The EU’s much-anticipated General Data Protection Regulation took force on May 25. Its far-reaching requirements raise potential conflicts with current data management practices, and organizations face a new level of compliance requirements.
The GDPR, which affects any organization with data on EU residents, signals a fundamental regulatory shift that gives individuals rights over their own data and enforces corporate responsibility for its use. Its philosophy is less permissive than many existing data practices, and compliance requires that businesses heed the EU’s mandate for “data protection by design and default” at all stages.
Data management in many organizations has evolved in an ad hoc manner, pieced together as technology—particularly mobile and internet—has changed. GDPR, in contrast, takes a cohesive view. Based on the concept of data protection by design, it requires that safeguards be implemented at the earliest planning stages rather than as an afterthought. The principle is outlined in Article 25, with added emphasis in clauses that limit grounds for data collection and specify transparency in use and storage.
While organizations may find they need to rethink their privacy approach in light of GDPR, the challenge of compliance requires a practical plan. First steps should include a comprehensive inventory to discover what data the organization holds, where, and for what purpose, with the intent of understanding the applicable legal basis for collection, use, and retention.
Another change from business-as-usual is the GDPR mandate for use of data protection impact assessments, particularly when sensitive data is to be processed at scale and whenever that processing “is likely to result in high risk” to people’s privacy rights.
As outlined in Article 35, DPIAs must include the purposes and “legitimate interest” of the proposed data processing, assessment of the necessity and risks surrounding it, and the safeguards included for mitigation.
These DPIAs are not intended to be a one-time activity—the EU calls them “living tools” and expects them to be used on an ongoing basis, considering them a key element of the data-protection-by-design ethos.
For these reasons, businesses will want to implement the DPIA process with rigor, not only to better understand their own risk exposure, but also to document and demonstrate a commitment to compliance with the overall regulation.
Data controllers and processors—the organizations making decisions about data and those that implement them—shoulder different burdens within the shared obligation of personal data protection. Articles 24 through 32 outline these respective duties. Neither party can abdicate responsibility to the other, nor should they operate without binding agreements spelling out expectations.
This presents a problem for many entities, especially where multiple vendor relationships need to be formalized with parties who, facing a higher burden of liability, may be motivated to push for more favourable terms.
Negotiating these agreements, which can number in the hundreds or thousands for a single organization, is among the biggest challenges of GDPR compliance. It will require a methodical approach to vendor assessment and contract management. This will include identifying impacted relationships and the steps required to bring them into line, as well as implementing processes to track and carry out ongoing reviews.
Under GDPR, many organizations will be required to undergo a cultural shift in their thinking on data processing, but a pragmatic and well-planned approach can help close the compliance gap.