A new European Union regulation that came into effect on May 25 is the most far-reaching privacy mandate implemented to date, impacting personal data protection requirements across the world.
By Salil Sankaran
Anyone who has visited a major website in the past six weeks — whether a prominent news portal or an e-commerce site — would have seen pop-ups seeking consent to use cookies to collect their personal data. The reason these websites are now requesting explicit consent involves a new European Union law that went into effect on May 25.
The General Data Protection Regulation (GDPR), which is aimed at bolstering data protection and privacy for EU citizens, applies when personal data is collected from any individual who is located in an EU or European Economic Area (EEA) country when the data is collected. Referred to as “natural persons” or “data subjects”, this concerns EU/EEA citizens and non-citizens alike (for instance, business and leisure travelers, expatriates). The regulation affects not just EU/EEA businesses, but all organizations across the world that do business and collect personal information within the European Union/EEA.
GDPR is the most sweeping data-protection regulation implemented in the world. Adopted by the European Parliament and Council of the European Union in April 2016, it gave impacted organizations more than two years to establish capabilities that adequately limit, manage and protect the privacy-related data that they collect or process — whether for their own purposes (as data controllers) or on behalf of another organization (as data processors).
The law stipulates that the “protection of natural persons in relation to the processing of personal data is a fundamental right.” As per GDPR, data controllers/processors should clearly disclose that they are collecting data; state why they are doing it; state how long they are going to retain the data; and state whether the data is being shared with third parties.
Organizations that collect the data, both in government and the private sector, are mandated to appoint a data protection officer tasked with managing GDPR compliance. Relevant businesses based outside of the EU/EEA also must have a GDPR representative located within the European Union.
Any data breaches must be reported within 72 hours, “unless the personal data breach is unlikely to result in a risk to the rights and freedoms” of individuals.
Infringements of the regulation can result in huge “administrative fines” of up to €10 million ($11.57 million), or in the case of businesses, up to 2 percent “of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
We, at Ampcus, have been working with clients to navigate GDPR compliance ever since the law was adopted, and I am happy to report that all of our clients have achieved compliance.
I would advise any organization — whose business involves processing of personal data — to take immediate measures to comply with GDPR, if they have not already done so. Recognizing that your organization has a responsibility to comply with the regulation is the first step. Understanding the scope and impact of the regulation is the next step. Four GDPR provisions are particularly challenging; together, they can be termed CARE: Consent, Access, Receipt and Erasure.
Organizations must seek consent to collect personal data in easily understandable language and clarify their intended purpose for the data. The challenge here is that they must make it as easy for an individual to withdraw consent as it is to provide it.
Secondly, EU/EEA individuals have the right to seek access to their personal data, with regard to what has been collected, where it is located and for what purpose the data is being used. However, putting in place an efficient system to provide a comprehensive view of the personal data and responding to questions in a timely manner requires a lot of resources.
Organizations also must fulfill a person’s request for receipt of his or her personal data and potential transfer to another entity.
Finally, EU citizens have the “Right to be Forgotten,” which requires putting in place a data erasure process that can be complex and expensive.
The implementation of GDPR has required organizations to abandon their old data management approaches, which are too limiting and will not work. They need new capabilities to aggregate, classify and tag structured and unstructured data across their data footprint to achieve the compliance mandates. Fortunately, organizations can benefit from these technology improvements, as they enable businesses to harness their data for competitive advantage.
Any organization that has achieved GDPR compliance will have established a system to adequately limit, manage and protect its privacy-related data. It would have, in the process, adopted advanced principles of effective data governance and information security. As a result, it will realize efficiency and quality improvements across the organization and a positive industry reputation. This added “return on investment” is a rewarding by-product of compliance, and has even motivated organizations not subject to GDPR to begin the data protection journey.
(Salil Sankaran is the President of Ampcus, a global provider of innovative, quality and cost-effective Business & Technology Consulting Services.)