This article appeared in an edition of CISO MAG.
Contributed by Raymond Teo, Senior Vice President, Business Development, APAC, NTT Security.
In an uncertain world, one thing international organizations can be sure about is the need to mark 25 May 2018 in their calendars. Why? Because on that date the General Data Protection Regulation (GDPR) comes into effect. It will affect every organization in the world that collects or retains personally identifiable data about individuals in the European Union, wherever that organization itself is located.
Four years in the making, this European data protection initiative aims to harmonize the fragmented data privacy framework across the European Economic Area (EEA) and to ensure that fundamental rights are protected in today’s digital economy. Legislators believed that greater legal certainty would both reduce compliance costs and encourage long-term consumer confidence in the safety of the global digital marketplace. That is why GDPR’s reach cannot stop at the EU’s borders: it applies extraterritorially to any organization, wherever it is established, that offers goods or services to individuals in the EU or monitors their behaviour.
In our experience, many organizations that are located outside Europe but have a global employee and customer base remain behind the curve in assessing the risks and opportunities of GDPR. They do not have clear visibility, understanding and control over the personal data they process, nor control over its movement across multiple geographical locations. This lack of engagement is a risky strategy. With massive fines, and notification requirements that will push more breaches into the public eye, GDPR promises to make data privacy a potential public relations challenge. The penalties for falling short of compliance include fines of up to four percent of total worldwide annual turnover or EUR 20 million, whichever is higher. These potentially staggering numbers have a purpose: to put privacy and data security on the boardroom agenda by bringing them in line with the highest sanctions for regulatory non-compliance, such as anti-bribery and anti-trust laws.
This article aims to highlight the areas of GDPR that international businesses need to consider, and the practical steps they can take to ensure that they are ready for the 2018 deadline.
GDPR: a framework for a digital world
In seeking to transform data protection culture as well as practice, GDPR has bold ambitions. It encourages organizations to make privacy and data protection core business values instead of a casual afterthought. By placing the principle of ‘data protection by design and by default’ at its heart, GDPR requires organizations to collect and process only the personal data necessary for the specific purpose for which it was collected (the principles of purpose limitation and data minimization), and to implement controls that protect that data throughout its lifecycle. And what counts as personal data? GDPR defines it as “any information relating to an identified or identifiable natural person.” This may include data such as a name, physical address, email address, IP address, age, gender, location, health information, search queries, items purchased, cookies and RFID tags, for any individual in the EU, regardless of nationality.
As well as investigating how the regulation applies to their businesses, many of the organizations that we talk to are using GDPR as an opportunity to review and fully understand the personal data that they retain. Many wish to find practical ways to minimize that data and so reduce risk. Organizations are also actively revising processes for data storage and, perhaps most challengingly, for how access to personal data is controlled and restricted.
However, as we embrace the commercial opportunities of the digital world, should we allow GDPR to become a constraint? Or will consumer demand for new and innovative global services be matched by an expectation that their personal information is protected? Much of the regulation builds on existing EU legislation (it replaces the 1995 Data Protection Directive), and it also aligns with the direction of travel in other jurisdictions. While countries differ in their approach and in the maturity of their legislation, there are signs of upward convergence towards common data protection principles, particularly in certain regions of the world [2]. This variety of global data protection initiatives, some driven by GDPR and some not, is one of the reasons that organizations seek to work with data protection advisors who have international knowledge and up-to-date, relevant experience of these frameworks.
Don’t forget the PR in GDPR
For GDPR, or indeed any compliance regime, to be effective, failure must carry a reputational risk. Organizations that think this is just an IT issue have missed the fundamental point: every department within the business needs to think hard about data privacy. Sales, Marketing, HR, Finance: all process personal data and therefore may introduce risk. The new requirement to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to pose a risk to individuals’ rights and freedoms) will be a challenge for many organizations, not just in deciding how and what to report to the regulators, but in having the right systems in place to detect, assess and analyze a breach in the first place. Nor should organizations forget that regulators can come knocking at any time to check that adequate protections are in place; failing to satisfy them may result in a fine even if no breach has occurred.
The principle of accountability within the regulation requires clear lines of responsibility and reporting. The GDPR therefore mandates the appointment of a data protection officer (DPO) for certain types of organization: public authorities and bodies, and organizations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data such as health or criminal-conviction data.
Organizations are at varying stages of readiness for GDPR, from identifying and clarifying the exact requirements and effect of GDPR, to reviewing the adequacy of their existing program, to seeking to create audited evidence of implemented controls and compliance with GDPR (see Figure 1). Wherever you are on your journey, security and DPO executives will need to work together to assess GDPR readiness.
Where are you on your journey to GDPR?
Protecting and exchanging personal data are not mutually exclusive. A strong data protection system facilitates data flows by building consumer confidence in companies that care about the way they handle their customers’ personal data [3]. In our experience, organizations across the globe are at very different stages in their preparations for GDPR. But whatever stage they are at, it is clear that international businesses wishing to operate in the global digital market must think about the impact of GDPR in order to seize its commercial opportunities as well as to mitigate risk. As we have said, GDPR is just another milestone on the continuous road of privacy compliance, one that runs alongside the race for ever more innovative technologies that strive to make human life more efficient or more fun. Consequently, businesses cannot afford to let GDPR constrain their digital aspirations. If the road gets bumpy, organizations may want to consider qualified external partners ready to help them navigate the long compliance journey ahead.
- 1. TechCrunch: General Data Protection Regulation: A Milestone Of The Digital Age. https://techcrunch.com/2016/01/10/the-biggest-privacy-law-in-the-world-has-arrived/
- 2. UNCTAD (2016): Data protection regulations and international data flows: Implications for trade and development. http://unctad.org/en/PublicationsLibrary/dtlstict2016d1_en.pdf
- 3. European Commission: Communication from the Commission to the European Parliament and the Council. Exchanging and Protecting Personal Data in a Globalised World. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52017DC0007&from=EN
The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.