Next month, the EU is planning to enforce the EU-Council’s General Data Protection Regulation, aka GDPR, a set of 99 articles that dictates rules for any organization, from any country, that handles the personal data of an employee, customer, or client residing in the EU. Non-compliance can result in heavy fines, the greater of $25M per incident or 4% of annual revenue. In the wake of the recent exposure of Facebook brokering 50 million US accounts to Cambridge Analytica, many companies are not only scrambling to meet the GDPR requirements, but are also beginning to see the importance of demonstrating responsibility and accountability when handling their customers’ personal data.
Unlike HIPAA and PCI regulations, which include specific actions required to be compliant when securing health and credit card data respectively, GDPR regulations tend to be statements of objectives rather than prescriptions. Organizations must generally decide for themselves how best to implement GDPR and demonstrate their compliance.
According to Article 5 of the EU GDPR – Principles relating to processing of personal data,
“…the controller [i.e. the primary organization using your data] shall be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data. These are: lawfulness, fairness and transparency, data minimization, accuracy, storage limitation and integrity, and confidentiality of personal data.”
The first thing to notice about this statement is that to be compliant with the GDPR, businesses DO NOT NEED to obtain any form of GDPR compliance certification from an authorized third party; you simply must DEMONSTRATE that you are compliant. And while a certification is one way of doing this, it still may not satisfy all the requirements.
Now take a look at the second part of this statement, which indicates that to demonstrate compliance, organizations should follow a set of general guidelines including lawfulness, fairness and transparency, data minimization, accuracy, storage limitation and integrity, and confidentiality of personal data. This latter part is also known as the accountability principle, and it is the central tenet of the entire GDPR. I won’t go through each one of these items, but from this, a picture begins to emerge of what the EU-Council expects from an organization in order for it to be personal data privacy compliant.
To underscore this, the council then goes a layer deeper when defining the responsibility of organizations within Article 24 – Responsibility of the Controller. The GDPR considers controllers the main actors when it comes to determining how and why personal data will be used within a business. Examples of controllers are Facebook, Google, LinkedIn, a healthcare provider, and every mom & pop online retailer. The EU council sums up the controller’s responsibility this way:
“Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”
In short, the EU-Council wants controllers to treat an individual’s privacy as a right to be protected, and at the discretion of the controller, this can be implemented via people, processes and/or tools. In other words, the EU-Council describes a set of values it expects organizations to adopt, leaving the implementation of these values up to the business.
Lastly, at the end of this particular article, it’s also noted that, “Those measures shall be reviewed and updated where necessary.” This is a subtle statement that many companies often miss. Compliance is not a one-time event; it’s an ongoing process. So when an organization is choosing its approach to compliance, it’s critical to ensure that the approach treats it that way.
Bringing this all together, when an organization adopts a set of values and integrates those values within all its processes, it is making a change to its culture. And a change in culture in how an organization values personal data privacy is the one thing an organization must adopt to achieve and maintain ongoing privacy compliance.
So how does an organization incorporate personal data privacy as a primary component of its culture? There is one final article we should look at that I believe provides a guide in getting there, GDPR Article 25 – Data Protection by Design and by Default.
Data Protection by Design and by Default, aka privacy by design, is generally taken as the process or processes an employee, customer, or client goes through when interacting with your business, structured in such a way that, by default, any personal data provided cannot be used by the organization until the individual is fully aware and purposely acts to permit its use, versus simply inferring unrestricted use until the individual calls a 1-800 number to disallow it. Are you listening, credit card companies?
While this is definitely a step in the direction of protecting one’s right to personal data privacy, I believe an organization needs to take the concept of privacy by design beyond the idea that it’s strictly up to a development team to implement a handful of checkboxes within an online product or service.
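The opt-in-by-default rule described above, written out as an access-control check so the difference from the opt-out model is concrete. This is an added illustration, not code from the original post or any real product; the data subject, purposes and dates are constructed.

```python
# Privacy by default (GDPR Art. 25) expressed as a deny-unless-consented rule.
# Hypothetical example; the subject "alice" and the purposes are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Consent:
    purpose: str                    # purpose limitation: consent is bound to one purpose
    granted_at: datetime
    expires_at: Optional[datetime]  # storage limitation: consent is re-confirmed, not perpetual

@dataclass
class DataSubject:
    subject_id: str
    consents: dict = field(default_factory=dict)  # purpose -> Consent
    opted_out: set = field(default_factory=set)   # used only by the opt-out model below

def grant_consent(subject: DataSubject, purpose: str, now: datetime, ttl_days: int = 365) -> None:
    """Record a deliberate, purpose-specific act of consent by the data subject."""
    subject.consents[purpose] = Consent(purpose, now, now + timedelta(days=ttl_days))

def withdraw_consent(subject: DataSubject, purpose: str) -> None:
    """Withdrawal must be as easy as granting: drop the record and processing stops."""
    subject.consents.pop(purpose, None)

def may_process_opt_out(subject: DataSubject, purpose: str) -> bool:
    """The model the post criticizes: use is inferred until the person objects."""
    return purpose not in subject.opted_out

def may_process_by_default(subject: DataSubject, purpose: str, now: datetime) -> bool:
    """Privacy by default: deny unless an explicit, unexpired consent exists for this exact purpose."""
    consent = subject.consents.get(purpose)
    if consent is None:
        return False
    return consent.expires_at is None or now < consent.expires_at

def demo() -> dict:
    now = datetime(2018, 5, 1)
    alice = DataSubject("alice")  # constructed sample data subject
    result = {}
    result["opt_out_new_user"] = may_process_opt_out(alice, "marketing")          # used until she objects
    result["opt_in_new_user"] = may_process_by_default(alice, "marketing", now)   # nothing until she agrees
    grant_consent(alice, "order_fulfillment", now, ttl_days=30)
    result["opt_in_granted"] = may_process_by_default(alice, "order_fulfillment", now)
    result["opt_in_other_purpose"] = may_process_by_default(alice, "marketing", now)  # consent does not carry over
    result["opt_in_expired"] = may_process_by_default(alice, "order_fulfillment", now + timedelta(days=31))
    withdraw_consent(alice, "order_fulfillment")
    result["opt_in_withdrawn"] = may_process_by_default(alice, "order_fulfillment", now)
    return result

if __name__ == "__main__":
    print(demo())
```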
Although there are a number of requirements to be technically GDPR compliant, such as performing data privacy impact assessments (DPIAs), hiring a data protection officer (DPO), and establishing a secure method of privacy-related communications with your data subjects (aka employees, consumers, and clients) and supervisory authorities (e.g. FTC, DOC in the US, ICO in the UK), privacy by design has to become ingrained throughout the entire company in all of its people, processes, and tools. Doing so will not only earn a company GDPR data privacy compliance, but also the ability to retain and gain employees, customers, and clients via trust, as well as long-term profits. Not all organizations are impacted by the GDPR regulation, but there are plenty of reasons why any organization should take a closer look at what the EU-Council put forward with the GDPR regulation and consider how it values personal data privacy.
Once organizations from Facebook to small online retailers begin to treat personal data privacy not simply as a certification to be obtained, but as a set of values to incorporate and maintain throughout their organization, we will begin to see a positive cultural shift throughout business and the global economy that benefits all of us.
Zuckerberg’s standing behind me, isn’t he?