Who does it affect?
GDPR is applicable to every EU citizen and any EU-based company. Companies doing business or supplying goods or services to EU-based customers or individuals will also have to comply. The jurisdiction of GDPR extends to companies processing personal data of subjects residing in the EU, irrespective of where that company is based. It will still apply to UK companies, despite the country preparing to leave the EU, with the UK government stating that it will incorporate the GDPR rules into a new Data Protection Bill scheduled for May.
Why is it important?
GDPR is designed to give citizens more control over their data and to simplify the regulatory environment so that individuals and companies can both benefit from the digital economy. Organisations must ensure that any personal data they have gathered has been done so legally, and they must protect it from malicious use.
Jane Davy, information governance officer at NETSCC, says, “The new regulation puts the citizen at the heart of its requirements. With its overall aim of ‘Privacy by design; data protection by default’ it sets out to empower the individual to take control of their data. The legislation includes a lot of common sense data security ideas, such as minimising the collection of personal data, deleting personal data that is no longer needed, restricting access and securing data throughout its entire lifecycle. The aim is to bring the law up to date with how personal data is used today: data protection for the digital age in which ever increasing amounts of personal data are being processed.”
The right to privacy is the most significant factor for individuals. A lack of concern on the part of businesses over the issue of data can lead to a lack of trust in those businesses. There is a competitive advantage to be had from dealing with personal data in the correct manner, resulting from an enhanced customer trust and relationship.
The rules adopt a common-sense approach. A business must request explicit permission from the subject before processing any personal data. The request must use clear language, and long documents filled with legalese will be banned. Consent for data sharing must be out in the open, not hidden in terms and conditions.
Many companies are adopting a “wait and see” approach to finding out exactly which types of violations are going to be enforced so that they can prioritise the areas that need the most attention. Companies that already have extensive European operations will be ahead of the curve in this respect, as GDPR is unifying data privacy laws that already exist in Europe, so they will need to make only slight adjustments; companies outside this sphere will need to restructure the way they handle data from the ground up. Balancing the cost of proactive measures to comply against potential fines is high on the agenda.
The penalties for non-compliance will be huge. Enterprises found to be in violation of GDPR provisions can be fined up to four per cent of annual global turnover or €20 million, whichever is greater.
For some, this is a golden chance to re-evaluate how they handle data, regardless of fines. David Bonder, director, legal counsel for regulatory and privacy at BlackBerry, said at LegalWeek2018 in New York that it was a good opportunity to examine an organisation’s data practices, to see whether it can discard any data that it holds that is no longer relevant. Too many companies have been found to create and save too much data. Sometimes this can even happen unknowingly, with cloud services holding onto data even after companies have stopped using it. In-house teams will need to work out what data they truly need, investing in data remediation if necessary.
A survey conducted by Solix reveals some startling insights into the level of readiness of many companies. The research found that 65% stated that they are not confident that their GDPR data will stay within the EU, while 22% of organisations situated outside the EU are unaware that they will need to comply with the new rules because they hold data on EU citizens. At this late stage, businesses will be scrambling to go through their data practices and records, and to gain the necessary knowledge to comply. The “wait and see” approach of first ascertaining precisely which data needs to be prioritised has some logic to it: it stops businesses overspending in the late rush on measures that were not strictly necessary.
In order to gain the necessary knowledge of the regulations, and because the regulations themselves require someone to oversee compliance, companies must have a Data Protection Officer (DPO). Of those surveyed by Solix, 64% did not have a DPO. This, coupled with 82% of companies saying that they knew where sensitive data was stored but only 55% maintaining audit trails for data consent, collection and updates, is an indication of the issues facing companies.
Furthermore, 66% of the surveyed businesses were not sure whether an individual’s personal information is taken down permanently from their systems. There is still confusion over the GDPR’s “right to be forgotten”, which allows an individual to request the deletion or removal of their personal data when there has ceased to be a compelling reason for it to still exist, according to the UK’s Information Commissioner’s Office. A business that is unable to satisfactorily provide this right to be forgotten will face legal penalties, as well as eroding trust in its customer base.
Artificial Intelligence (AI) and Machine Learning (ML) run on data and will be affected by GDPR, both in the collection of the data – usually used for training the AI – and in providing accountability. First, companies will have to ensure, and be able to demonstrate, that all the data they collect from people to “feed” their AI in order to make it work effectively has been collected legally and safely, with provisions for holding it only for as long as is necessary. In areas such as healthcare systems, this safeguard is vitally important.
Article 22 of GDPR states that, “the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her” and that, “the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision”. Basically, the customer is entitled to a clear explanation of why a decision was made, which can run into difficulties with AI and its often “black box” approach. There is a big push for making AI more explainable currently, and GDPR will be a powerful force in driving that search.
AI also has the capacity to assist with GDPR compliance. There are a number of platforms now available, such as Kormoon, that are designed to help companies make sure that they are using their data legally and that they are obeying the relevant national laws for any data that they gather. These systems can be applied to GDPR to help the company fall into line with the new regulations.