With the May 2018 deadline fast approaching for Europe’s new data protection laws, Phil Muncaster outlines practical tips from the experts on how to get in shape ahead of the big date
In April 2016, three senior European Commission policymakers issued a landmark joint statement. It signaled the final adoption of new EU rules designed to enshrine in law the right of personal data protection for all citizens. For organizations around the world, it also signaled the beginning of a two-year countdown to enforcement of the European General Data Protection Regulation (GDPR), which is also intended to foster “trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.” That May 25 2018 deadline now looms even larger – spelling trouble for some organizations.
Veritas claimed last December that over half (54%) of global firms had still not advanced their compliance plans, while a DLA Piper estimate from January claimed organizations are only currently complying with around 40% of GDPR principles. Meanwhile, Netskope claimed three-quarters of the 22,000 cloud apps it tracked fail to pass muster, according to the new regulation. That could be costly for firms, according to new rules which will levy fines of up to €20m ($21m) or 4% of global annual turnover for serious infractions. It could cost global firms $320bn if they fail to get compliance sorted, according to Capgemini. The Payment Card Industry Security Standards Council (PCI SSC) reckons that could amount to over £120bn ($150bn) for UK firms alone.
This may sound like a lot, but be warned: the GDPR will make it much easier for individuals to bring private claims against firms. They won’t need to prove financial loss, just ‘distress’ or hurt feelings. They’ll also have the right to ask a consumer protection group to bring claims on their behalf, according to DLA Piper. What’s more, the new law will apply both to data controllers and the suppliers they engage to process that data – bringing a whole sweep of new firms under the compliance microscope.
What Does it Cover?
It’s worth mentioning that the GDPR covers all ‘personal data’, but that its definition of the term is broader than before and will apply to more details, including a “wide range of personal identifiers” such as IP addresses, according to the UK’s privacy watchdog, the ICO. Even pseudonymized data could fall under the scope of the new regulation, depending on how easy or difficult it is to tie it back to the original individual. It will also mandate that firms be more explicit when obtaining consent to use individuals’ personal data: the use of straightforward language will be essential and firms will not be able to interpret a lack of response as consent.
One of the new rules with the biggest impact on firms will be 72-hour mandatory breach notification to the local data protection authority – i.e. the ICO for UK firms. Also high up on the list will be the mandatory appointment of data protection officers (DPOs) for any firms which undertake “regular and systematic monitoring of data subjects on a large scale” or those who process special categories of data “on a large scale.”
The GDPR introduces the idea of privacy by design, and for that reason, any firm judged to represent a major risk to user privacy must conduct a Privacy Impact Assessment (PIA) before undertaking any work. The regulation also introduces new consumer rights, notably the right to be forgotten and the right to data portability.
Where Should You Be by Now?
All organizations should have finished an initial assessment phase by now, designed to help them understand where their compliance gaps are, according to Forrester analyst Enza Iannopollo. Next should come budget approval, and implementing the necessary changes, before reviews and continuous monitoring.
Those complying with current European privacy laws will see the process more as an “evolution”, while for others it will be a “deep, radical change”, she tells Infosecurity.
“First of all, you need to find out where your data is and map its flow, including third parties and business partners, and this analysis should also include an evaluation of the technologies, processes and oversight mechanisms in place,” she explains.
“Last, but certainly not the least, we need to look at the people: including employees’ awareness and preparedness, but also customers. Is your customer-facing privacy communication ready for GDPR and able to address growing customers' expectations and demands for privacy?”
To ease the process, firms should have put together an internal privacy team in charge of GDPR compliance by now. However, the hardest part of the compliance puzzle is the necessary cultural change, according to PwC US privacy leader, Jay Cline.
“A common view of the privacy office in Europe up until now has been a lawyer sitting behind a computer screen writing policies and dispensing advice,” he tells Infosecurity. “Yet for privacy programs to withstand the impending, heightened scrutiny of European regulators, the focus of activity needs to shift from the legal department to the IT, marketing and HR departments, as well as procurement, finance and product design.”
Quick Compliance Wins
Although all the experts agree that firms should be far down the road to compliance by now, there are still some quick wins which could accelerate efforts.
“Look to the existing information security management and privacy controls, then determine which controls are already sufficient or near sufficient to meet the needs of the legislation”, advises Capgemini’s chief security strategist for NEU, Richard Starnes.
“Should a company not have sufficiently robust controls for a quick win, it is late in the game, but not too late. Partner with a trusted advisor and have your program ready to meet these new challenges. Companies don’t have to go it alone.”
For Canon’s EMEA information security director, Quentyn Taylor, formalizing the role of the DPO can also give an early boost to efforts, as can data mapping – understanding what you have and how it is used.
“For any company that is a data processor, the changes are even more significant and we would urge them to talk to their customers who are the data controllers to understand how this change will impact their business relationship and working practices”, he adds.
Alexandra Leonidou, senior associate at law firm Foot Anstey, claims some firms will need to create a number of new processes from scratch.
“Examples of this may include processes related to new rights for individuals, the new mandatory breach notification requirements, or in relation to the roll-out of new data protection impact assessments,” she says. “You may wish to develop these new business processes simultaneously to conduct your mapping and audit to make sure that you get engagement and input from key parts of the organization as you go along. Leaving this until the very end may result in processes that are less tailored or workable for your business and your data.”
The Global Picture
The GDPR is not just about European organizations. It applies to all those which store, process or share the data of European citizens, meaning UK firms post-Brexit and those in the US and elsewhere will need to comply. In fact, PwC recently claimed US firms will spend an average of $1m on compliance efforts.
There could be bumps in the road ahead though, both for those in the US and UK, which will require careful monitoring by IT leaders and DPOs.
Given the strict rules governing data transfers outside the region, global organizations would be advised to “keep it local” with European datacenters, according to KPMG global privacy advisory lead, Mark Thompson. Emily Taylor, CEO of Oxford Innovation Labs and associate fellow of Chatham House, agrees, adding that Donald Trump’s ‘America First’ policies could undermine the EU-US Privacy Shield agreement.
“Although the previous US administration made substantial concessions such as limiting access to bulk data unless strictly necessary, legal challenges are already in motion, arguing that the protections are insufficient,” she explains. “A more aggressive stance on security issues by the US may well topple an already wobbly compromise.”
Is it Too Late?
There’s certainly still time to get your compliance house in order, but depending on the size of your organization, it will be a challenge. Some are more optimistic than others.
“No one wants to admit it but the reality is that the vast majority of organizations are unlikely to have done anything close to what is needed by the May deadline. GDPR compliance is a massive task; it requires significant business change, winning hearts and minds as well as transforming business processes and systems”, says KPMG’s Thompson.
“In the event that your organization is behind, it is important that you take a risk-based approach.”
The good news is that there are plenty of sources of high-quality advice for firms. The Article 29 Working Party and ICO are good places to start. Industry bodies like techUK can also help out, as can consultancies such as PwC, Capgemini and law firms. However, the focus should always be on “long-term sustainability,” according to Thompson.
“Covering the gaps right now, only for them to emerge again in 12 months’ time, is not what regulators are looking for”, he concludes.
Brexit Implications
The GDPR will automatically come into force in the UK on May 25 2018. With the process of Brexit likely to take at least two years, UK organizations will need to comply from that date. Beyond that, the government has hinted at a harmonization of laws following Brexit. There remains one potential conflict: the Investigatory Powers Act’s bulk data retention requirements, which run counter to EU law. Still, in the meantime, there’s no way out of GDPR compliance for UK firms.