and if they don't agree you can't sign them up on that basis. Consent has to be freely given, specific, informed and unambiguous (Article 4(11)), so a pre-ticked box or a silent update to your terms and conditions will not prove it; keep a record of what each person agreed to and when.

Also, this is the first time a law directly regulates data processors. Sounds very good? Ah, not quite. Processors must comply with specific obligations, including maintaining records of their processing activities (Article 30), implementing appropriate security measures (Article 32), assisting the controller with data protection impact assessments (Articles 28 and 35), appointing a data protection officer where required (Article 37), complying with the rules on international data transfers (Chapter V) and cooperating with the national supervisory authority (Article 31). Processors are directly liable to administrative fines (Article 83) if they fail to meet these obligations and may also face claims for compensation from individuals (Article 82). If you don't prepare, the highest fine (Article 83(5)) is up to 20,000,000 euros or, in the case of an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. Oh, God! You have to understand what data you have, and a data audit is how you find out. Once you have that inventory, put a plan in place, especially to find the 'hidden' data processors within your business. Their processing needs a lawful basis too. It's not just marketing: payroll and the other systems within your business that handle personal data are all in scope. So make them compliant as well.
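The data audit above starts with finding out where personal data actually lives, and the identifiers Recital 30 lists are a good place to begin. As an added example (not part of the original article), the following Python scan walks a small corpus of unstructured text and reports which sources hold which kinds of identifier. The file names, the patterns and the sample contents (a web access log, a payroll export and a README) are all constructed for this example; the payroll file is there precisely because it is the kind of 'hidden' processor the text warns about.

```python
"""Personal-data discovery scan for a GDPR data audit (added example).

Scans unstructured text for a few identifier types (IP addresses and cookie
identifiers as in Recital 30, plus e-mail addresses and phone numbers) and
reports where they occur, so the hidden stores of personal data can be
inventoried. All sample inputs below are constructed for this example.
"""
import re
from collections import Counter

# Deliberately simple patterns; a real audit would tune and extend them
# (national ID formats, card numbers with a Luhn check, names from HR lists).
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    # common session/analytics cookie names; the value is the identifier
    "cookie_id": re.compile(r"\b(?:sessionid|PHPSESSID|_ga)=[A-Za-z0-9._-]+", re.I),
    # E.164 phone numbers such as +40721000000
    "phone_e164": re.compile(r"(?<![\w+])\+[1-9]\d{7,14}\b"),
}


def mask(value):
    """Keep only the first and last character so the audit report does not
    become yet another copy of the personal data it found."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def scan_text(text):
    """Return {category: [(line_no, masked_match), ...]} for one document."""
    hits = {}
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                hits.setdefault(category, []).append((line_no, mask(match.group(0))))
    return hits


def audit(corpus):
    """corpus: {source_name: text}.

    Returns (summary, clean): summary maps each source that contains personal
    data to a Counter of hits per category; clean lists sources with no hits,
    which can be documented as out of scope for the audit."""
    summary = {}
    clean = []
    for name, text in corpus.items():
        hits = scan_text(text)
        if hits:
            summary[name] = Counter({cat: len(found) for cat, found in hits.items()})
        else:
            clean.append(name)
    return summary, clean


# Constructed sample corpus (hypothetical paths and contents).
SAMPLE_CORPUS = {
    # Web server access log: client IPs and a session cookie are personal data.
    "www/access.log": (
        '203.0.113.42 - - [01/May/2018:10:01:12 +0000] "GET /cart HTTP/1.1" 200 '
        '"Cookie: sessionid=k3j4h5g6f7d8"\n'
        '198.51.100.7 - - [01/May/2018:10:01:15 +0000] "POST /login HTTP/1.1" 302\n'
    ),
    # Payroll export: not marketing data, but very much in scope.
    "hr/payroll_export.csv": (
        "employee,email,phone\n"
        "E001,ana.popescu@example.com,+40721000000\n"
        "E002,ion.ionescu@example.com,+40721000001\n"
    ),
    # Documentation with no personal data at all.
    "docs/README.txt": "Build with make. Ships with version 2.1.\n",
}


if __name__ == "__main__":
    found, clean_sources = audit(SAMPLE_CORPUS)
    for source, counts in found.items():
        print(source, dict(counts))
    print("no personal data found in:", clean_sources)
```

Two design points matter more than the patterns themselves. The report stores masked values only, because an audit spreadsheet full of raw e-mail addresses and IPs is itself a new, usually unprotected, copy of personal data. And the scan is run over logs and exports, not just the customer database: on the sample corpus the access log lights up on IP addresses and a cookie identifier and the payroll export on e-mails and phone numbers, which is exactly how the 'hidden' processors surface. Expect false positives (version strings, internal test addresses) and review hits before you change anything.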

Nevertheless, the most profound change with GDPR is a Europe-wide requirement to notify data breaches to the supervisory authority and, where the breach is likely to result in a high risk to them, to the affected individuals (Article 34). In the US, data breach notification laws are now in force in 47 states, and not notifying authorities has become a high-risk option. In contrast, Europe currently has no universally applicable law requiring notification of breaches, and for many organizations not notifying, and thereby avoiding the often damaging media fall-out, is still common practice. The regulation states very clearly that "the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority" (Article 33(1)). If you are a processor, your obligation is to notify the controller without undue delay (Article 33(2)), so your contracts must say how and how fast. Organizations found to have deliberately withheld notification can expect the highest fines and lasting damage to corporate and individual reputations. Lost or stolen devices, emails sent to the wrong address in error and the continuing rise of cybercrime mean that for many organizations data breaches are a daily occurrence. You cannot notify within 72 hours what you cannot detect, so in a large company this means a technology infusion: typically some combination of firewalls, centralized log recording with enough retention to reconstruct what happened, data loss prevention, malware detection and similar tooling. Regular privacy impact assessments and technology upgrades should be a concern right away, and the response effort needs a combination of skill sets: IT, PR and legal.

Maybe you don't know it, but the weak link in security is frequently people rather than technology.

Staff training is essential to raise awareness of good security practice, current threats and whom to call when a breach is suspected. Set up a clear chain of command for the likely threat scenarios and keep blame culture out of the working environment, otherwise people will not report what they see. Make sure forensic reports are commissioned through counsel and protected by legal privilege wherever possible, to avoid compounding the losses arising from a breach. Don't speculate about what might have happened; you may be dealing with an insider threat (a rogue employee) or with one of the large-scale cyberattacks that are common these days. Either way, when a major incident occurs precious time can be wasted, so line up external advisors (forensics, legal, PR) in advance, because you will be fighting the 72-hour notification deadline the regulation stipulates. Develop standard notification procedures now, and have a tested plan for the detection, categorization, investigation, containment and reporting of data breaches. The 72 hours run from when you become aware of the breach, not from when the investigation is finished, so the plan must also say what you will report while you still don't know everything; Article 33(4) allows the information to be provided in phases. Document every breach, including those you decide not to notify (Article 33(5)), because the supervisory authority can ask to see that record.

Finally, data governance is no longer just a case of doing the right thing; organizations need to be able to prove to regulators, to data subjects and potentially to their audience that they have done the right thing. It will be worse than most expect: 60 percent of global organizations said it would take them up to 12 months to develop and implement the IT processes and tools needed to pass a "right to be forgotten" audit, and another 25 percent did not even know how long it would take. With this regulation we are going to see the number of companies being investigated, fined and taken to court increase significantly. In my country, it will be a nightmare from the beginning.

More articles by George V