The Internet of Things enables Big Data to suck at our daily lives. Every day brings another story of another data breach, of a hack, a personal information gone missing, of ransomware, of negligent data handling. Countering that, the evolution of blockchain and the anonymity of cryptocurrencies show that the populace does not want to be tracked and does want to keep personal data safe.
Whether it’s securities commissions overseeing the issuance and trading of crypto coins, or Canada’s Anti-Spam Legislation (CASL) governing electronic communications, governments have many tools in the toolbox to regulate data. The European Union is taking a different approach and swinging a much bigger hammer.
The European Union is using GDPR to push back at Big Data’s constant assault on individual privacy rights. General Data Protection Regulation (GDPR) imposes a positive duty on businesses to protect the personal data of EU citizens for transactions that occur within EU member states and it limits the exportation of personal data outside the EU. It affects any business doing business anywhere in the EU, regardless of where the business is located globally, with one standard of compliance enforceable across the EU. The rules are pro-consumer with astonishingly high penalties for non-compliance.
GDPR was passed by the European Parliament in April, 2016, after four years of drafting, consultation and research. Enforcement kicks off on May 25 of this year. GDPR’s homepage is here. If your company has any shareholders in the EU, you must learn about GDPR.
Here’s a very high level overview. A business is allowed to collect the absolute minimum amount of data to carry out its business purpose, and it must be accountable to the individuals for the storage and use of that data. GDPR’s definition of what constitutes personal identification information is extremely broad – companies must provide the same levels of protection for simple things like an individual’s IP address or cookies as for more personal items like name, address and biometrics.
GDPR also requires a business to designate a Data Protection Officer (DPO) to oversee data security strategy and GDPR compliance. Among other duties, that DPO must self-report to regulators and individuals affected by a breach within 72 hours of a such breach being detected.
The DPO is also ultimately responsible for enforcing the following rights for every individual:
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights related to automated decision making and profiling
Of these, I find the Right to Erasure to be the most fascinating. If you were so inclined, you could force every company that has ever dealt with you in the EU to delete all of your personal information from their records, completely, irretrievably, permanently. You have the Right to Be Forgotten. You can erase your digital footprints. This puts the power back in the hands of the consumer, not Big Data.
There is a cost to getting into compliance with GDPR. PwC’s “GDPR Preparedness Pulse Survey” released in January, 2017 found that while 24% of US multinational respondents planned to spend under $1 million for GDPR preparations, 68% said they would invest between $1 million and $10 million. Another 9% expected to spend over $10 million to address GDPR.
But, there is an even larger cost to non-compliance, with penalties of up to €20 million or 4 per cent of global annual revenue, whichever is higher, for non-compliance. Management consulting firm Oliver Wyman predicts that the EU could collect as much as €5 billion in fines and penalties in the first year from FTSE100 issuers alone. (Until Brexit is formalized, all British companies are subject to GDPR.)
Large multinationals can eat the cost of terrifyingly high compliance, but most businesses lack the resources, motivation or knowledge to get into GDPR compliance. The best advice I can give is for you to find a third-party service provider who has a tech toolbox that provides that compliance. The outsourcing of key technology functions is common place; the more businesses that outsource GDPR compliance, the more it fits within the definition of ‘reasonable’ and provides a due diligence defence.
(Thanks to Neil Beaton of CAPS Group for his thoughts on the technical challenges of GDPR compliance, and thanks to Derek Lackey for his excellent presentation. You can contact Neil at email@example.com, and Derek at firstname.lastname@example.org. Any errors or mis-statements are mine.)