The deadline for compliance with the European Union General Data Protection Regulation (GDPR) is May 25, 2018. Many organizations have spent countless hours already in their preparation for the deadline, while other organizations are just getting around to reading up on it.
GDPR, like Y2K of a couple decades ago, has international implications that for some organizations HAS to be addressed as GDPR will impact the lifeblood of their operations, whereas for most organizations, some due diligence needs to be done to ensure they are within the compliance of the regulation.
GDPR is today’s Y2K
I reference Y2K because I was one of the advisors to the United States White House on Y2K and spent the latter part of the decade before the millennium switchover traveling around the globe helping organizations prepare for 1/1/2000. Today with GDPR, as I did then with Y2K, believe there are fundamental things every organization needs to do to be prepared for the deadline, but to NOT get caught up in the hype and over speculation to the Nth degree detail that’ll drive you crazy.
What is GDPR?
To help those catch up on what GDPR is, the regulation technically went into effect in 2016 and the deadline for compliance is May 25, 2018. The thing that scares people is that fines for non-compliance are up to 20-million Euros or 4% of the company’s prior year worldwide revenue, which is an alarming number that gets everyone’s attention.
While there are many tenants to GDPR, I net it down to three major things:
Prevention of “Tracking” Individuals: This is the big thing in GDPR that goes after the big Internet companies (Google, Facebook, Amazon) that gather personal information on individuals, track the Websites they visit through cookies, and actively advertise to individuals through that tracked information. GDPR directly addresses the practice and process of gathering information on what individuals buy, sites they visit, and content they’ve searched for by not only requiring consent but also have clear stated purpose WHAT that information will be used for.
Prevention of Retaining Personally Identifiable Information (PII): This tenant is not so new and has been a big piece of legislation around the world to protect individual’s privacy. GDPR, like other global regulations on PII, sets limits on what personal information can be gathered (name, date of birth, address, etc), how that personal information needs to be stored and protected, and what needs to be done in the case of breach.
Cross-Border Transfer of Information: GDPR stipulates that EU residents (citizens and even individuals that are temporarily working and living in the EU) information should remain in the EU –or– if the information leaves the EU that the target destination for the storage of the information meets specific European Commission approvals
Of the three major tenants I note for GDPR, the second and third are things that we’ve been addressing for some time now with the predecessor to GDPR (the DPD 95/46/ec) and the various Privacy/PII laws that are already in effect. So the big thing in GDPR is around the collection, storage, and tracking mechanisms commonly used by Internet organizations for web-based shoppers and social media participants. THOSE are the organizations that have been working very hard the past couple years already devising ways to inform, get consent, and handle tracking in a manner that fits within the requirements of GDPR.
Tenants of GDPR
There are other tenants of GDPR that organizations need to address and are commonly discussed in conversations about GDPR. They include:
Data Protection Officer and Vendor Management: GDPR stipulates that organizations impacted by GDPR need to have a Data Protection Offices identified and have a process for vendor management as it relates to GDPR. This individual will have the role of overseeing the compliance with GDPR internally and with vendor/suppliers.
Codes of Conduct: GDPR requires organizations to have stated codes of conduct how data will be extracted, used, timeframe for use, how the organization will protect the privacy and rights of the individuals the data was extracted from, and provide users the right to request that “their data” be purged.
Data Profiling / Data Consent: As noted previously, GDPR has tight rules as it relates to using data to profile individuals that can be directly associated back to a named individual. Use of identifiable information (like Cookies) requires explicit consent.
Cross-Border Transfers: Also as previously noted, GDPR has tight rules on EU data remaining in the EU –or– that the target destination of EU data complies by the same standards expected of information stored in the EU
Data Portability: GDPR has a data portability tenant that allows users to request their information to be allowed to be “moved” to another provider. Just like phone number portability in the United States that allows an individual to keep their phone number as they switch from one phone carrier to another, GDPR data portability gives users the right to request their emails, photos, documents, and the like to be transferrable.
