The soaring amount of leaked personal information has caused an increase in fraud and extortion. To minimize the threat, a new General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. The regulation will supersede the Data Protection Directive that has been governing information security since 1995.
The GDPR ramps up the protection of private data and unifies its administration and control throughout the European Union. It will drastically affect the IT industry by exerting a strong influence on business activities and business practices. The inability or reluctance to conform to the provisions will result in penalties of potentially millions of euro and the loss of goodwill.
While a growing number of companies are searching for an answer to the question — “How will the GDPR impact business?” — more than 80% of businesses still have a rather vague or non-existent notion of the regulation. In this article, we will investigate what changes the new regulation is going to bring about, and will advise on how IT companies can get ready.
Business Practice-Related Changes
The European Data Protection Regulation will fundamentally change the manner in which organizations establish their business processes, as it toughens the requirements and the responsibility for the improper management of personal information. Once the regulation comes into effect, it will affect the following types of companies:
- Organizations that collect and process the private information of EU nationals: data collectors and processors, whether they are EU or non-EU residents
- Companies that are based in and conduct business in the EU
After May 25, 2018, companies will not be able to use private information without a well-defined consent of a person to whom the information relates. As specified by the European Commission, the definition of personal data includes any materials that concern information about a specific individual’s personal and public life or professional activities, including:
- Home address and computer IP address
- Bank details
- Health information
- Posts on social networks
While the Data Protection Directive allowed a single consent to be applied to all business aspects, the new GDPR requires separate permissions for each particular business area, for instance marketing, support, sales and accounting. Also, organizations should process personal information only when it is genuinely required.
The regulation prescribes that companies obtain consent in an explicit form, so pre-ticked boxes attached to some conditions, or no response at all, do not count as authorization. Instead, individuals must sign legal contracts that describe how, when and where companies will use their personal information. At the same time, individuals are free to withdraw their consent, which obliges organizations to erase any private information related to them.
The Provision of Data Security by Design and by Default
The conditions of the GDPR that affect company workflow extend well beyond obtaining an approval for information use. The GDPR will radically alter the manner in which businesses organize their in-house procedures.
Companies usually add security arrangements subsequent to the development stage. Conversely, the GDPR stipulates that organizations should build the processes that govern information safety into every step of the service or product creation and provide utmost security throughout the development. That is why companies should consider security and privacy precautions as early as the design stage and make this approach part of the development philosophy. Consequently, all of the company’s business departments become involved in providing safety and privacy.
To observe the requirement of information protection by design, this EU Data Privacy Regulation recommends opting for pseudonymisation. Pseudonymisation reduces the risks related to the improper use of private materials by separating identifying information from other materials and documents; encryption is a good and efficient example of this practice. A point to keep in mind is that pseudonymised information remains personal data, which is why the GDPR still covers its protection and requires adequate handling.
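The following is an added example, not code from the article, showing the separation the paragraph above describes: direct identifiers are moved into a separate identity store, the processing copy keeps only a keyed pseudonym, and the earlier point about consent withdrawal is honoured by erasing both the mapping and the pseudonymised records. The record, field names and key are constructed assumptions; the identity store stands in for a separately secured (encrypted, access-restricted) database.

```python
import hashlib
import hmac
from typing import Optional

# Fields the article lists as personal data; the rest of a record is kept for processing.
DIRECT_IDENTIFIERS = ("name", "email", "ip_address")

# Constructed sample customer record; not taken from the article.
SAMPLE_RECORD = {
    "name": "Alice Example",
    "email": "alice@example.org",
    "ip_address": "203.0.113.7",
    "orders": 3,
    "plan": "premium",
}

def subject_token(key: bytes, email: str) -> str:
    """Derive a stable pseudonym from the e-mail with a keyed HMAC; without the
    key the token can neither be reversed nor reproduced."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]

def pseudonymise(record: dict, key: bytes, identity_store: dict) -> dict:
    """Split a record: identifiers go to the separately protected identity store
    (encrypt it at rest, restrict access), the processing copy keeps only the
    pseudonym plus the non-identifying fields."""
    token = subject_token(key, record["email"])
    identity_store[token] = {k: record[k] for k in DIRECT_IDENTIFIERS}
    processing_copy = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    processing_copy["subject"] = token
    return processing_copy

def re_identify(processing_copy: dict, identity_store: dict) -> Optional[dict]:
    """Re-link a pseudonymised record. This stays possible while the mapping
    exists, which is why the GDPR still treats pseudonymised data as personal."""
    identity = identity_store.get(processing_copy["subject"])
    if identity is None:
        return None
    return {**identity, **{k: v for k, v in processing_copy.items() if k != "subject"}}

def erase_subject(email: str, key: bytes, identity_store: dict, processing_records: list) -> int:
    """Honour a withdrawn consent: drop the identity mapping and every processing
    record carrying the pseudonym. Returns the number of items removed."""
    token = subject_token(key, email)
    removed = 1 if identity_store.pop(token, None) is not None else 0
    kept = [r for r in processing_records if r["subject"] != token]
    removed += len(processing_records) - len(kept)
    processing_records[:] = kept
    return removed
```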
To keep a company compliant, procedures that provide the security of private information require constant auditing and revision.
The Creation of a Data Protection Team
Whether it will be a fully functional team or just a single data protection officer, a new role should emerge within an organization. These professionals will prepare companies for the GDPR-related changes to ensure their compliance with the GDPR requirements. Based on their knowledge of relevant law and best practices, these experts provide robust privacy protection measures.
Quite often, small and medium enterprises cannot afford to hire an officer. In these cases, companies can opt for outsourced services. However, there is currently a shortage of dedicated experts, which calls for an urgent, intensive educational program.
Besides significant changes in the workflow that the new regulation will trigger, the EU data protection regulation will also entail drastic technology-related developments.
Data Portability Enablement
The new regulation does not limit the rights of individuals to merely granting permission for the collection and processing of their personal information. Under the GDPR 2018, data subjects will be free to withdraw their materials and transfer them to another vendor. This is of particular importance for social networks and cloud service providers.
Companies that collect and process private information must be ready to deliver an electronic copy of this information to data subjects upon request. That is why they should make specific arrangements to be able to create portable copies of the information they keep. Along with this information, organizations should provide supporting materials that describe the data that they store and the reasons for it.
Usually, the provision of information portability is a challenge for small companies. While large enterprises typically have a formalized information storage procedure, small ones keep customer materials in silos, which significantly complicates compiling them. To address this, businesses can opt for outsourced information storage service providers that also become data processors under the GDPR and are subject to the same rules.
The Creation of a Data Breach Notification System
Under the new legislation, companies should notify their supervisory authorities about data breaches within 72 hours of becoming aware of an incident. Also, they must inform customers in case their personal data has been affected. These requirements entail the development of a robust notification system, regardless of whether a company is small or large.
However, businesses do not have to notify their customers about the breaches if they apply protection measures — such as encryption — that prevent unauthorized persons from accessing this information.
The Recording of Data Manipulation Activities
Organizations should not only keep data safe, but also record activities related to the processing of private information. Organizations must deliver reports to supervising authorities at their request.
The Adoption of an Information Security Solution
Although the GDPR does not require businesses to introduce a solution that provides data safety, it is a measure that companies will inevitably adopt soon, as data breaches become more frequent. This is why we recommend formulating a plan now.
The information security solution should provide an advanced access management capability to strictly limit the access to customer information. Companies should assign access rights carefully and review them regularly. Businesses should also place a special focus on the protection of their perimeters to monitor and filter the incoming and outbound traffic and minimize the risk of data breaches.
Also, the increasing use of mobile devices and various electronic means of communication requires software to be capable of mitigating threats that may come from these sources.
The GDPR overview shows that the changes in companies’ business processes and in related technical aspects will entail expenses to cover new needs. Hiring an in-house or outsourced data protection officer, as well as adjusting the IT landscape to the requirements of the new regulation, requires considerable investment. Compliance with the provisions that relate to obtaining consent, data conversion and transfer will also result in significant expenditures.
Statistics show that 61% of respondent companies have not yet made plans to implement changes for GDPR compliance. At the same time, more than 80% of these companies expect that their regulation-related costs will exceed $100,000, and 17% of them are ready to incur this amount.
Naturally, the volume of costs required to carry out a GDPR compliance plan depends on the company’s size. The bigger the company, the larger the expenses for adjusting to the requirements. Only one in ten businesses that employ 500 to 1,000 employees are ready to spend $1,000,000. The same is true for one in four businesses with more than 5,000 employees.
Further Adjustments Are Indispensable
The General Data Protection Regulation 2018 will definitely improve the handling of personal information and minimize the consequences of data breach incidents. Although it will become effective within less than six months, the new regulation is already causing controversy. On top of all the benefits that it will deliver, the project has significant deficiencies, gaps and other issues.
Indeed, the GDPR shows a special consideration for customer information security, while it does not provide the same for employee information. Also, its provisions clash with non-EU legislation on information security, which will trigger disputes and complicate business operations significantly for non-resident companies.
Moreover, the European Commission has not yet brought the new regulation into conformity with the European international trade policy, which complicates business for EU residents. The shortage of data privacy professionals exacerbates the regulation’s introduction further.
That is why one can expect that further amendments to harmonize and clarify the legislation, as well as the intensive training of subject-matter experts, are only a matter of time. These measures will allow companies to make the most of the GDPR by efficiently incorporating data privacy provisions into their business operations.
If you require expert advice on how to provide data security and privacy in the process of software development, please contact us.