What is it?
Going into effect May 25, 2018, the General Data Protection Regulation (GDPR) is a broad set of data privacy and security regulations affecting companies which are either based in the European Union (EU) or who process data on residents/citizens of the EU. The regulation lays out policies which govern legal consent (including special protections for children’s rights to consent), which restrict what categories of personal data can be collected, and which define data subjects rights (like the ‘right to be forgotten’). The GDPR recognizes that modern advances in technology warrant updates and expansion to existing regulations and proposes hefty penalties (up to €20 million or ~$25 million) for non-compliance.
While the fines seem scary and compliance seems next to impossible, the GDPR requirements simply mandate tenets of good data stewardship and data governance. Many of the responsibilities required for compliance with the GDPR are assessment parameters like risk analysis, data quality management, and data security.
The GDPR demonstrates a shifting philosophy around individual’s Personally Identifiable Information (PII) by recognizing the protection of personal data as a fundamental right and detailing specific requirements where companies should respect these rights in how they process personal data.
Scandals like the Facebook-Cambridge Analytic data breach are giving data privacy issues global exposure. When companies prepare for compliance and potential penalties, there is the inclination to rest on articles that include vague language or allow companies to show “legitimate interest” for non-compliance. Despite the vagaries of the GDPR, the international recognition of data privacy issues makes it likely that companies will still be targeted for enforcement of penalties. This recognition also opens the door for similar regulations to take effect outside the EU.
The GDPR started gaining attention from the article on the Right to Erasure, or as it is popularly known, the ‘Right to be Forgotten’. This right was born out of social media and gives individuals the ability to request all their personal information be deleted from all databases and public sites by a company.
The following are some other data rights outlined in the GDPR:
- Right to Access: companies are required to confirm whether they are processing data on an individual, and if requested by the individual, the company must provide a copy of the personal data being processed and the purpose for which they are processing the data.
- Right to Rectification: allows individuals to update any incomplete or inaccurate personal information on file at any time. Individuals can also restrict processing of their personal information while it is being updated.
- Right to Data Portability: gives individuals the right to receive their personal information in a commonly used and machine-readable format.
- Right to Object: individuals can withdraw consent to the processing of their personal data at anytime
This list and many other rights of the data subject are designed to give individuals control over their personal information, making it necessary for companies to understand where, how, and why they are using PII. This understanding can be achieved through data process mapping.
Most companies follow data practices that are directionally aligned with the tenets of the GDPR. They have data security measures in place and can show an intent for data privacy; but, many companies lack records of codified policies or standardized training for their employees. The GDPR also recognizes data security as an ongoing process and expects companies to show continued testing and updates as they grow and as technology changes.
Through data process mapping and risk analysis, a consultant can take a holistic look at clients’ data procedures. By planning for GDPR implementation and any additional future regulations, UDig helps clients not only demonstrate readiness for the GDPR but also show proper data stewardship and data governance, signs of good business practices that drive business and boost a company’s reputation.