Operational Impacts of GDPR

Even the slightest disturbance at the surface of water creates ripples which has far reaching effects, same general phenomena applies to any new law enforced into our society.

The EU General Data Protection Regulation (GDPR) will be replacing the Data Protection Directive 95/46/EC and will in in effect from 25th May 2018. It gives 8 important rights to every EU citizen and you can read more about it in our previous article available here.

The GDPR is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.  

This enforcement portend a more far-reaching operational impacts for companies doing business in Europe.

Some of those possible effects we will be going to discuss in brief here.

 

1. Mandatory data-breach notification

In case of personal data breach the supervisory authority and the individual whose data has been compromised must be notified not later than 72 hours after becoming aware of it. Where, it is not possible to share the complete information at the time of data breach, the information may be provided in phases without undue delay.
Companies will most likely want to avoid the negative publicity of these disclosures. As a result, we expect to see multinationals gradually ramp up comprehensive risk assessments, end-to-end security enhancements, and outsourced managed security services.
Surely the key concern is that breached personal data could be used against individuals’ interests: Individuals must be told of confidentiality breaches so they can take steps to protect themselves against identity theft/fraud – such as by resetting their passwords, or cancelling cards.
Under GDPR, a controller is to be made “aware” upon having “a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised,” depending on the circumstances. This includes discovering loss of an unencrypted CD, or receiving clear evidence of breach from another.
After being told of a potential breach, a controller may undertake “a short period of investigation” to establish if there really was a breach, during which it’s not considered “aware.” However, GDPR expects the investigation to start ASAP and establish “with a reasonable degree of certainty” (1) whether there was an actual breach, and (2) possible consequences for individuals. More detailed investigation can follow.
It will be mandatory to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms.
So if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report.

2. Requirement of a mandatory data protection officer

Designation of the Data Protection Officer(DPO) is now a mandatory requirement. GDPR calls Data Protection Officer to duty to comply with the new standards. These data protection officers must have “expert knowledge of data protection law and practices.”
The GDPR will have a broad influence on the existing technology and business processes, however, this will effectively require DPOs to exhibit expertise in these other areas as well as project and program management, such as risk assessment and compliance monitoring skills.
Surely the next two years will be golden years for Senior executives boasting this type of resume as they are in short supply in Europe.

3. Pseudonymization

Pseudonymization is the process of separating the data from the direct identifiers so that linkage to an identity cannot be made without additional information that is held separately.
Among the arsenal of IT security techniques available, pseudonymization is highly recommended by the GDPR regulation.  Such techniques reduce risk and assist “data processors” in fulfilling their data compliance regulations.
There is a possibility that this might affect Big data analysis, as to conduct big data analysis collecting personal information is inevitable.
Pseudonymization enables to uncouple specific data aspects from a data subject whereby the most identifying and/or sensitive data fields in the record are replace by pseudonyms. For Instance we take an IT company, the information stored for a customer by them can be consistent replacement with statistical distribution for the names For example Mathew will be saved as Joseph as this enables them to track details of the customer whilst protecting their anonymity.
Yet, pseudonymization can be reversed. This is of course not a problem as such. However, only people who have the authorization to reverse it can do so. When the reversal of pseudonymization is not authorized there is a problem: unauthorized reversal is a personal data breach (if it means a risk for the data subject).

4. Consent

We know great power comes with great responsibility but it can become a curse, well we didn’t think of it that way. For marketers, the biggest concerns surround the issues of data collection and consent
As with GDPR in effect will empower Individuals with power over their personal information but would also impose a significant burden on companies with personal data stored across multiple systems.
Consent is the only basis through which targeted marketing works. GDPR specifies that publishers and advertisers need to get consent from each user to employ their personal data to target ads.
The personal data includes any info that can be used to help pinpoint an individual; for GDPR, that includes IP addresses and browsing trails, as well as email addresses. And the consent needs to itemize each use, which has at least 10 different opt-ins for digital ads, including showing relevant ads, creating a profile based on your browsing habits, seeing if you interacted with an ad and so on.
What we need to see is that if the new right proves popular, companies may need to maintain comprehensive data inventories, accelerate data-governance strategies, and potentially re-architect key systems in order to more efficiently process these requests.

5. Consequences

The penalties for non-compliance are eye watering. Infringement on certain articles of GDPR carry fines of up to €20M or up to 4 per cent of total global revenue of the preceding year, whichever is greater. Other fines carry penalties up to €10M or up to 2 per cent of total global revenue of the preceding year, whichever is greater. These punishments show it is important that compliance is met and GDPR is not ignored.
There is a lot to see when GDPR actually comes into effect. All we can do is suggest that precaution is better before the storm strikes, once it hits, you will be the one to suffer. So if you are operating in Europe you should already be initiating GDPR readiness assessments in order to complete the gap remediation before the deadline. Do leave suggestions in the comment section below.



Top