More GDPR Q+A

Which organizations have the greatest liability, what does the right to be forgotten mean, what on earth does a DPO do, and what happens when Artificial Intelligence is running user profiles?

Let’s begin with the purpose and role of the DPO.

The data protection officer (DPO) role that GDPR requires for many data handlers is intended to help them ensure compliance.

This officer, who must report to the highest level of non-IT management (C-level only), is intended to operate independently within the organization and must not report to any function that could create a conflict of interest. As you know, this is very different from the laissez-faire approach most U.S. firms take to CISO postings. The GDPR approach makes far more sense, and it also sidesteps the thorny political issues that have constantly clouded the intent of the traditional CISO role and served as a disabling burden on it.

How does the right to be forgotten work under GDPR?

It works really well for people whose data is being used for purposes other than those intended under the horrendous ToU they didn’t read, couldn’t understand, and signed anyway just to be able to use the service in question. It works really badly for the service provider who, until May 25th 2018, had gotten away with murder.

Under GDPR, people who have earlier consented to their personal data being processed now have a plethora of new rights. These include the right to access data held about them. The service provider must provide a copy of the data stored and processed about the requestor free of charge, generally within 30 days of the request. Additionally, the covered subject (person) has a subsequent right to request rectification of incomplete or inaccurate personal data and the right to have their data deleted altogether.

Other ‘rights to be forgotten’ include the right to restrict specific processing and the right to obtain all of the personal data in a structured, commonly-used and machine-readable form, again free of charge. All of these rights make it critical that organizations’ processing and/or storing personal data have systems in place which enable them to identify, access, edit and delete individual user data and to be able to perform these operations quickly.

Maybe the biggest individual right that GDPR confers is the right for people who have consented to their data being processed to withdraw that consent at any time and for any reason. This of course shifts the position of power dramatically to the people and dramatically away from the organizations. The residual impact of this one right will be felt for a long time and in a variety of unexpected ways. Imagine an individual who objects to a process or feature on a given social media site and what that person could invoke by leveraging this one right multiplied by millions of like-minded members and the very power of social media itself against its very own provider. Some would characterize this as a delicious irony.

The owners of the data, referred to as data controllers, must by law inform users about this right, and not only that, but offer easy ways for them to withdraw consent. So the days of the ‘revoke consent’ option buried multiple sub-menus deep are history. Nor can a WhatsApp (cleverly) offer time-limited opt-outs for sharing user data with its parent multinational, Facebook. Users will now have the right to change their mind whenever they like. And I am sure there are already hordes of politically active users with axes to grind bringing their blades to the whetstones as I write this.

How does GDPR affect the handling of data breaches?

GDPR does what the U.S. still hasn’t been able to do, in spite of the escalating volume and severity of breaches and the negative and costly impact on the consumers whose data has been compromised as a result. The guys running IT and cybersecurity for Equifax and Uber may have paid a small price for their negligence and carelessness, but in hindsight their timing seems impeccable, because under GDPR they could be serving jail sentences right now. GDPR creates a universal standard for data breach disclosures, and violations are punishable by law.

Any company or organization that experiences a data breach or incident of compromise where personal data has been lost, stolen or otherwise accessed by unauthorized third parties must report the event within 72 hours of their awareness of the incident. If a breach is determined to result in a “high risk of adversely affecting individuals’ rights and freedoms” the regulation also penalizes organizations for failing to report the event immediately and without “undue delay”.

The rubber meets the road here with the risk of supersized fines, which creates a very different ball-game from the one played in the U.S. for all these years. A breach like the one Equifax suffered may have cost the company and its shareholders $628 million in fines alone. So the era of sloppy security is over: security must become a serious, non-lip-service, C-suite concern from now on.

Another huge impact of GDPR, on global businesses now and soon on U.S. businesses alike, will be the requirement to rope your third-party providers into your compliance circle, on top of the currently tame contract that must already be in place between you and your sub-contractor. The new requirement spells out broader coverage and more specificity around breach reporting requirements, preventing you from shirking your duty as a protector of your employee and customer data.

If a data controller (you) is using a data processor (your sub-contractor) and it’s the data processor that suffers the breach, the processor is now required to inform you (the data controller) as soon as it becomes aware. So, while you remain liable for your own compliance, you must now additionally ensure that your sub-contractors can provide “sufficient guarantees” that the regulatory requirements will be satisfied and the rights of the data subjects protected. These guarantees must be secured one way or the other, unless you intend to hold the bag if your third-party processor flakes. I didn’t think so.

And my favorite new right? The right to human review for AI decisions.

Article 22 of GDPR places a set of restrictions on decisions that are based on the automated profiling of individuals, in other words, profiling based on a purely mathematical and/or algorithmic process. There is some weasel language that exempts processing that is “necessary” for entering into or performing a contract between a company and an individual, where law enforcement issues are present (fraud detection), or where the individual has expressly consented to the processing. Examples of these sorts of exempted ‘AI decisions’ would be an automated refusal of a credit application, e-recruitment practices and several others.

But, even so, I am sure that we will see a dramatic increase in AI-related discrimination cases, around e-recruitment practices for example, perhaps to the extent that the nascent industry gets clobbered aborning. Because while provisioning against automated decisions may not be new, this potential path for GDPR to check the power of the machine learning and AI juggernauts will certainly affect their trajectory as they overtake human interaction.

As a footnote, individuals will have the right to challenge and request a review of an automated decision in the restricted classes at any time, and will thus receive a modicum of protection when those affected judge the treatment to be unfair or harmful. That one small right will create huge process and operational problems for all businesses that are now furiously adopting machine learning technologies in applications like recruitment, human resources, workplace communications, healthcare, supply chain, logistics, manufacturing and retail.

There are also additional restrictions on data used for any profiling practices, such as health data, political beliefs, religious affiliations, etc., and all of that requires consent from the user. Profiling based on other types of personal data does not require obtaining consent from the individuals, but it still requires a legal basis and it still carries a transparency requirement, which means that service providers will need to inform users that they are being profiled and explain what it means for them. And here too, ultimately, users always have the right to file an objection.

At the end of the day, the organizations facing the greatest liability risks under GDPR are the ones that deliberately conclude by their actions that privacy protection rights are subordinated to the greater business interest.
