In Part 1 we discussed what the goal of the General Data Protection Regulation (GDPR) is and who is affected. The goal of the GDPR “is … to standardize the data privacy laws across the EU to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.” All EU countries and partners are affected, as are all organizations that offer goods or services to EU residents and/or collect, store, transfer, or process the personal information of any EU resident. GDPR becomes effective May 2018, and any organization that is not in compliance by that date is subject to maximum fines of up to 4% of annual global revenue or €20 million. Like any other regulatory compliance regime, GDPR has specific roles, governing bodies, and a rhyme and reason as to why the regulation is necessary.

Questions to tackle in Part 2: What are the roles of a controller and a processor within GDPR? Will your organization need to hire a Data Protection Officer (DPO)? What requirements must be in place in order to designate a DPO? With GDPR replacing the Data Protection Directive 95/46/EC, how will the compliance burden change?
What Are the Roles of a Controller and a Processor?
Differentiating between a controller and a processor is very important when understanding the compliance burden of GDPR. All organizations doing “business” in the EU fall into one of two primary roles: data controller or processor. A data controller is any organization that collects personal data from EU residents. A processor is any organization that processes personal data on behalf of a data controller. Processors can include cloud service providers that process data collected on any data subject (person) residing in the EU. Personal data is any information related to a natural person, or ‘Data Subject’, that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, or an email address, to bank details, posts on social networking websites, medical information, or even a computer IP address.
New GDPR Requirements:
- Mandatory Consent of subjects for data processing
- Anonymizing collected data to protect privacy
- Informing individuals and the regulatory body of a data breach
- Safely and securely handling the transfer of data across borders
- Appointment of a data protection officer to oversee compliance for certain organizations
What is a Data Protection Officer (DPO)?
A DPO is a security leadership role mandated by GDPR that is tasked with oversight of the data protection strategy and the execution of compliance with GDPR requirements. Article 37 does not define specific credentials for the DPO, but there are certain requirements that the DPO must meet. The DPO must be appointed based on professional qualities and, in particular, expert knowledge of data protection law and practices. They may be a staff member or an external service provider. Their contact details must be provided to the relevant DPA (data protection authority) office, and the DPO must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge. The DPO is to report directly to the highest level of management. Lastly, the DPO may not carry out any other tasks that could result in a conflict of interest.
When Is A DPO Mandatory?
A DPO must be appointed in the case of: (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
How Will the Compliance Burden Shift?
Currently, controllers are mandated to notify local DPA offices of their data processing activities. For transnational organizations this is a bureaucratic nightmare, because most Member States have different notification requirements. GDPR addresses this problem: it is no longer necessary to submit notifications/registrations of data processing activities to each local DPA office, and it will no longer be required to report or receive approval for transfers based on the Model Contract Clauses (MCCs). In their place there will be internal record-keeping requirements, and appointing a DPO will be mandatory only for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offenses.
Consent Is the Goal
Like any type of compliance burden, human capital and internal financial resources will be required to achieve compliance, but GDPR is more focused on setting a higher bar for receiving customer consent to legally handle the data of those who live in the EU and other partnering countries. Easy-to-understand opt-in policies that are straightforward for the user, maintaining secure records of consent for all users, and, most importantly, allowing your data subjects the freedom to withdraw consent at their discretion are the pillars of staying in GDPR compliance. The level of consent must also be clearly defined, with zero ambiguity over how the data will be handled, so that the customer is empowered to provide consent that they are comfortable with. Bottom line: the focus of GDPR is giving all customers whose personal information is going to be handled a choice over whether they want it handled at all, and at any time they can receive the data that is being processed (Data Portability) or have the data eliminated altogether (Right to Be Forgotten).
Compliance Is Expensive, But Necessary
Compliance initiatives are designed to take your organization out of harm’s way, and unfortunately there is always a cost associated with them. These costs should never inhibit your organization from achieving said compliance, regardless of size, because the long-term consequences are much more expensive. Maintaining GDPR compliance is now a cost of doing business in this region, and it calls to mind the importance of how we handle customer personal information. Proper management of PII has become unavoidable: data breaches have reached a point where organizations can no longer ignore how they receive, store, access, and potentially disseminate this very risky data set.
In Part 3 of 3 we will look at what pseudonymization is, how TokenEx delivers GDPR compliance through our platform, and how this benefits our customers. TokenEx is the industry leader in cloud tokenization and encryption. Follow us on Twitter and LinkedIn.