PAUSE II

What the GDPR means for you in 2019

The GDPR may only have been in effect for a few months, but member states have been far from sluggish. Regulators have steadily grown their headcount and expertise. As one example, the Irish Data Protection Commission (DPC) has grown from fewer than 30 employees in 2014 to 130 staff in 2018, with further expansion of staff and expertise planned for 2019.

This is especially noteworthy because many of the world’s biggest tech companies have their EU headquarters in Ireland, which makes the DPC their lead supervisory authority under the GDPR’s one-stop-shop mechanism. Cross-border complaints against companies such as Facebook, Twitter, Microsoft, LinkedIn, and Google therefore land on the DPC’s desk.

Worlds will collide in 2019.

In fact, they already have! The first infringement complaints arrived on the very day the GDPR came into force, when the nonprofit organization noyb.eu filed four “forced consent” complaints against Facebook, Instagram, WhatsApp, and Google.

Failing to meet critical provisions of the GDPR

Worryingly, too, in a survey conducted by AIIM after the GDPR deadline, only 36% of respondents reported having a dedicated privacy function, and only three-quarters had appointed a data protection officer (DPO). Some companies didn’t even know whether they were required to appoint one.

More alarmingly, 20%-30% had little or no confidence that they could meet core compliance requirements, respond to new rights afforded to customers, or control personal information in their content systems.

2018 was the year of GDPR implementation, 2019 is the year of enforcement

This lack of preparation could cost some companies dearly. In 2019, you underestimate the GDPR at your peril! Indeed, even as the new European Data Protection Board sets up shop, one hospital in Portugal has already had three sanctions imposed on it totaling €400,000, largely for access-control failures (far more accounts with doctor-level access to patient records than the hospital had doctors), while a German social network was fined €20,000 after a hack exposed over 800,000 email addresses along with over 1.5 million usernames and passwords. Note what that second fine was actually for: not for being breached, but for storing those passwords in plaintext, in breach of the security obligations of Article 32.

Even though we haven’t yet seen the colossal fines the GDPR threatens (4% of annual global turnover or €20 million, whichever is higher), laws are only as strong as their enforcement, and GDPR regulators are circling. Officials will continue to scrutinize the implementation measures companies have taken, and their methods of scrutiny will only improve.

The regulators are closing in

Privacy policies may have been updated, tools created to give users more control, and more ways adopted to request that data be deleted, but the GDPR is only now revving up for action. Hence the large number of (sometimes annoying) geographically targeted consent pop-ups that appear on websites visited from EU IP addresses. Don’t forget: under Article 3, the GDPR applies to any organization, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour, which includes any site or mobile application collecting data from EU residents.

Not everyone chose to comply: according to UK-based research, over 1,000 US news websites were blocking visitors from Europe shortly after the GDPR took effect.

“Privacy by design” and “privacy by default”

The most critical GDPR topics in 2019

A goal of the GDPR in 2019 is to push companies (forcefully or otherwise) to implement “privacy by design.” Article 25 makes data protection an integral part of technological and IT development, and of how a product or service is delivered. The GDPR is not prescriptive about how you implement this, but for many organizations a privacy-by-design approach requires a significant culture change.

  • Privacy by Design requires that every action a company undertakes involving the processing of personal data be done with data protection and privacy in mind. This includes internal projects, product development, software development, and IT systems. In practice, the IT department, or any department that processes personal data, must ensure that privacy is built into a system across the whole life cycle of the system or process.
  • Privacy by Default means that once a product or service has been released to the public, the strictest privacy settings apply by default, without any manual input from the end user. Any personal data the user provides to enable a product’s optimal use may only be kept for as long as is necessary to provide the product or service. If more data is collected, or kept for longer, than the service requires, “privacy by default” has been breached.

Process management and process mining will drive compliance


Processes are the backbone of GDPR compliance in 2019. After all, implementation is all about documenting and developing processes, obtaining opt-in consent, and reporting data breaches. Plus, provisions such as the right of individuals to access the personal data held about them and information about how it is processed (Article 15, the subject access request) require… processes.

As such, there is massive scope for process management systems to implement the GDPR in 2019 by identifying existing processes and developing new ones for compliance. Under the ‘right to be forgotten’ (Article 17, the right to erasure), finding and deleting personal data is a process problem, not a data problem. Companies need to know how information flows through the entire enterprise before they can find and remove every copy of a person’s data.

The importance of understanding processes

Understanding processes is necessary for compliance. Companies that have addressed their processes, rather than limiting themselves to protecting their database from breaches, will be in a more defensible position. In other words, if an organization has made a ‘sufficient’, documented effort to locate every instance of an individual’s data, then even if that effort was not 100% successful, the intent can be recognized.

  1. Top GDPR hint for 2019: Automated processes are particularly crucial for GDPR compliance. According to the same AIIM survey, only 40% of companies can automatically delete personal information when required to do so. Under Article 33 of the GDPR, a personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it (unless it is unlikely to result in a risk to individuals), and a later notification must give the reasons for the delay. To meet that deadline, organizations need to be proficient not only in tracking their data but also in automating their response.
  2. Top GDPR hint for 2019: This is a complex regulation! Process mining allows the discovery of processes, so that each time personal information surfaces, the organization can be aware of its existence. However, discovery alone does not show which processes use the data with or without anonymization, or where the anonymization applied does not meet the new rules.
  3. Top GDPR hint for 2019: GDPR BOUNTY HUNTERS! Hackers will target big firms and their cyber-insurance policies. When cyber criminals take on a targeted organization, they will fully understand the GDPR, including its implications and fines. The “bounty hunter” provides a copy of the stolen data to prove the breach and names a fee, which can be anything below the maximum the regulators could impose. Treat this for what it is: extortion. Paying does not undo the breach, and it does not remove the Article 33 duty to notify the supervisory authority, so the response process must be the same as for any other breach.
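The erasure passage above, and hint 1 on automated deletion, both come down to the same thing: an inventory of every place a person’s data lives, an erasure pass that does not stop at the first failing store, and a record of what was attempted so the ‘sufficient effort’ is documented. The following script is an added example written for this post; it is not code from the original article or from Signavio. The stores (a CRM table, support tickets, a cold backup, an unreachable analytics warehouse), the subject identifier `u-1001` and the records in them are constructed here so it runs offline.

```python
"""
Inventory-driven erasure of one data subject's personal data.

Added example, not code from the original post or from Signavio. The
stores, the subject identifier and the records are constructed so the
script runs offline; the point is the shape of the process: a registry
of every place the data lives, an erasure pass that keeps going past a
failing store, and an audit record of what was attempted.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Constructed sample stores. A real deployment registers an adapter for
# each database, file share, SaaS export, backup, etc.
CRM: Dict[str, dict] = {
    "u-1001": {"email": "ana@example.org", "name": "Ana"},
    "u-1002": {"email": "bo@example.org", "name": "Bo"},
}
SUPPORT_TICKETS: List[dict] = [
    {"id": 1, "subject_id": "u-1001", "body": "Cannot log in"},
    {"id": 2, "subject_id": "u-1002", "body": "Invoice question"},
    {"id": 3, "subject_id": "u-1001", "body": "Still cannot log in"},
]
# Immutable cold backups cannot be edited in place; the process records
# that and schedules expiry instead of silently skipping the store.
COLD_BACKUP_RETENTION_DAYS = 30


@dataclass
class StoreResult:
    store: str
    action: str      # "deleted", "pseudonymised", "scheduled" or "failed"
    count: int = 0
    detail: str = ""


@dataclass
class ErasureRecord:
    """The audit trail: what was tried, where, and with what outcome."""
    subject_id: str
    started_at: str
    results: List[StoreResult] = field(default_factory=list)

    @property
    def complete(self) -> bool:
        return all(r.action != "failed" for r in self.results)


def erase_from_crm(subject_id: str) -> StoreResult:
    removed = CRM.pop(subject_id, None)
    return StoreResult("crm", "deleted", 1 if removed else 0)


def pseudonymise_tickets(subject_id: str) -> StoreResult:
    # Tickets are retained for accounting, so the link to the person is
    # cut rather than the rows destroyed. Article 17(3) permits retention
    # where another legal obligation requires it; confirm that basis first.
    n = 0
    for t in SUPPORT_TICKETS:
        if t["subject_id"] == subject_id:
            t["subject_id"] = "erased"
            n += 1
    return StoreResult("support_tickets", "pseudonymised", n)


def schedule_backup_expiry(subject_id: str) -> StoreResult:
    return StoreResult("cold_backup", "scheduled", 0,
                       f"expires in {COLD_BACKUP_RETENTION_DAYS} days")


def failing_store(subject_id: str) -> StoreResult:
    # Hypothetical warehouse adapter that is down; shows the failure path.
    raise ConnectionError("analytics warehouse unreachable")


# The inventory is the process artefact: if a store is not listed here,
# nobody erases from it. Keeping it in code or config makes it reviewable.
INVENTORY: Dict[str, Callable[[str], StoreResult]] = {
    "crm": erase_from_crm,
    "support_tickets": pseudonymise_tickets,
    "cold_backup": schedule_backup_expiry,
    "analytics": failing_store,
}


def erase_subject(subject_id: str) -> ErasureRecord:
    record = ErasureRecord(subject_id, datetime.now(timezone.utc).isoformat())
    for name, handler in INVENTORY.items():
        try:
            record.results.append(handler(subject_id))
        except Exception as exc:  # one failure must not hide the other stores
            record.results.append(StoreResult(name, "failed", 0, str(exc)))
    return record


if __name__ == "__main__":
    rec = erase_subject("u-1001")
    for r in rec.results:
        print(f"{r.store:16} {r.action:13} {r.count:3} {r.detail}")
    print("complete:", rec.complete)
```

Running it erases `u-1001` from the CRM, cuts the link on two tickets, schedules the backup expiry and records the analytics failure, so `complete` is `False` and the record shows exactly which store still needs follow-up. That record, not the deletion itself, is what you would show a regulator.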

The global reach of the GDPR in 2019

The global impact of the GDPR is obvious. Since it took effect, at least 10 countries outside the EU, including Australia, Argentina, and Brazil, have moved to adopt similar rules. For advanced economies, updating domestic legislation will be relatively straightforward; in some cases, countries are copying the GDPR almost word for word.

But spare a thought for the emerging economies! They must balance access to the EU’s market of 500 million consumers against the economic pressure to encourage domestic innovation. Developing economies such as Uruguay and India have managed to devise comprehensive regulatory frameworks that meet the EU’s requirements while remaining sensitive to their own economic and cultural trajectories.

SPOILER ALERT: GDPR applies regardless of Brexit and CASS. Read our post: Brexit and the GDPR.

STOP □


But let’s set one thing straight: the future of the GDPR isn’t about penalizing organizations, it’s about protecting the consumer. It is about having the technology and expertise to make trust and transparency the bedrock on which you build your organization.

To understand what the GDPR means for you in 2019, and into the next decade, you need to remodel the GDPR in your interest: Getting Data Protection Right. After all, you shouldn’t fear what you already know!

… Now please, rewind after reading.

EJECT ⌂

G.D.P.R: Getting Data Protection Right

To learn more about the GDPR, read our popular blog series and industry-leading resources. With Signavio at your side, you have everything you need to thrive under the GDPR and far beyond 2019. Sign up today for a free 30-day Signavio trial.

Published on: February 7th 2019 - Last modified: June 25th, 2019