Privacy and data protection issues have been in the news several times since the beginning of 2018. On the one hand, large-scale data protection incidents (such as Facebook’s famous Cambridge Analytica case) have completely changed our perception of how major internet platforms handle our data. On the other hand, the European Union has put into force its new data protection law, which is already changing the way in which enterprises collect and process private data. GDPR has arrived at an opportune time, as users are becoming intensely concerned about their online privacy. As such, GDPR has attracted a lot of interest from the public, in addition to interest from the stakeholders responsible for implementing and enforcing it, such as legal experts and online service providers.
GDPR supersedes the former Data Protection Directive, which had been in effect since 1995 and served as the data protection framework for all European organizations since then. GDPR retains several elements of this former directive, yet it is much more ambitious in terms of its protective measures, while introducing much higher liabilities for non-compliance and personal data abuse. In general, GDPR aims at providing individuals with greater and more fine-grained control over their personal data, while at the same time requiring organizations that collect and analyze personal data to be more cautious about potential privacy violations. Furthermore, GDPR is notorious for the power that it gives data protection authorities and national regulators to impose significant fines on enterprises that breach the law.
GDPR is already a reality, as it came into force on May 25th, 2018. This milestone followed a two-year transition period given to organizations in order to comply with it. The European Parliament adopted GDPR in the first half of 2016, but granted organizations a grace period to help them prepare for the transition. Nevertheless, today, two months after the official launch of GDPR, there are still several misunderstandings about it. In the following paragraphs, we shed some light on the basic concepts and principles surrounding GDPR.
GDPR’s Main Principles
GDPR is built on six main principles, which should govern data collection, handling, and analysis by all organizations that gather, control and/or process personal data. In particular:
- Transparency, fairness, and lawfulness: Any organization that processes personal data must abide by the law, i.e., it must have a legal basis for doing so. Moreover, the processing of the data should be transparent to the individuals to whom the personal data belongs.
- Processing of personal data should be for specified and explicit purposes: Whenever an organization uses or processes personal data, it should do so for well-defined purposes that are explicitly known to the owners of the data. It is therefore prohibited to (re)use or disclose personal data for purposes other than the one for which the data was originally collected.
- Minimalistic data collection and storage principle: Data should only be collected when absolutely necessary for the stated purpose. Organizations should not collect more data than needed. For example, organizations that collect data for order tracking should restrict the scope of the data collection to the contact information required to communicate with their client. They should by no means collect additional data that is irrelevant to the stated purpose.
- Data accuracy and correction: Organizations should ensure the accuracy of the personal data they hold while putting in place procedures for erasing or rectifying inaccurate data. Hence, they should also provide the means for correcting data in cases of errors.
- Limited storage: Personal data should not be retained for longer than absolutely necessary to achieve the purpose of the original data collection. Moreover, individuals should be able to ask for erasure of their data as part of the famous “right to be forgotten”.
- Ensuring security, integrity, and confidentiality: Organizations are obliged to put in place technical and organizational measures in order to ensure the security, integrity, and confidentiality of the data.
GDPR’s Global Impact and Main Implications
GDPR was created in Europe and is meant to be applicable to European organizations. It applies to all processes that entail collection and analysis of anyone’s personal data, whenever the processing is performed as part of the activities of an organization established in the EU. Even if the processing of the data takes place outside the EU, organizations established in the EU must abide by the GDPR. Therefore, its applicability impacts organizations and enterprises beyond Europe, such as multi-national US firms with an established presence in the EU. Moreover, GDPR is having a global rather than EU-wide impact for the following additional reasons:
- It applies to organizations established outside the EU whenever they collect and process data of European citizens and individuals residing in the EU. This broadens the scope of GDPR’s applicability.
- It is increasingly viewed as a policy model for handling privacy issues internationally. In particular, it has already attracted the attention of businesses and governments in non-EU countries (e.g., Israel, Australia). We therefore expect to see many organizations outside Europe implementing GDPR in the near future.
The need to comply with GDPR has important implications for enterprises and other stakeholders, for example:
- GDPR obliges enterprises to revise their organizational and technical processes in order to ensure their compliance with the new law. This is a very important change, which enterprises cannot avoid as non-compliance is associated with huge fines. According to the law, the maximum fine for serious infringements will be the greater of €20 million or four percent (4%) of an organization’s annual global revenue!
- In several cases, GDPR compliance requires significant investments in processes, systems and legal consulting. These investments are barely affordable for Small and Medium Businesses (SMBs), notably microenterprises, which are concerned about how GDPR could affect their competitiveness and enterprise risk.
- Technology vendors and solution integrators should make sure that their solutions are GDPR compliant. This may put new restrictions on their technology strategy. For instance, there is a heated debate on whether the promising blockchain technologies could ever become GDPR compliant, because blockchains are associated with transparency and immutability, which conflict with the “right to be forgotten”.
- Data Privacy Authorities and National Regulators now have new roles and responsibilities in supervising GDPR compliance and supporting organizations at national and regional levels. Their everyday business will be disrupted substantially.
- Legal experts and various kinds of GDPR consultants have found a new line of business. We believe that this type of consulting should aim at helping enterprises safeguard the privacy of their customers, rather than imposing a legal burden without tangible business benefit. GDPR should become a productive investment, rather than a defensive strategy against possible fines.
We are only two months past the enforcement of GDPR, and it is probably too early to evaluate its impact on the market. For example, to date there have been no notorious fines for non-compliance, which could severely affect some businesses and their stance towards GDPR. Enterprises have certainly experienced the overhead of GDPR preparation, while consumers have been bombarded with messages about revisions of privacy policies and requests to reaffirm their consent for certain data processing tasks. GDPR is here to stay and will certainly put a lot of pressure on enterprises, IT solution integrators, and consultants. The challenge is to turn GDPR from an administrative burden into a growth vehicle that provides an opportunity to manage data effectively in this increasingly data-driven and customer-centric world.