Pseudonymizing of Personal Data: Fancy word, but effectively the randomizing of data so that it cannot be attributed back to any particular individual, effectively making the data anonymous. However, GDPR does stipulate that just because the data is randomized doesn’t allow an organization to just collect and use the information as they please. GDPR has stipulations that require an organization to justify why they are collecting the information, what they plan to do with the data, and with clear definitions how the data will be eliminated when those stated purposes are no longer valid or applicable
Data Breach Notifications: GDPR tightens the timeframe that cybersecurity breach notification is made, with requirements for notification in as little as 72-hours from an organization being made aware of the breach. There are some variations to this notification where individuals need to be notified if information that can be attributed back to them (personally) has been breached, however if information has been pseudonymizied, that only the European Commission needs to be informed.
GDPR for enterprises (not web/social media providers)
With much of the heft of GDPR focused on Web/Social Media Providers (Facebook, Google, Amazon, etc), the common question for Enterprises (corporations, small businesses, companies headquartered in/out of the EU) is what does a typical business need to think about relative to GDPR?
First of all GDPR is not a bigger thing nor a smaller thing based on the size of the enterprise. The requirements of GDPR are the same no matter the size, where the organization is headquartered, or the type of industry the organization is in. GDPR also applies to every organization that does business with companies in the EU, has employees that are citizens of the EU, or even has employees that are foreign citizens but are residing and working in the EU. So the umbrella on who has to comply with GDPR is pretty broad.
A common question is whether an email system hosted in the United States can fit within GDPR requirements. For organizations that have migrated to services hosted by Microsoft (like Office 365) or Google (G-Suite), both Microsoft and Google have officially stated their cloud services WILL be GDPR compliant before the May 18, 2018, deadline. The way these services will be compliant is because the European Commissions has already approved and adopted the EU-US Privacy Shield.
While GDPR does not specifically refer to the EU-US Privacy Shield, it does explicitly acknowledge the current requirements for Binding Corporate Rules (BCR) for processors and controllers. BCR confirmation is acquired by having auditors validate and certify compliance for organizations in their movement of data globally. The EU-US Privacy Shield fits within this certified Binding Corporate Rules deemed acceptable for GDPR as it allows the European Commission to conduct periodic reviews to assure that an adequate level of data protection exists in the transferring of data cross-border. What remains for these cloud providers is a formal “sign-off” that they do indeed meet the provisions of GDPR which are anticipated to be approved without resistance.
Note: For the topic of cross-border transfers, one might hear that the most common cross-border certification, “Safe Harbor,” has been invalidated for GDPR, that is true. On October 6, 2015, the European Court of Justice invalidated the US-EU Safe Harbor Framework. However, Binding Corporate Rules (BCRs) do remain valid.
Additionally, organizations can rely on Standard Contractual Clauses (SCCs) that are approved by the European Commission. SCCs are agreements between the EU exporter (ie: EU subsidiary) and the data importer (ie: US parent company or service provider) on the handling of cross-border transfers. Large enterprises are seeking certification under SCC approvals so that they can move corporate data between corporate offices and datacenters around the world.
The SCC validations are not easy to acquire as they require an audit of the data management, security, handling, and processing of information throughout an enterprise. However once an enterprise has an SCC, they can more freely move information throughout their organization.
Handling GDPR for internal documents and content
A common question by enterprises is whether email messages and business documents fall under the requirements of GDPR. The answer is generally no, a business document is a business document for the purpose of conducting the business of the organization. Of course if the document includes the names of employees, their home addresses, their mobile phone numbers, and other personally identifiable information, then the document falls under GDPR as well as other existing laws and regulations on information privacy.
However a business contract, marketing materials, client documents, architectural drawings, and the like exchanged during the normal course of business are not “personal documents” embedded with “personal data” for non-legitimate business uses.
The KEY to handling internal documents and content to ensure the documents do not contain content subject to GDPR or other PII restricted regulations is to use content classification. Technologies built in to Microsoft’s Office 365 have the ability to scan content (emails, documents, memos) and auto-classify the content as having content that appears to include PII (birth dates, social security numbers, etc).
