“Data is the currency of the digital economy.”
-European Commission, comments on Data Protection Day 2015
When discussing GDPR with someone, I usually refer to two facts about the modern world:
1. There is more personal data in our economy than ever before. According to Google’s annualized ARPU measures, 90% of all data in electronic form in the world today has been created in the last five years.
2. That data is more valuable than ever before. Some estimates indicate that the value of personal data worldwide has the potential to reach $10 trillion annually by 2020.
These two facts explain a lot of today’s data politics. Regarding data as a lucrative asset, corporations have created ever finer dragnets to capture it. Millions of individuals regularly exchange their data for digital services, often without reading the complex contracts under which they do so. The value of data also motivates hackers, who wreak havoc through a wide variety of threat vectors.
In order to address this new world, the European Union adopted the General Data Protection Regulation, or GDPR, in April of 2016. Set to take effect on May 25, 2018, GDPR aims to regulate the burgeoning data industry.
I would describe GDPR as all-encompassing, given how it impacts every actor in today’s data economy. It governs how corporations collect, use, store, and transfer data. It expands data protections to include all EU residents and every corporation that does business on the continent. It empowers regulators to levy huge penalties for noncompliance.
To explain these colossal changes, the European Union created a publicly-available site to provide and explain the text of the bill.
GDPR includes several measures of special significance:
Expanded scope: GDPR “applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.”
Harsher penalties: Organizations that don’t comply “can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).”
Mandatory consent: companies must gain consent from clients before collecting data, and they must explain terms in “an intelligible and easily accessible form, using clear and plain language.” The bill specifically targets “legalese.”
GDPR will likely impact every organization, regardless of size or industry or location.
GDPR affects both controllers (organizations that collect and process data for their own purposes) and processors (organizations that process data on behalf of others). Whether you process the data of EU citizens or on behalf of an EU company, GDPR applies to you.
Article Six of the legislation provides grounds on which data can be lawfully processed:
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
These protections are born out of several core principles, including the right to opt in, the ‘right to be forgotten,’ the right to access your data, and the right to know when you or your data have been hacked. According to the European Commission, all organizations must provide “data protection by design and by default.”
Even if you don’t process data of or for EU residents, GDPR will probably impact your business. Other countries and nation blocs will almost certainly reevaluate their data policies, instituting, if not overhauls as broad as GDPR, then at least some of its most popular changes.
However, if you even suspect that you might fall under GDPR, you ignore it at your own peril. Regulators can impose sky-high fines in two tiers. Tier 1 addresses less serious offenses like failing to keep adequate records or ensure appropriate security. Tier 2 covers more grave transgressions, including flouting basic principles, ignoring consent, and infringing on the rights of data subjects. The fines are massive: for Tier 1, whichever is greater of either €10 million or two percent of worldwide revenues; for Tier 2, whichever is greater of either €20 million or four percent of worldwide revenues.
So how can you prepare your organization?
Whether you’re inside or outside the EU, you can and should take steps to ensure compliance with GDPR, if only to prepare for similar regulations sure to come:
- Communicate and educate. Elevate the importance of this topic by addressing it every level of your organization, especially among key decision makers. Also, network with likeminded businesses to learn and share best practices. If you lack the expertise, you may even consider formalizing a role of Data Protection Officer, whether sourced internally, as a shared role across a group of companies, or outsourced.
- Establish an accountability framework. Foster a culture of regularly monitoring, reviewing, assessing, and auditing your data processing procedures. Aim to minimize retention of stale data. Build in safeguards to ensure staff are thoroughly trained and understand their obligations. Put in place clear policies to prove that you meet the requirements.
- Inspect privacy notices and policies. Make sure these notices are in clear and plain language, are transparent, and are easily accessible.
- Embrace privacy by design. Build structured assessment and validation early on to ensure that privacy is embedded into any new process or product. Do this not merely to demonstrate compliance, but also to reap additional benefits such as a stronger competitive advantage. Think carefully about how mobile devices are used throughout your organization.
- Analyze how you use personal data. Consent is just one of many ways to legitimize processing of personal data and may not always be the best – remember, it can be withdrawn. Consider the legal basis on which you use personal data as well, since the burden of proof will always be on you. When obtaining consent, have frequent legal review of your forms and documents to make sure consents are freely given, specific, and informed.
- Manage data transfer wisely. With any transfer of personal data, including intra-group or processor transfers, it will be imperative that you have a legitimate basis for the transfer and take all necessary precautions to ensure adequate data protection.
- Choose processors wisely. Understand that the responsibility for your data protection ultimately lies with you. Select processors whom you trust and that can provide you with adequate documentation regarding GDPR compliance, data security capability, breach management, communication standards, and division of responsibilities.
- Prepare for security breaches. Data breaches will occur, so don’t assume that they won’t. Instead, be prepared by establishing clear policies and well-practiced procedures that empower your organization to react quickly to any data breach and notify in a timely manner.
- Lastly, remember the Golden Rule. Do unto others as you would have others do unto you. This sentiment applies here. Think about how you want your private information treated and show others that same courtesy. Be prepared for data subjects to exercise their rights under GDPR such as data portability, erasure, etc. Consider legitimate grounds for retention as there are several that can override the interests of data subjects. Again, have your supporting documentation ready for the burden of proof.
Xledger serves more than 9000 businesses across the globe and is a trusted provider of cloud ERP. As a processor (on behalf of our customers) within GDPR, we have implemented appropriate technical and organizational measures to protect the rights of data subjects and satisfy processing requirements. You can find our formal GDPR terms here. In short, Xledger will: only process data in accordance with each controller’s (customer’s) instructions; support controllers in managing data subject requests; abide by the GDPR breach notification requirements; and assure the security of data processing.