When we talk with companies about GDPR, many point to their current compliance with HIPAA or other data-compliance handling regulations. Or, they’ll say something like, “We’re not based in the EU, so it doesn’t apply to us.” However, it doesn’t matter where your organization is located or incorporated. The bottom is this: If you handle European Union residents’ personal data, the General Data Protection Regulation (GDPR) requirements apply to you. What’s more, the requirements are far wider than current regulations. In fact, GDPR applies to any business—located anywhere in the world—that collects, stores, processes or monitors personal data of EU residents, even if they’re not EU citizens. For example, if someone has a bank account with an American-based bank and retains their account after moving across the Atlantic, that U.S. bank is still responsible for complying with GDPR requirements.
The GDPR gives residents broad rights over how data is handled, including the right to ensure that data is collected in a manner that’s accurate and secure with appropriate levels of consent. Individuals also reserve the right to have data erased, a.k.a. “the right to be forgotten”, and the right to data portability – meaning that data subjects can request their personal data in a commonly used and machine-readable format in order to give it to another data controller, and where feasible can require you to transmit it directly to the new data controller (potentially one of your competitors). The GDPR will have a significant impact on how companies manage data, requiring a thorough understanding of the complete data lifecycle.
PII vs. personal data
The GDPR personal data definition is far broader than the concept of personally-identifiable information (PII), which is commonly used in the US. When it comes to GDPR, EUGDPR.org offers this succinct two-line definition in its FAQ:
What constitutes personal data? Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
If an EU resident can be identified—directly or indirectly—by a piece of data, every company that’s handling that data must be GDPR-compliant. This data includes names and ID numbers, along with location data, cookies, IP addresses and more. The GDPR also classifies genetic and biometric data, such as touch ID metrics, as personal data. As an indication of how the EU views personal information, the legal definition couches it as a human right.
Systems, processes, and data states covered by GDPR
The GDPR covers every aspect of data and data security. Even a partial list is daunting:
- Application security
- Cloud storage and file sharing services
- Data encryption (at rest and in transit)
- Customer Master
- Master Data Management
- Geolocation Information
- Metadata Management: Data Discovery and Classification
- Endpoint security
- Identity and access management
- Mobile device management
- Perimeter security
- Pseudonymization, masking data and encrypting identifying data
- Risk mitigation (rather than security)
From a technical standpoint, many organizations experience challenges understanding what data they have on hand, where that data is located and its level of business value. Approximately one-third of global enterprise data is actually duplicate data. Studies show that the majority of data (especially unstructured data) held by a company is “dark,” with no tracking of its existence.
GDPR concepts around minimization of customer data means companies will need to be able to demonstrate that any business process touching personal data maintains appropriate levels of consent and uses as little data as necessary, for the shortest period of time possible. There is also a requirement that data be exposed to the smallest number of people possible and then, it ought to be deleted as quickly as possible. With the vast majority of personal data being collected, captured, stored, structured, organized and processed in digital forms, GDPR compliance will require an exceedingly well-governed data management environment with robust Data Governance standards, policies and procedures.
What rights does GDPR give EU residents over their personal data?
It’s not just the broad definition of personal data or the high volume of privacy and security requirements that make GDPR compliance so complex. If you handle EU residents’ personal data, you also need to provide mechanisms that allow an individual to exercise the rights that are afforded by the GDPR. The ability to search, discover and review data is a critical component of GDPR compliance.
As just one example, the right to have data erased (a.k.a., “the right to be forgotten”) is a task in and of itself. But if that data is stored in multiple systems, and potentially shared with multiple partners, the task becomes dramatically more complex – requiring the technological ability to erase all affected data promptly.
There are a number of other rights under the GDPR, rights that you’ll need to ensure EU residents can exercise as well, including:
- Access to information
- The ability to have inaccuracies corrected
- Data portability
- Prevention of tracking/direct marketing
- Notification of data breaches
All of these rights require a new level of enterprise-wide data mapping, data governance, data architecture and system management.
Children’s data may be collected only with verified parental consent and any privacy notice must be written in age-appropriate language that the child is likely to understand. Therefore, if your company handles this type of data, you’ll need a system in place to address these issues.
The countdown to GDPR compliance is underway
GDPR is meant to simplify what had once been a country-by-country patchwork approach to handling personal data. The deadline for full compliance is May 25, 2018. The GDPR definition of personal data is broad—and the rights it codifies are wide-ranging—while the number of affected companies is deceptively large.
Ensuring GDPR compliance can be overwhelming, but it doesn’t have to be with the right partner. The GDPR is about people, process and technology. The “data protection by design” that’s spelled out in the GDPR will require high-level consideration of systems, with all parts of the organization working together as a systematic whole. Complying with the GDPR requires both organizational and technical measures.
Like what you see?
Executive Team member Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, and other national and international organizations.