EU GDPR: A bogeyman for scaring top management?
Foto: Stanko Cerin
by Stanko Cerin
Upcoming EU data protection regulation aims to finally put in order massive misuse of personal data. What it brings is putting people in control over their personal data. This is exercising one of the fundamental human rights – a right to privacy. Great and noble goal.
To achieve it, European parliament and the Council of the European union created GDPR (General Data Protection Regulation) Directive which caused huge interest on a global scale.
Huge penalties for offenders
“Jurisdiction” has been extended outside EU borders. It comes with number of straight forward requirements such as “right to be forgotten” and several concrete requirements aimed to ensure adequate level of personal data quality and security. All organizations having EU citizens’ personal data must comply, no matter where they are located. Bigger than ever enforcement power is enabled through ability to impose penalties up to 20 million euros or 4% of the global revenue, whichever is bigger!
Huge penalties provide high level of confidence that, for the first-time, EU privacy regulation will be taken seriously.
An atmosphere of hesitation and uncertainty
Huge penalties turned into business opportunity for IT vendors, business and legal consulting companies offering GDPR solutions and services. There’s no doubt that everyone dealing with personal data must do something, but what? In some cases, change in IT systems can be so complex that implementation deadline in 2018 is just unrealistic.
Quick Google search for “GDPR” currently finds more than 1 million pages, most of them offering some kind of GDPR solution. All that marketing power employed to sell these solutions, combined with a fear of huge penalties, created atmosphere of hesitation and uncertainty. Last time we witnessed similar atmosphere was in 1999, when organizations were scared by a famous "Millennium bug" predicted to cause devastating computer glitches on midnight between December 31st 1999 and January 1st 2000.
Who’s going to pay the fine?
Penalties are for those who don’t comply, but the main question remains - what an organization must do to be fined with 20 million euros?! The truth is, privacy regulation exits already and most organizations are already taking personal data seriously. Yes, there are some organizations building their business models on selling personal data, stealing confidential information or doing other nasty things, but they are already breaking the law or at least do their business in some dark-grey zone. Massive punishments are for such businesses. I’m sure we can agree, they deserve it.
Per informal interpretations leaking from EU privacy regulation bodies, GDPR regulated organization will first be warned for non-compliance, get a deadline to make things right, while fines will be only used as a last resort if nothing else works. Amount of fine is expected to be proportional with the significance of the offence. In short, to get the maximum fine, an organization should massively and on purpose neglect not only GDPR requirements, but also information security best practices and intentionally cause a massive personal data leakage with big impact to data owners - EU citizens.
What are companies supposed to do?
Position yourself - you are already partially compliant with GDPR requirements. Find out how much, what are your strengths and weaknesses in personal data management.
Prepare the GDPR program – Identify what kind of personal data you have, how do you collect it, where do you keep it, how it is protected, as well as how and why do you use it. Establish your personal data information asset register. Assess the potential impact of personal data disclosure for each system and identify the gaps between the current state and the one required by the GDPR. Once you start the project you will realize that even identifying what personal data is, and under what circumstances, can be a challenge by itself, not to mention finding personal data across IT systems and designing required changes. You will need an experienced team to do that. Consider finding external consultants including privacy lawyers, information security and IT experts. Identify similar projects (i.e. data governance, ISMS etc…) and make sure they work together so you can come up with a detail plan – a GDPR program. Then execute it.
Instead of the conclusion
Organizations will eventually have to comply, but process of aligning existing personal data management practices with new regulation will take years and will highly depend on building personal data importance awareness among general population, and among organizations. To reach adequate level of privacy protection maturity, human society must widely adopt knowledge about personal rights and organizations’ obligations to protect them, secure usage of privacy information and much more. GDPR is good for all of us.
Stanko Cerin, http://www.ostendogroup.com/