While the expanded regulations and new accountabilities of the European Union (EU) Regulation 2016/679, better known as the General Data Protection Regulation (GDPR), are daunting in scope, they also provide significant opportunities. ((Official Journal of the European Union. L 119. 4 May 2016. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:119:TOC)) For instance, while demonstrating privacy by design will be an ongoing organizational obligation, complying with the new regulations and then using that compliance as a marketing strength to increase consumer trust through a privacy certification represents a budding advantage in the marketplace. ((In the US, privacy is a consumer rights and trust issue that is legislated at the sector level by both states and the federal government. Since the Second World War, privacy in the EU has been considered a human rights issue, an inalienable right of all EU citizens. To learn more about the fundamental differences on the concept of privacy between the EU and the US, see Shared Assessments blog: EU’s GDPR and the EU-US Privacy Shield: Where Are We and Why Are We There?)) Privacy certifications are offered by private companies, currently for the EU Privacy Shield program that went into effect August 1, 2016 as the successor of the EU-US Safe Harbor Program.
Consumers are realizing and better understanding the extent of the privacy they have relinquished in their online lives and the value of their individual data. As consumers have become more concerned about their online footprint, the likelihood is growing that they may begin differentiating products and services on the basis of privacy. There has been increased activism, and EU courts have been finding more on the side of individual privacy, as in the ‘right to be forgotten’ cases. ((Factsheet on the “Right to be Forgotten” ruling (C-131-12) European Commission. ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf. 2016.))
As GDPR applies to any entity that touches data on EU citizens, even if that entity did not collect the data itself, it is important to understand that this is fundamentally an extraterritorial regulation, meaning that it applies equally across international boundaries. Organizations that want to enter or remain in a market where they touch the data of EU data subjects, including data processors, will be obliged to follow these rules.
The new regulations provide organizations with the opportunity to:
- Manage from the viewpoint that privacy is not only law in the EU, but can be applied as a best-practice standard.
- Work within a consistent set of principles.
- Use the requirement for proof of privacy by design for consumer engagement.
- Be proactive toward meeting and managing processes related to information management.
The GDPR sets up consistent mechanisms within the following hierarchy:
- The European Data Protection Board (EDPB) has legal status backed by the Court of Justice of the European Union (CJEU) and the national courts.
- The EDPB oversees each nationally appointed data protection authority, which in turn supervises the ‘data controller’ – the organization that collects data from EU citizens.
- The data controller has duties to protect the rights of the individual data subjects, as well as to ensure that its third party data processors are also GDPR-compliant.
- The data controller’s responsibilities also extend to other interested third parties, including Member State authorities, private sector stakeholders, and privacy, data protection and consumer organizations.
Organizations can begin their movement toward being GDPR-compliant through a process of open-minded self-assessment, planning and design, and implementation, not only of their own organization but also in outreach to every party with which they do business, before the May 25, 2018 effective date of the regulation.
- Self-assessment should include data mapping (know where your data is and what is being done with it), legal advisement, IT tech process examination, training for front-line staff, understanding access issues (such as automated decision making, data portability, etc.), vendor security, and budgeting for addressing risks and any identified gaps (both internally and with third parties).
- Planning needs to include evaluating and designing for managing vendor risk, training, data classification by use type and risk rating of vendors, proper data access and auditing processes, as well as consensus building around planning and implementation both internally and externally among partners and other stakeholders.
- Implementation must include:
  - Pre-implementation Privacy Impact Assessments (PIAs) as well as PIAs on an ongoing basis for high risk activities;
  - Appropriate vendor vetting due diligence;
  - New processes and capabilities surrounding the ‘right to be forgotten,’ ‘data portability rights’ and breach response notifications;
  - Formal GDPR assessments to ensure gaps both internally and with third parties are closed and remain closed; and
  - Record keeping that is GDPR-compliant.
GDPR can be viewed from two perspectives: as a stringent compliance exercise or as good business practice. From a third party risk management perspective, it will be utterly essential that organizations carefully contract for and monitor the GDPR readiness of their partners and vendors to demonstrate that they have met all the requirements throughout the supply chain. Those organizations that proactively manage for GDPR compliance through improved data protection and accountability may enjoy greater consumer acceptance and be more resilient going forward. It is likely that we will see additional support from industry-based codes of conduct, seals and certifications of compliance that indicate organizations are meeting the increased requirements for their vertical’s product and service delivery. Binding corporate rules, which apply globally to all parts of an organization, will continue to be one of the mechanisms specified under GDPR that prove organizations have good practices. Privacy Shield certification for firms that may touch subject data would also be among the practices that allow organizations to assure consumers and regulators that they are following GDPR. ((This article is based, with permission, on the Shared Assessments Member Forum presentation: The EU – GDPR Paths to Compliance made July 5, 2016 by Ralph T. O’Brien, CIPP/E, CIPM, CiISMP, MBCS, Senior Consultant for the EMEA region at TRUSTe.))
Marya Roddis is Vice President of Communications for The Santa Fe Group. She develops blog content and assists staff and members to document committee projects in white papers and briefings, as well as working on blog editing, press releases and other marketing documentation projects. She has worked as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services, and regional economic and business development.