The date May 25, 2018 should be circled on every CEO, CIO and chief privacy officer’s calendar. It’s the day that the European Union’s (EU) General Data Protection Regulation (GDPR) comes into effect.
GDPR is a harmonized set of privacy regulations that protects EU residents. It doesn’t matter whether their data is stored electronically, or on paper in a filing cabinet – EU residents will receive enhanced privacy rights, and those holding their information will have to obey strict rules around transparency and accountability.
Failure to comply, or data or privacy breaches, could result in fines of up to four per cent of annual global turnover or 20-million euros — not pocket change.
So what does this mean to North American companies?
“If you have customers in the EU, this matters to you,” said Brad Smith, Microsoft’s chief legal officer and president of Microsoft Corp. “If you have employees in the EU, this matters to you. If you’ve even heard of the EU, this matters to you.”
It matters because the regulation applies to anyone anywhere in the world holding a living EU resident’s information (deceased individuals’ data is governed by their countries). If you even have mailing lists or newsletter subscribers with EU members, or do market research involving EU residents, or track their activity in any way, you’re on the hook.
Microsoft has 300 engineers working on the technical aspects of compliance and is meeting with regulators to ensure its interpretation of the regulation is accurate, Smith said.
It’s not just a tech issue either, said Sheila Fitzpatrick, chief privacy officer and worldwide data governance and privacy counsel at NetApp — which is a data storage, management and protection vendor.
“GDPR is first and foremost a legal compliance issue,” she said. “Of the 99 articles in the GDPR, only eight deal with technology. You must build a privacy foundation in your company.”
GDPR’s definition of personal information is wide-reaching. According to the GDPR FAQ, it includes “any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” It even applies to information gathered by IoT devices, if it can somehow be tied back to an individual.
The regulation applies to both data controllers and processors, where the controller is defined as the entity that determines what personal data is collected, for what reasons, and how it will be processed, and the processor is the entity that processes the personal data on behalf of the controller.
And yes, Fitzpatrick said service providers are liable as well as their customers.
What makes the process especially challenging is that data resides everywhere, said Darren Yablonski, director of systems engineering at Commvault Canada.
“The common question is, how can Canadian organizations approach unstructured data across endpoints, applications, and storage devices without adding point products,” he said.
It’s a messy problem. A global survey commissioned by Commvault found that more than 60 per cent of CIOs surveyed said that their IT organizations have less than half of corporate data under their control.
The conditions for consent to collection of personal information are also tougher. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.
Companies will no longer be able to use long, illegible terms and conditions full of legalese; consent must be clear and distinguishable from any other terms and must be provided in clear and plain language. It also must be as easy to withdraw consent as it is to give it, and individuals have the right to know what data is being held (and get a copy thereof), who holds it, and have the right to be forgotten, which allows them to ask that their personal data be deleted (not as simple as it sounds).
Data movement between countries is also regulated. From the EU and the three European Economic Area (EEA) countries of Norway, Liechtenstein, and Iceland, data may only flow to countries with what the European Commission considers an adequate level of protection (there are special arrangements for law enforcement).
Some companies will be required to appoint a Data Protection Officer (DPO). The regulation requires a DPO for public authorities, organizations that engage in large scale systematic monitoring, and organizations that engage in large-scale processing of sensitive personal data.
Should there be a security or privacy breach, organizations will be required to notify authorities within 72 hours, and to contact affected individuals “without undue delay.” (The difference between the two, according to Fitzpatrick is that a security breach is unauthorized access to the environment or data, while a privacy breach is unauthorized collection or sharing of personal information, or moving it across borders without compliance.)
Security goes hand-in hand with privacy, as breaches at companies like Equifax have illustrated. “One of the most sobering things is that there’s no other crime where you can go instantly from being the victim to being the villain,” said Smith. That means nailing down solid data security as well as addressing privacy.
