While the GDPR seems to have “snuck up” on the average user, as well as the typical organization, the impact of what it was supposed to do was very much brought to the forefront just before the May 25, 2018 effective date by the Cambridge Analytica and Facebook incident, where 87 million Facebook users’ personal data was secretly harvested for political purposes in 2016. Although unfortunate, here was a stark reminder of why greater awareness by data subjects was needed in regards to the collection of their personal data, and much greater attention to detail by the organizations collecting and using that data.
The $64,000 question, however, is whether or not this increased awareness will remain, especially among data subjects, or whether we will sink back into the mindset of the past. That remains to be seen, but for the organizations collecting the data, this incident happening in the midst of the escalating GDPR hype certainly drove home the point that there will be consequences for violations of the regulation.
What does the GDPR mean to the average EU based organization?
Despite a nearly two year grace period before its entry into force on May 25, 2018, only a very small share of businesses felt they were ready to face the implications set by this regulation. There may be any number of valid reasons for this, but organizations are out of time: they must now take an honest look at their rationale, processes and procedures for collecting user personal data.
Because of the rapid growth of the online market combined with the lack of effective data protection regulations prior to the GDPR, most organizations developed their data collection procedures in a haphazard manner, even with multiple entities within the same organization collecting the same personal data. This approach naturally led to a lack of awareness as to what data they had, from whom they had it, and how they were using it.
The GDPR now forces organizations to think of data collection from a “Rights vs Responsibilities” perspective. Prior to the GDPR, collection of user data was taken by default, and in extreme cases it was very difficult for the data subject not to agree to its collection. With the GDPR the tables are turned. It’s the data subject who’s in control, owns the rights to their personal data, and decides who can collect it and who can’t. Organizations who now wish to collect personal data must respect that right and be upfront about how and why they will collect it. Once permission is obtained (and the GDPR requires that it must be just as easy for the data subject to withdraw that permission as it was to give it), a number of responsibilities that the data collecting company must respect come into play.
In order to meet these responsibilities, organizations have had to rationalize their data collection strategies, beginning with how they obtain the data subject’s permission. Once obtained, it becomes critical that an organization can identify and manage the personal data it has collected, bringing together disparate systems to have a consolidated view of what information it holds and how it is being used. This consolidated view is absolutely necessary when responding to requests to either transfer a data subject’s personal data or to erase it completely. Besides illustrating who’s in control of the data, this is probably the greatest challenge that the GDPR has presented to organizations.
Further down the list of responsibilities, but no less important, is protection of the collected data from cyber attacks and breaches. This is the component of the GDPR that got the most attention prior to it becoming effective, due to the potentially eye-watering fines that can result from a data breach. Where the previous regulations had little to no “stick” aspect to them, the GDPR certainly contains a large one. Maybe this is the first time where not getting hit with the stick is actually the carrot.
In the event of a data breach, organizations have a window of a maximum of 72 hours after its discovery to report it. An interesting twist in the regulation, however, is that the organization can make a decision as to whether or not the data breach is actually severe enough to report, that is, whether “the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons.” Should it decide to report the breach – and reporting a breach does not automatically equate to a fine – a significant amount of information needs to accompany the notification. This makes knowing where personal data is located more important than ever and increased the challenge to organizations preparing for the GDPR.
The significant fines associated with the GDPR – 4% of annual global turnover or $20M – are designed to keep organizations’ attention on their obligations to keep collected data safe. Although no one can predict how individual data protection agencies will react when the first major data breach occurs in the post-GDPR era, the regulation finally has a strong enforcement potential that was lacking in the previous regulations. In fact, in some EU member states the maximum pre-GDPR era fines that could be assessed were actually limited by the regulations themselves.
What does the GDPR mean to non-EU based organizations?
This is probably the most contentious, as well as the most interesting, aspect of the GDPR. Based on the assumption that personal data is owned by the data subject, the EU decided that anyone resident in any of the EU member states – citizen or not – is protected by the provisions of the regulation. The physical location of the organization collecting that data is immaterial. However, the enforcement of the regulation, and potential fines in case of a data breach, is still an open question and most likely has teams of lawyers preparing for the first major challenge to the GDPR.
In the case of large, multi-national firms with operations in the EU, the scenario is reasonably straightforward and there is a history of the EU assessing fines against these organizations. The real question, however, concerns those organizations who are able to offer goods or services to an EU resident but do not have a physical presence inside the EU.
“On the Internet, nobody knows you’re a dog.” (The New Yorker, 1993). In the same way that the Internet inspired the above cartoon line, it has also opened significant business opportunities to organizations of all sizes, but particularly to small and medium businesses. In terms of data protection, however, these same organizations are statistically more vulnerable to cyberattacks and data breaches.
Fortunately, the EU does make a distinction between those organizations whose websites make their goods and services available globally without distinction and those organizations which make an effort to solicit business from EU residents. These efforts can include offering goods and services in a local currency, language or domain name, as well as tracking/monitoring the behavior of online visitors.
However, in these early days no one is completely sure of how the EU will approach dealing with a non-EU organization which has violated the regulation.
Despite the significant fines and reputational damage associated with GDPR non-compliance, some companies (EU or non-EU based organizations) may still be tempted not to disclose the whole or part of a breach. This would be a huge mistake. It’s important to remember that the GDPR is all about forcing organizations to be more transparent and responsible.
By Patrick Grillo – Fortinet