Decoding the EU's data privacy laws
Information governance across borders is an increasingly complex issue—one that's getting more attention thanks to the strict new regulations recently approved in the European Union.
The simplest way to decode Europe's complex new data privacy law is to realize it's designed to protect people, not data. Data is easy to isolate, but people cross borders (both in person and online), leaving trails of digital data everywhere they go. This data can put companies with European customers at risk of massive penalties, even if they have no facilities and few business interests within the EU.
And while the EU's General Data Protection Regulation (GDPR) is the most compelling and urgent set of privacy rules for global businesses right now, there will be more to come.
GDPR is only "the thin edge of the wedge," says David Kemp, a Hewlett Packard Enterprise business development specialist for EMEA. Non-EU countries, including Norway, Switzerland, and South Africa, are already building GDPR-like elements into their own laws to avoid problems with the EU—a major trading partner of each.
Some expect the United Kingdom to follow suit after Brexit. That expands the number of potential trading partners with which privacy issues could arise, even for companies with no current ties to the EU. And other nations worldwide may well follow suit, with rules that match or exceed the EU requirements.
One major goal of the GDPR, which was enacted by the EU in April and goes into full effect in 2018, is to protect the personally identifiable information (PII) of European citizens—even PII held in countries outside the EU, says Kemp, a British lawyer with expertise in EU privacy and information governance, banking industry regulation and compliance, and insurance industry risk analysis and management.
Any PII about EU citizens collected by any company, anywhere, in any medium, falls under the rules of GDPR, Kemp says. For example, data on EU citizens who buy goods online for shipment to the EU—regardless of whether the vendor has European facilities—would have to comply with GDPR requirements. Companies refusing to comply could be punished with fines of up to 4 percent of global revenues or, in extreme cases, criminal charges and prison terms.
To enforce the rules, Kemp says, EU authorities can impede contracts, trading, or travel to the EU; suspend the banking or trading licenses of noncompliant companies; or lodge criminal charges to achieve compliance under European law. And the regulations apply to more than typical structured data. Security camera video showing an EU citizen using a passport as identification would qualify as PII that has to be tracked, audited, and forgotten, along with every other bit of PII, if the customer issued a request to be forgotten. That's far beyond the ability of most companies, which would probably struggle just to separate EU from non-EU data in their structured databases.
Adjusting IT processes to accommodate EU data privacy laws
The records management challenge of privacy regulations can be broken down into smaller components in the same way as any other IT project can be, Kemp says. The first step is to make a complete risk assessment that identifies the types of data collected and held by a company, and the potential for compliance problems with GDPR. Questions to ask include:
- What kinds of sensitive data do we collect, on whom, and from where?
- How do we collect data, and do we disclose that data to regulators or customers?
- How do we store data—in what databases, servers, or clouds? Owned by whom, in what countries?
- How do we use the data and with whom do we share it? How long do we keep it?
- What policies, procedures, contracts, and safety measures do we use to protect data? How vulnerable is it anyway?
- Who is responsible for our PII, and do they manage it correctly?
- How do we correct, update, and delete data? Could we meet a regulation deadline of 72 hours to report a breach?
The second step, he says, is to assess existing systems and decide how to update them to versions able to manage compliance with GDPR. The EU requires that privacy protection capabilities be built into one's products "by design," but effective privacy protection must also align with business goals and adapt to changes in privacy requirements or business processes, according to the International Association of Privacy Professionals.
Fortunately, Kemp says, the business case is there. Beyond avoiding the considerable costs of failing to comply, the records management exercise driven by privacy regulations has other benefits. "You have to dedupe or get rid of data that isn't kept in compliance with the regulation," he notes, "but what you get is defensibility, compliance—which helps avoid penalties—and efficiency that saves operational costs and gives you more ability to start mining the anonymized data that you otherwise might feel you can't deal with."
To avoid making the records management system overhaul a daunting prospect, Kemp says, it's important to break down the records being managed into smaller segments that let the company address each need separately, at a manageable pace.
"Any sensible, prudent organization will already have policies, procedures, and technology in place to provide some level of consistent governance in accordance with the 1995 EU General Data Protection Directive," he says. "You might begin by determining that all data going forward will be handled according to more complete guidelines, or begin by searching for all structured data sources and then move on to unstructured data later."
The key is not to ignore a potential threat just because it is unusual, but to follow a specific set of steps to deal with it:
- Evaluate your risk.
- Identify the improvements that are an absolute requirement to avoid penalties.
- Find ways to leverage those changes into business improvements that could accelerate the return on investment.
- Select a systems provider that can build one module on another to scale in exactly the way you need.
As thinking—and regulation—around privacy matures globally, organizations will continually be challenged to keep up with new requirements. A smart, comprehensive approach to information governance will make the challenge easier to meet.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.