The European Union’s General Data Protection Regulation (GDPR) represents the most aggressive effort by governments yet to formalize, unify, and strengthen data protection. While 1995’s Data Protection Directive forms the basis for much of the GDPR, it was passed in an era before the birth of social media, and at a time when the internet was just commercialized. Widespread household use had yet to occur, let alone easy accessibility in most people’s pockets or purses. But today, the internet is an integral part of global commerce and daily life, and the processing, analyzing, and sharing of data is big business.
The Directive of 1995 certainly didn't anticipate a definition of personal data that needed to include IP addresses, login IDs, or social media content, or a world in which the proliferation of data and the constant flow of information would make data privacy and protection increasingly serious issues. To address these concerns, the EU has updated and expanded the core content of the Data Protection Directive through the GDPR, with sweeping provisions that reflect the new realities of e-commerce and digital media. To compel compliance, the regulation also adds teeth that the Directive lacked: fines for noncompliance of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
The GDPR goes into effect May 25, 2018, and tackles some major issues around personal data protection and data privacy. The scope of the regulation is extra-territorial: it applies to any organization offering goods or services to individuals in the EU, or monitoring the behaviour of individuals in the EU, regardless of where the organization is established. Applicability depends on the processing of personal data about people in the EU, not on the organization's physical location, and it does not hinge on citizenship. The regulation applies to "data controllers," meaning any organization (or in certain circumstances any individual) that alone or jointly determines the purposes and means of processing. It also applies to "data processors," who process personal data on behalf of a controller, as in the case of third-party vendors to whom a company outsources part of its operations. Overall responsibility remains with the controller, but processors now carry direct obligations of their own and must work with the controller to ensure compliance.
Under GDPR, data controllers and processors must maintain auditable records of their processing activities involving personal data, and implement security measures appropriate to the risk, which may include pseudonymisation and encryption of personal data, ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and the ability to restore access to personal data in a timely manner after an incident. It also sets out clearly delineated requirements and timeframes for breach notification: the supervisory authority (the data protection regulator of the relevant EU member state) must be notified without undue delay and, where feasible, within 72 hours of the controller becoming aware of a breach, and affected data subjects (the individuals to whom the personal data relates) must be notified without undue delay when the breach is likely to result in a high risk to them. In addition, it requires organizations to conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, including processing that uses new technologies, and sets out data protection requirements for international data transfers.
Perhaps to buttress internal organizational support for the heavy new compliance burden that companies must bear under GDPR, the regulation also requires certain organizations to appoint a Data Protection Officer (DPO): public authorities, and organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of data. The DPO acts as the point of contact for the supervisory authority and for data subjects, and is responsible for compliance education and training, internal audits, advising on the documentation and record retention of processing activities, and ongoing monitoring of the organization's compliance efforts.
Beyond these robust rules around data security, the regulation also extends broad rights to data subjects when it comes to their personal data, detailing the requirements for valid consent (freely given, specific, informed and unambiguous, and explicit for special categories of data), the right of access, the right to rectification, the right to be informed, the right to restrict processing, the right to erasure, the right to object, the right to data portability, and rights related to automated decision-making and profiling. The regulation also expands the very definition of what constitutes personal data, and defines important subcategories: special categories of sensitive data and children's data.
So what do all of these individual rights add up to? As a practical matter, once the regulation goes into effect, they will add up to a lot of requests that data subjects can make of a lot of companies about their personal data. As knowledge of GDPR provisions becomes more widespread, you can be sure that many people will exercise some or all of these rights. That makes it vitally important to have controls and governance in place so that requests are handled smoothly and personal data stays accurate and consistent across your enterprise.
The precepts underlying the GDPR's provisions are transparency, accountability, and governance. Analysts and consultants will advise you that data governance is the foundation on which to build a GDPR compliance strategy, and that is sound advice. Frankly, the GDPR is a multi-faceted regulation, and it isn't reasonable to expect a single-source solution for every compliance challenge that confronts you. For instance, there are excellent consent management solutions available to handle data subjects' approvals and denials for data usage on an ongoing basis. What you need to consider is how to implement controls across your enterprise that complement whatever data governance strategy you are using, so that the integrity of your data is maintained between systems and sources and you are alerted to any potential incident of non-compliance.
The GDPR provisions briefly summarized above will necessitate an array of new operational processes and workflows to manage compliance. It isn't just about where personal data is in your organization and whether it should be categorized as sensitive or children's data. It is also about its approved uses and whether it may be shared externally. With proper central governance, you can define, categorize, and manage your data so that you know its location, approvals, and ownership. But without controls that continuously check data quality and alert you to possible compliance violations, your GDPR solution will be deficient.
For example, let’s say that personal data for John Doe exists in three different systems in your organization. John gives affirmative consent for its lawful use, but also notices that his address is wrong and asks that it be corrected. One year later, he asks you to send his information to a competitor of yours, and also wants to exercise his right to be forgotten (right to erasure). From just this example, the company would benefit from setting up the following automated controls:
Audit controls can reconcile a subject's data across disparate systems and confirm its accuracy, catching drift before it turns into a rectification request, and can confirm that a rectification or erasure was actually applied in every system rather than just the one that received the request. Potential compliance violations can then trigger alerts and issue-management workflows for efficient investigation and resolution.
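To make the John Doe scenario concrete, the following Python is an added illustration and not the page's product or any vendor's code: it models the three systems as constructed in-memory records, runs a consistency check that surfaces the wrong address, applies the rectification everywhere, produces the portable export, and verifies after erasure that no copy still holds personal data. The field names, the choice of an authoritative source system and the tombstone convention are assumptions made for the example.

```python
"""Audit controls over one data subject's personal data held in several systems.

Added illustration, not the page's product: the three "systems" are constructed
in-memory records, and the field names, the idea of an authoritative source and
the tombstone convention are assumptions made for the example.
"""
import copy
from dataclasses import dataclass

# Fields that count as personal data in these (hypothetical) records.
PERSONAL_FIELDS = ("name", "email", "address")

# Constructed sample: the same subject as held by three systems. The billing
# copy carries a typo in the address, the kind of drift a reconciliation
# control should surface before the subject files a rectification request.
SAMPLE_SYSTEMS = {
    "crm": {"subject_id": "S-1001", "name": "John Doe", "email": "john.doe@example.com",
            "address": "1 Main St", "consent": True},
    "billing": {"subject_id": "S-1001", "name": "John Doe", "email": "john.doe@example.com",
                "address": "1 Mian St", "consent": True},
    "support": {"subject_id": "S-1001", "name": "John Doe", "email": "john.doe@example.com",
                "address": "1 Main St", "consent": True},
}


def fresh_systems():
    """Return a private copy of the sample so each request runs on clean state."""
    return copy.deepcopy(SAMPLE_SYSTEMS)


@dataclass(frozen=True)
class Finding:
    control: str   # which control fired: "consistency", "consent" or "erasure"
    system: str    # the system whose copy is at fault
    field: str
    detail: str


def reconcile(systems, authoritative="crm"):
    """Consistency control: compare every copy against the authoritative one.

    Consent is compared separately, so a system still processing after consent
    was withdrawn elsewhere shows up as a "consent" finding in its own right.
    """
    ref = systems[authoritative]
    findings = []
    for name, rec in systems.items():
        if name == authoritative:
            continue
        for f in PERSONAL_FIELDS:
            if rec.get(f) != ref.get(f):
                findings.append(Finding("consistency", name, f,
                                        f"{rec.get(f)!r} differs from {ref.get(f)!r}"))
        if rec.get("consent") != ref.get("consent"):
            findings.append(Finding("consent", name, "consent",
                                    f"{rec.get('consent')!r} differs from {ref.get('consent')!r}"))
    return findings


def rectify(systems, field, value):
    """Right to rectification: apply the correction to every copy, then re-check."""
    for rec in systems.values():
        rec[field] = value
    return reconcile(systems)


def portable_record(systems, authoritative="crm"):
    """Right to portability: the personal fields in a structured, machine-readable form."""
    return {f: systems[authoritative][f] for f in PERSONAL_FIELDS}


def erase(systems):
    """Right to erasure: drop the personal fields everywhere and leave a tombstone
    (subject_id plus an 'erased' marker) so verification can tell 'erased' from
    'never held'."""
    for rec in systems.values():
        for f in PERSONAL_FIELDS:
            rec.pop(f, None)
        rec["consent"] = False
        rec["erased"] = True


def verify_erasure(systems):
    """Erasure control: alert on any copy that still carries personal data or lacks
    the tombstone. Worth running on a schedule too, since a system restored from
    backup can silently reintroduce the data."""
    findings = []
    for name, rec in systems.items():
        for f in PERSONAL_FIELDS:
            if f in rec:
                findings.append(Finding("erasure", name, f, "personal data still present"))
        if not rec.get("erased"):
            findings.append(Finding("erasure", name, "erased", "tombstone missing"))
    return findings


if __name__ == "__main__":
    s = fresh_systems()
    print("drift:", reconcile(s))                          # billing address typo
    print("after rectify:", rectify(s, "address", "1 Main St"))
    print("export:", portable_record(s))
    erase(s)
    print("after erase:", verify_erasure(s))
```

The point of the `verify_erasure` control is that an erasure request is only satisfied when every copy is gone; a control that only checks the system that received the request will report success while the subject's data lives on elsewhere, which is exactly the kind of silent non-compliance the alerting workflow described above should catch.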
As previously mentioned, data governance is not only an integral part of the GDPR, it should be a foundational component of any GDPR strategy. It allows you to clearly define business terms, processes, roles, and responsibilities, all critical to ongoing GDPR compliance. You may have an internal data governance program, or you may have purchased a data governance tool. But whatever your approach to data governance, your GDPR strategy would benefit from the ongoing value of fully automated audit controls. The solution you select should allow for the deployment of thousands of customized controls to meet the unique needs of your organization.
Alternatively, a single solution that integrates automated controls, data governance, analysis and dashboarding lets you realize not only the benefits of a comprehensive data governance program with audit controls and data quality checks, but also the benefits of machine learning algorithms that can automatically identify hidden personal data across your enterprise and continuously improve data profiling.
As noted before, there is no single solution that meets all the requirements of the GDPR. But there are a few that help with many of the challenging aspects of the regulation. Identifying one solution that covers the majority of the regulation will help you achieve compliance faster, build a foundation of data governance, and give you better visibility into your data, processes, and systems.
To learn more about meeting GDPR compliance, check out the data sheet below.
For a deeper dive into this topic, visit our resource center. Here you will find a broad selection of content that represents the compiled wisdom, experience, and advice of our seasoned data experts and thought leaders.