What is the word for 2017? GDPR!
Michael Boumansour
Strategic Software Product Leader & Tech Executive | Spearheading Agile Transformations & Revenue Growth in Tech Industries
Ok, so GDPR is an acronym rather than a word, but the point remains: it will be huge in 2017. GDPR stands for the General Data Protection Regulation, which was signed into law by the EU earlier this year and will take effect on May 25th, 2018. There has already been quite a bit written about GDPR, but I haven’t seen much on the practical and technical implications beyond a very high level. My intent with this post and others to come is to discuss some of the specific realities people in IT, application development, analytics, and marketing are now facing with GDPR only 17 months away. That said, I think I should first set the table to make sure there is enough context for some meaningful dialog.
The jurisdiction of GDPR is far reaching. Unlike its predecessor, the EU Data Protection Directive (DPD), which only applied to companies that had equipment within the EU, GDPR applies to any entity that touches the personal data of an EU resident, whether it has a physical presence in the EU or not. That will encompass over 50% of the companies in the US. The criteria for GDPR compliance are extensive and in some cases go well beyond what most US companies likely have in place for their PII security policies and practices. If you are a US-based organization dealing with EU personal data and think you will fly under the radar and skirt by with a few new policies and security tweaks, think again! GDPR has put the power back in the hands of the individuals (data subjects). Under GDPR, data subjects now have significant control over who can use their data and how they can use it. Companies are expected to be stewards of subjects’ personal data, with privacy being a top priority throughout the entire organization. If a data subject feels a company has not complied with GDPR in regard to their personal data, they have the right to take that company to court in the subject’s home country and/or file a complaint with their respective GDPR supervisory authority. Supervisory authorities under GDPR have extensive investigative and corrective power. Should a supervisory authority find violations, it has the power to do anything from issuing a warning to imposing a fine of up to 20,000,000 euro or 4% of the previous year’s global annual revenue, whichever is greater. Who wants to be the CEO who goes with a minimalist approach to compliance and then rolls the dice on that bet?
Now that we have some context, let’s look at the most critical element in all of this: EU personal data. How personal data is defined is one of the most impactful differences between GDPR and the previous DPD. GDPR states that any information that directly or indirectly can identify a person is considered personal data. So, in addition to what has up to this point been considered personal data (name, address, social security number, credit card number, etc.), GDPR includes additional data elements such as online identifiers, location data, cookie data, device IDs, and RFID tags. The broadening of the scope of personal data will potentially require very difficult and costly changes for many organizations from a technical, process, policy, organizational design, and even business model standpoint. In cases where the newly deemed personal data is limited and/or well contained in its use, the impact will likely be relatively moderate. However, there will no doubt be companies where that type of data has found its way into every corner of the organization and may even be the core of the company's business. Just identifying what data an organization has and all the places it resides could be a monumental task. For instance, it’s obvious that you will need to understand all your production data stores and what personal data resides in them, but that is only the tip of the iceberg. Responsibility for compliance with GDPR does not stop with production data stores; it also includes non-production/test data stores, backups, employee/contractor devices (corporate and personal), system caches, indexes, queuing services, log files, documents (electronic and hardcopy), media, email and other electronic communication, and the list goes on. In addition, any vendors (processors) you work with who touch the data in any way also fall under the jurisdiction of GDPR, so you will need to go through the same exercise with them. And that is only step one.
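As an added example (not part of the original post) of the discovery work just described, here is a small Python script that scans constructed sample log lines for the identifier classes GDPR now counts as personal data (email, IP address, cookie ID, device ID, location) and reports which lines are in scope. The log format, field names and ID formats are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from any real system) standing in for the
# kind of application log GDPR brings into scope. Field names and ID formats
# are assumptions for this example.
SAMPLE_LOG = """\
2017-01-10T09:14:02Z INFO login ok user=alice@example.com ip=203.0.113.42
2017-01-10T09:14:05Z INFO page=/pricing cookie=sid=4f9a1c2e7b3d device_id=AB12CD34EF56
2017-01-10T09:15:11Z WARN geo lat=48.8566 lon=2.3522 ip=203.0.113.42
2017-01-10T09:16:00Z INFO health check ok
"""

# One illustrative pattern per identifier class GDPR treats as personal data.
# These regexes are written for the constructed log format above.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip_address": re.compile(r"\bip=(\d{1,3}(?:\.\d{1,3}){3})\b"),
    "cookie_id": re.compile(r"\bcookie=\w+=([0-9a-f]{8,})\b"),
    "device_id": re.compile(r"\bdevice_id=([A-Z0-9]{8,})\b"),
    "location": re.compile(r"\blat=(-?\d+\.\d+) lon=(-?\d+\.\d+)\b"),
}


def scan_log(text):
    """Return {identifier_class: [line numbers]} for lines holding personal data."""
    hits = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return dict(hits)


def lines_with_personal_data(text):
    """Line numbers that fall under GDPR (retention, deletion requests, access control)."""
    return {n for nums in scan_log(text).values() for n in nums}


if __name__ == "__main__":
    for cls, lines in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{cls}: lines {lines}")
    print("lines in scope:", sorted(lines_with_personal_data(SAMPLE_LOG)))
```

Run against a real log directory, the same approach gives a first inventory of which files and fields carry personal data and therefore need retention rules and deletion handling.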
We haven’t begun to discuss things like the fact that you will need opt-in consent from all data subjects (new and existing), the rights subjects have such as having their data deleted from your organization at any time or objecting to the use of their information in profiling, the expanded definition of a data breach along with 72-hour breach notifications, how you secure data that has proliferated throughout the company for years largely unchecked, and how you somehow prove you have done all the things necessary to comply if you get investigated. All great topics for future posts!
It may sound like I am suggesting the sky is falling. I am not. This is not an insurmountable task in most cases, and in the long run it will probably be a good thing for many companies, but like most truly impactful changes there will be some pain involved along the way. Hopefully GDPR has been on your radar for a while and you are already underway with the changes necessary for your organization, but if not, I hope this post raised your awareness so you can begin to determine the kind of impact GDPR will have and what you need to do to be ready. I am working with a client on GDPR compliance as we speak, but beyond that, the subject fascinates me given the profound impact it is likely to have. I am looking forward to blogging in more detail on the implications of GDPR along with strategies and approaches for managing compliance. I would love to hear your thoughts and experiences!
Director, Financial Planning & Analysis | budgeting, forecasting, financial modeling, cost management, staff development, policy implementation, and executive presentations, financial integrity and operational excellence.
8 years
Nice article Mike! You have done a lot of research on this topic and brought many issues to light.