What are the Business Implications of GDPR?
For those of you who don’t know what GDPR is [and didn’t yet connect with my first blog on the subject], it stands for “General Data Protection Regulation”. It is the new European Union law on data protection, replacing the existing EU data protection directive, and will be implemented by every individual country in the EU. This has wide-ranging implications for enterprise organizations across the EU.
TechTarget users are certainly keen to understand these implications and what they need to do to get ready for it. In fact, we are seeing a 5x increase in response from our user base to any promotional emails around GDPR. The best news is that your customers and prospects in EMEA are not only paying close attention to this, they also have budget in 2017 and 2018 to comply with the necessary IT changes they need to make. That is budget your marketing and sales teams need to go after.
As a result, enterprise technology organizations, especially in technology sectors most affected by GDPR, and their marketing teams must be ready to communicate their positioning around these new regulations. Following is information from a recent sit-down with European editorial expert and Computer Weekly Editor-in-Chief Bryan Glick that will help you get a better handle on what GDPR is and what the major implications are.
[AND – as a bonus – if you want to hear more from Bryan on marketing best practices for GDPR please watch this video of him presenting at the May 2017 TechTarget London ROI Summit.]
Everything you need to know about GDPR
Let’s talk about Data Storage. Can data leave the EU?
The issue around where the data is physically located is still a controversial one. Strictly speaking, the EU says that you can only move personal data of EU citizens physically out of the EU if you’re moving it to a country that has comparable levels of protection. This used to be handled by the Safe Harbor agreement; however, Safe Harbor was ruled invalid by a legal court case in Ireland in 2016 on the basis that the US Patriot Act took precedence once the data landed in the US, thus making the data less protected for EU citizens. In late 2016, the US and the EU came up with a new agreement called Privacy Shield. Even with Privacy Shield there still remains a question about moving data out of the EU. GDPR introduces a much higher level of data protection than the current laws, so there is still a question about the degree to which you’ll be able to move data out of the EU.
What about data management? What new factors are companies looking at?
Some of the more stringent and important requirements that GDPR introduces are around data storage, particularly backup, archiving and data management. GDPR widens the definition of “what is personal data” to “personal data is any data that could be used to identify an individual”. For example, genetic data, which doesn’t carry a name, can be used to identify an individual. Anonymous healthcare records are covered, as are forms of data not yet determined. In your data management you need to be able to flag data that could be used, even when combined with other data, to identify an individual. If data can be used to identify an individual, that individual has the right, under GDPR, to ask you to delete it.
GDPR also tightens up the rules around consent. You already need consent to collect information, but under GDPR you need to be able to demonstrate that you have explained what the data is being used for and that you have controls in place so that the data will be used only for the purpose for which it was collected. In practice this means much more discipline around metadata management. You may have to store much more data about the data, recording the consent given.
The third item GDPR affects is data minimization. GDPR requires that you only keep the data for as long as you need it, and the individual has the right to be forgotten. In the past you may have gathered information about an individual and, if you didn’t connect with them further, you probably kept the data anyway; now you have to have rules in place to remove data after a period of time. The legislation makes no exception for data archived before it came into force, and it introduces the concept that a person’s individual data is loaned to you, not given to you to do with what you want. If you are doing data management, this raises a lot of questions about what you do with that loan. It is similar to a bank loan: the bank has regulations on management and tracking. This requires something similar, but with data.
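The consent and minimization paragraphs above describe controls rather than code, so here is an added example (not from the post or from Bryan Glick) of what those controls look like when enforced in a hypothetical data store: each record carries the purposes the subject consented to, reads are refused for any other purpose, records are purged once their retention window passes, and an erasure request removes the record outright. Class names, subject ids and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class PersonalRecord:
    data: dict
    purposes: frozenset      # the "data about the data": purposes the subject consented to
    collected_at: datetime
    retention: timedelta     # how long the stated purpose justifies keeping it

class ConsentBoundStore:
    def __init__(self):
        self._records = {}

    def collect(self, subject_id, data, purposes, collected_at, retention):
        self._records[subject_id] = PersonalRecord(data, frozenset(purposes), collected_at, retention)

    def read(self, subject_id, purpose):
        # Purpose limitation: release data only for a purpose the subject agreed to.
        rec = self._records[subject_id]
        if purpose not in rec.purposes:
            raise PermissionError(f"{subject_id}: no consent recorded for {purpose!r}")
        return rec.data

    def erase(self, subject_id):
        # Right to be forgotten: an erasure request removes the record outright.
        return self._records.pop(subject_id, None) is not None

    def expire(self, now):
        # Data minimization: purge every record whose retention window has elapsed.
        expired = sorted(s for s, r in self._records.items() if now >= r.collected_at + r.retention)
        for subject_id in expired:
            del self._records[subject_id]
        return expired

def demo():
    # Constructed sample: two subjects with different consent purposes and retention terms.
    store = ConsentBoundStore()
    t0 = datetime(2017, 6, 1)
    store.collect("alice", {"email": "alice@example.invalid"}, ["newsletter"], t0, timedelta(days=365))
    store.collect("bob", {"email": "bob@example.invalid"}, ["support"], t0, timedelta(days=30))
    try:
        store.read("alice", "profiling")   # profiling was never consented to, so this is refused
        blocked = False
    except PermissionError:
        blocked = True
    expired = store.expire(t0 + timedelta(days=31))   # bob's 30-day retention window has passed
    erased = store.erase("alice")                      # alice exercises the right to be forgotten
    return {"blocked": blocked, "expired": expired, "erased": erased, "remaining": sorted(store._records)}
```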
So, does this also affect HR data?
HR data will still be affected by GDPR, but you also have employment terms and conditions to consider. While you still have a responsibility as an employer to conform to data protection laws, the relationships with employees are different and are determined, ultimately, by employment contracts.
What about security? Data loss prevention, security management, etc.
There are two particular items around security. The EU introduces, for the first time, a data breach notification requirement. Some countries had this before, some did not, but it requires companies to notify users within 72 hours of discovery. Any data breach that happens must be reported. This becomes controversial for large organizations such as banks and retailers, which have had contained breaches that they declined to report and now have a legal obligation to tell people. Alongside that, GDPR massively increases the fines that can be levied on organizations for failing to comply with GDPR.
The other security aspect is that GDPR requires that security be included in development by design, from the beginning. What this means is that when you are building new processes or IT systems, you have to be able to demonstrate privacy from the start. You can’t bolt it on top; you have to build it in from the start, and this is a major consideration in software system design. In addition, you are responsible for your data supply chain. If you hire a software developer to develop something for you, it is your responsibility to commission it to include privacy by design. If you commission another organization to do something for your network in an outsourcing agreement, you are responsible for them having appropriate security protections. If you are a cloud provider, you have to be able to show that you comply with GDPR or your customers won’t be able to store data in your cloud. All three of the big cloud providers have committed to this, but some of the smaller cloud providers could be put at a competitive disadvantage if they can’t comply.