Once the General Data Protection Regulation (GDPR) comes into force in May 2018, the repercussions will be felt well beyond the borders of the European Union (EU).
The GDPR is a new set of regulations created to strengthen data protection for individuals residing in the EU.
The regulation extends the scope of EU data protection law to any foreign company processing the personal data of individuals in the EU.
It harmonizes the data protection regulations throughout the EU, while making it easier for non-European companies to comply.
To encourage adherence, the regulation includes severe penalties of up to four percent of worldwide annual turnover (or 20 million euros, whichever is higher) where companies are judged to be non-compliant.
Relocating to the UK, which will leave the EU in 2019, will not help. It too is tightening up its data use regulations and has already indicated that in terms of data use, it wishes to stay in step with its European neighbors.
Many companies are looking to technology to help them keep compliant. How much software can help here is unclear, but tech vendors and researchers are lining up to provide assistance.
To find out how the tech community is responding to the GDPR, we asked a number of vendors and commentators working across the data management industry what kind of fallout we can expect from the GDPR.
(Editor's note: this is the first in a series of discussion points around the GDPR)
What are the highest-impact aspects of the GDPR?
John Mancini, Chief Evangelist, AIIM
John Mancini is Chief Evangelist for AIIM. He is a well-known blogger and social commentator on information management and digital transformation, usually under the name @jmancini77. AIIM will be hosting a free virtual conference on GDPR on Sept. 14. Tweet to John Mancini.
In addition to examining how companies in Europe and the US are dealing with their well-founded immediate concerns about GDPR compliance (after all, May 2018 is just around the corner), it is important to also consider what the GDPR tells us more broadly about privacy and information management. GDPR is just the tip — albeit an important tip — of the privacy iceberg.
1. We’re in uncharted privacy territory. We’ve all collectively made a deal with the devil. In exchange for a device that can connect us with anyone in the world anytime we choose, we’ve given corporations and governments the ability to track us 365x24x7, with long-term privacy consequences still to be determined. Check out Bruce Schneier’s "Data and Goliath" if you want to get scared.
2. Government will rush in with the best of intentions. But … the rules of privacy and engagement have yet to be determined. In this environment, governments will rush in to set new rules — the GDPR is just the first of many well-intended attempts to follow. Often, the resultant rules and regulations have very little to do with actually protecting privacy. It is almost impossible for policy-makers to stay ahead of rapidly changing technology, especially when the governments doing the protecting are often complicit in the compromising.
3. The US and Europe will continue to talk past each other when it comes to privacy. Larry Downes put it best in the Harvard Business Review: “To the extent that the privacy concerns in Europe are genuine, they reflect a profoundly different approach to privacy in two giant economies. US privacy law, inspired by our revolutionary founding, focuses more on restrictions, such as the Fourth Amendment, that protect citizens from information collection and use by government rather than private actors … In Europe, the government is the principal protector of personal information from abuse by non-governmental institutions — the opposite of the US model.”
Jeff Morris, Head of Product, Neo4j
Jeff has been working in tech marketing and sales for the past 25 years. During that time, he has worked with pioneers in NoSQL (graph) databases, cloud analytics and open source databases. With GDPR regulations on the horizon he is directly involved in formulating Neo4j's response to GDPR. Neo4j is the developer of a graph database management system. Tweet to Jeff Morris.
The biggest impact of GDPR will be the widespread, vast amount of data that is included within the regulation. When GDPR goes into effect on May 25, 2018, it will impact every entity that holds or uses European personal data both inside and outside of Europe. Any organization that does not adhere to GDPR regulations will face heavy non-compliance fines. That means every tweet, entry in a log file or part of the website that a user visited, lies within personal data affected by the regulation and has the potential to be flagged as non-compliant. It’s a huge requirement to understand the entire context of how a customer interacted with an organization.
It's not enough to understand an organization's data. The need to reveal the connections between the data will be imperative. Companies need to find and reveal the connections between data, particularly when a relationship is broken or when a risk arises. This will dramatically reduce risk as more data becomes exposed to the regulations.
Chris Niggel, Director of Security and Compliance, Okta
For the past 12 years Chris has been enabling people to safely undertake risky projects inside and outside of the enterprise. His more recent projects include building a team to define and execute compliance projects for Okta, which offers cloud identity and access management products. Tweet to Chris Niggel.
GDPR requirements have already had an enormous impact on the amount of attention and resources dedicated to information security — and it will only increase from here. It has forced the spotlight onto security teams and HR departments, where they'll soon be responsible for implementing and maintaining processes that track how their company's tech services interact with employee and customer data.
With so much focus on securing that data, security teams will have a bigger role in the decision-making process for any technology service that interacts with their company information. This can create stronger connections between the IT teams that are bringing on new tech services, and the security teams that are working to protect data and comply with specific regulations. They will need to become better aligned as they work to meet the requirements of GDPR and respond to inbound requests from employees requesting copies of their personal information.
HR is part of the shift as well. GDPR expands the focus to include HR data, whereas programs like Safe Harbor and Privacy Shield focused more on consumer data. This will require US-based companies who may not do business in the EU, but hire EU citizens, to become GDPR-compliant or face the fines.
Considering the heavy fines involved for failing to comply — 20 million euros ($22.5 million USD), or four percent of annual revenue, whichever is higher — these teams will be highly motivated to ensure their company's compliance. Because of the expanded focus on HR data, the impact will expand far beyond the Facebooks and Googles of the enterprise, and will begin to spread into the SMB space as well.
Kristina Podnar, Digital Governance Advisor
Kristina Podnar brings clarity across the global organization and its regulatory environments to rapidly customize a policy framework that frees the organization to fully leverage digital in service of its larger mission. Tweet to Kristina Podnar.
There is little doubt in my mind that the highest impact aspect of the GDPR is understanding data flows into and outside of the organization, which represents regulatory risk as well as the loss of a competitive opportunity.
In many ways, GDPR is forcing organizations to adopt sound governing practices that should already be in place. For example, naming an individual accountable for understanding business-wide data collection and management practices should be the norm and not a struggle. Yet most companies and institutions that I consult with — large and small, across all sectors — are challenged by this basic governance principle.
There is a strong disconnect between understanding what data you have and how it is being used. There is no awareness that this goes beyond complying with regulatory requirements, and that the insights can support the realization of business goals and your digital strategy.
Clearly understanding and controlling data is the foundation for addressing all other aspects of the GDPR. If you understand what business processes are dependent upon or produce data, then you can: provide transparency and clearly inform users of those practices, gather explicit consent from users, address children’s online privacy, ensure you are controlling and transferring data appropriately, anticipate potential areas for data breach, and report and rectify data loss in a timely way. Moreover, if you are called out for an audit, you will be able to demonstrate efforts towards meeting the GDPR requirements, which may not guarantee penalty avoidance, but ought to go a long way in preventing one.
(Editor's Note: Join Kristina in a discussion about the GDPR's effects on marketing efforts at CMSWire's DX Summit, taking place Nov. 13 to 15 in Chicago)