But, again, security is not the same as privacy, Fitzpatrick said. “Privacy is a wheel, the full data lifecycle: its legal collection, use, sharing, storage, and transfer,” she said. “Security is just one spoke – the fortress around the data. All cloud providers can address security, few can address privacy.”
To protect data, you first need to know what it is and where it is.
“The basis of any data security strategy is to identify sensitive and regulated data so that both users and security technology can make informed, deliberate decisions on how that information should be protected,” said Stephane Charbonneau, CTO of Ottawa-based data classification and protection firm TITUS.
“For GDPR compliance specifically, organizations need to start by doing a data inventory to determine what data they have, what data is associated with European-based customers, and where this data is located. This needs to be an ongoing process in order to ensure that they remain compliant with the regulation, so internal processes should to be put into place, and a person appointed to oversee these processes in order to ensure ongoing compliance.”
It’s a simple-sounding statement, but it won’t be easy, given our tendencies to have data scattered through an organization, sometimes in multiple copies, as well as in backups. But it has to be done.
To make things more complicated, as we saw with Y2K “experts” are popping out of the woodwork with upstart consultancy groups and vendors making broad claims about their roles in compliance, said Matt Tyrer, Commvault’s manager of solutions marketing for the Americas.
“There is no certification process,” he said. “It’s a real threat. Organizations could be misled.”
Commvault does not make you compliant, Tyrer added, though it can be part of a strategy to get there. The company has announced an analytics tool, to be available by year end, to help customers find and manage personal data regardless of where it is stored.
“It’s a problem we have to solve together,” Smith said. “We need to ask ourselves three things: what does Microsoft and the tech industry need to do, what do companies need to do, and what does the world need to do.”
And “don’t be afraid to ask the hard questions (of service providers),” Fitzpatrick advised. “Turn privacy into a competitive advantage.”
Obviously, it’s impossible to summarize the entire 261 page GDPR document here — we’ve just hit the key points. Here are a few additional references to help you plan your journey to compliance:
General Data Protection Regulation full text: http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
GDPR Official Site FAQ: http://www.eugdpr.org/gdpr-faqs.html
Gartner’s Five Point Guide to GDPR, including a description of individuals’ rights: https://www.gartner.com/newsroom/id/3701117
Microsoft webinar – “How to Accelerate Your Journey to Compliance” (Nov 16): https://info.microsoft.com/ThrivingInTheGDPRera-Registration.html
Microsoft GDPR Resources: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx
GDPR Alliance: https://gdpr-alliance.co.uk/
Five Steps to GDPR Compliance: https://www.helpnetsecurity.com/2016/04/19/gdpr-compliance/
UK Information Commissioner’s Office Accountability and governance guidance: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/accountability-and-governance/
TITUS GDPR Solution: https://www.titus.com/solutions-eu-data-protection.php
Commvault GDPR Solution: https://www.commvault.com/solutions/by-topic/gdpr
IDC Five Steps to GDPR: https://cloud.kapostcontent.net/pub/7bf8f985-a7c1-42f6-a89a-0e7a459fd435/idc-five-essential-steps-for-gdpr-compliance.pdf?kui=UZihyC4LrKkqtFHnKE7PqA
GDPR: Key Points for Canadian Businesses: http://www.mondaq.com/canada/x/517610/Data+Protection+Privacy/The+GDPR+Key+Points+for+Canadian+Businesses
IAPP Privacy Symposium 2016 Presentation – Impact of GDPR on Canada: https://www.slideshare.net/constantk/impact-of-gdpr-on-canada-may-2016-presented-at-iapp-canada-symposium
Privacy Commissioner of Canada: https://www.priv.gc.ca/en/
International Council on Global Privacy and Security by Design: http://gpsbydesign.org/
SAS Institute ebook – Working Toward GDPR Compliance: https://www.sas.com/en_ca/whitepapers/gdpr-compliance-109048.html
Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (cippic), Centre for Law, Technology and Society, University of Ottawa (public interest Internet law clinic): https://cippic.ca/en/privacy