By auto-classifying the content, policy rules can be applied to the content that allows the creator of the content to choose who can access the information. By giving control to the originator of the content, that satisfies the requirements of GDPR by giving the content owner the free and direct control of the content, and to whom the content can be shared with.
Can employers force employees to give consent of their PII?
The short answer is NO, GDPR is very clear that consent is not valid unless it is “freely given, specific, informed, and unambiguous.” That means an employee cannot be reprimanded nor discriminated against for choosing to not consent to blanket policies. This is why content classification becomes so important, it enables an organization to require users to provide consent, classify, or reclassify content as they deem appropriate on a case by case basis.
Collecting and handling employee and customer information under GDPR
GDPR is clear that an organization needs to provide users, visitors, and employees detailed information on what data is collected and how it will be used. Obviously this first makes the assumption that personal information about an individual is being collected in the first place.
While some simple common business applications like the Web Browser that an employee uses likely by default has cookies enabled and is storing and tracking the Web access of the user of the Web Browser, a simple enterprise fix it to set all Web Browsers to Private or “Incognito” mode. This will prevent cookie tracking and storage of data protected by GDPR. A user can be allowed to turn off the Private mode if they choose, that will be their decision and their personal consent to having content potentially tracked.
In the normal (historical) course of doing business, organizations do collect personal information on employees necessary for the transaction of a normal employer/employee relationship. Things like home addresses (to mail legal notices, end of year tax statements), and bank information (to process payroll and employee benefits) are commonly collected by employers. This information is necessary for an employee to get paid and receive benefits, and as long as the organization only uses the personal information of an employee for the stated purposes of payroll and direct benefits, then the organization is well within the bounds of complying with GDPR. At that point, then the organization needs to adequately store and transfer that information in a secured manner to prevent the breech of PII, which organizations can do so with content classification and document encryption technologies readily available in the marketplace.
Where there is a grey line on GDPR compliance of employee data is when employee information is used to process say for example an employee’s travel arrangements (booking flights, rental cars, etc). While the processing of these arrangements are in the normal course of business, not all businesses nor all employees within a business travel and have these services provided for them. As such, it is prudent that an organization clearly notify its employees and get clear consent from the employee that the organization will use personal employee information to make travel arrangements.
The two key provisions to accommodate variances of this type is to allow an employee to reject the organization’s involvement in making travel arrangements (ie: giving the employee the GDPR given right to object) AND for the organization to allow the employee an alternative for travel arrangements (that might include allowing the employee to book their own travel with a clear reimbursement policy). Many organizations already provide these options, but for some organizations that have a very strict travel office process, there may be changes needed to fully comply with consent provisions of GDPR.
The result from this type of scenario where an employee objects to a process that is deeply grounded in an organization’s transactions that might not be flexible is for the organization to potentially put themselves in default of a provision of GDPR. As with the compliance of all laws, organizations have provisions for Risk Management. If it is cheaper/better for an organization to fight a violation or failure in accommodation than it is to change a deep rooted process, then the organization may just stay their course. Since this fits a grey area in GDPR where GDPR does not explicitly state that an organization cannot use personal employee data to make travel arrangements, it would be up to the European Commission to bring suit against the enterprise.
The key for the organization is to ensure that their actions remain consistent for the legitimate interest and efficiency of the business, and that the organization isn’t using the personal information to sell to some organizational that’ll then profit by marketing or advertising to the employees. Before financial damages will be assessed on an organization, someone will have to identify that the organization worked in malice and with disregard for employee privacy by making centralized travel arrangements for employees.
GDPR is targeting the blatant breech of privacy for financial gains by organizations using technologies like cookies, data extraction, user tracking, and the like for the purpose of marketing or selling services for financial gain of user data. GDPR seeks to protect and prevent the breech of personally identifiable information by preventing organizations from collecting the information in the first place, and then making sure to protect the information (and actively delete the information) when the stated purpose has expired to minimize future exposure to data loss.
Through the awareness of what GDPR is, what falls under the general protection of GDPR, and the use of modern technologies like auto-content classification, labeling, and content management, organizations can create stronger security controls, minimize and prevent the breech of information, and ensure the proper management of protected data through the use of technological solutions available.