Ronny's Blog

I am responsible for Harvey Nash operations in Belgium

25 May 2018: doomsday on its way?

There's no denying it: it's coming, and you'd better be ready: GDPR.

Everywhere you look, on the internet, in magazines and in newspapers, we are confronted with this new abbreviation. Is it a synonym for doomsday, or what exactly is it? Should we really all be writing numerous articles about it? What's the fuss about, and aren't we exaggerating? Let me first explain to you what GDPR means and what it will bring us.

GDPR stands for General Data Protection Regulation, and it is the result of years and years of work by the EU to bring us new data protection legislation. Of course, something was to be expected, with major players like Google, Facebook and others being mentioned in the news more and more often in connection with the protection of user data. The current data protection legislation (DPA) was implemented before the internet surfaced in the modern world of today, years before social media, cloud technology and big data found new ways to exploit personal data. Therefore, it was necessary for the EU to come up with new and improved legislation, to deal with those issues and to ensure better handling of data as a whole.

GDPR will introduce tough fines for non-compliance and breaches, going up to 20 million euro or 4% of your total yearly revenue of last year. This can drive some companies into bankruptcy if they are not well prepared.

The goal is to have companies handle the data privacy of EU citizens more carefully, and to enforce reporting obligations for data breaches. EU citizens will also be entitled to greater control over their data and to the choice of with whom they, or others, share it.

There has always been data protection legislation; it has just become a bit more complicated. Let's look at the changes.
- Rapid response and action is needed in case of a data breach. It's your responsibility to inform your data protection authority within 72 hours after you discover the leak. And even before you inform the data protection authority, you must inform the people affected by the data leak. If you fail to meet the 72-hour deadline, you face a penalty of 4% of your annual worldwide revenue or 20 million euro, whichever is higher.
- You need a documented procedure for discovering potential data leaks and for investigating and reporting them. When the breach concerns personal data, the affected users will need to be informed.
- Consent. We can no longer assume that someone has given consent for the collection of their data (as is the case now under the DPA), the so-called passive consent. The EU citizen must actively give consent, for example by clicking YES/NO in a popup message or by ticking an "I agree" box.
- Consent for the personal data of minors (younger than 16 years of age) must be given by the parents.
- A data privacy policy is needed in your company, including a data register that records which user data is kept, why, for how long, etc.
- If you work with suppliers or external services and solutions, they also need to be GDPR compliant.
- Your company may have to appoint a dedicated DPO (Data Protection Officer) if the scale and scope of your data processing operations fall within Article 37 (processing is carried out by a public authority; the core activities of the controller or processor consist of operations which require regular and systematic monitoring of data subjects on a large scale; or the processing consists of large-scale processing of sensitive data or of data relating to criminal offences or convictions).
- You must make your employees aware of the GDPR and the upcoming changes, by building a GDPR-aware culture.

GDPR will also bring some increased rights to EU citizens:
- Right to be informed: of which data is collected and why.
- Right to rectification: correction of inaccurate data, or completion of incomplete data.
- Right of access to data: the right to obtain a copy of their personal data from the data controller, together with certain types of information.
- Right to be forgotten: the right to have their data erased.
- Right to data portability: users can choose to transfer their data to another controller (for example, from Facebook to Google+). This must be done free of charge, and companies will have to act within 1 month.
- Right to object to data processing.
- Right to restrict processing: to choose which specific data is processed, and which data is not allowed to be processed.
- Rights in relation to automated decision making and profiling.

Many companies offer so-called GDPR preparation kits on the internet. Some are free, others come with an expensive price tag. But do you really need them?

You simply have to make sure you understand your own data processing. Try to document the data flows within your organization by asking yourself the following questions:
- What type of data is collected?
- Who is using this data?
- Where is the data being stored?
- Where is the data being sent to?
- How is the data collected?
- Why is the data collected? What do you need it for?
- How long will the data be kept?
- Will it be deleted? When?

By answering these questions, you will start to understand how data moves within your company, and you can start to classify your data correctly. This will help you keep track of the data and enable you to notify the relevant authority in case of a data breach.

GDPR applies to both "controllers" and "processors" of data. A controller determines why and how personal data is processed. The processor does the actual processing of the data. Any organization can be a controller (companies, governmental bodies or even charities). Processors can be, for example, IT companies. It's the controller's responsibility to make sure that the processor complies with the data legislation. Processors, in turn, must make sure that all their activities in processing or maintaining data are in line with the new GDPR law.

Even if these processors and controllers are not based inside the EU, the GDPR still applies to them as long as they deal with the user data of EU citizens.

If you're still wondering what counts as personal data under the new GDPR: all information that can identify an individual, from IP addresses, pictures and contact details to cultural, economic and mental health data, is considered personally identifiable information. Plus, everything that counted as personal data under the current Data Protection Act also qualifies as personal data under the GDPR.

Is GDPR just a burden, or will it bring new and exciting things as well? Although we are being forced to comply, GDPR can also be a source of innovation in services or products. Maybe you will develop something that makes our lives easier when it comes to data privacy, or you will come up with new ways of dealing with information and data.

Maybe it's a new way for governmental bodies to profile themselves as the best possible gateway to information; why else would they impose such high fines? What if they just want us to say: ok, we can't do it, we'll send you the data and it's up to you to keep it and process it. Big brother is already here, but maybe they want to control everything we know. I don't see this happening right away, but who knows, maybe in a couple of years from now.

As you can see, a lot is about to change. Just make sure you are ready for it. And with my article, I think I have already put your nose in the right direction. So, it's best to be prepared: expect the best, but prepare for the worst.