By Kelsey Treister, CSR Professional Services
Major Changes—and Fines—Will Be Coming in Mere Weeks. Are You Prepared?
Companies that use offsite storage have to handle the personal data (PD) of end users, customers, and employees. Now, it’s time to get familiar with a sweeping new regulation that will affect every aspect of how you handle that PD: the General Data Protection Regulation (GDPR). Effective May 25, 2018, the GDPR requires that companies ensure the highest levels of privacy when handling European citizens’ personal information. Given that the GDPR already has been implemented and is being enforced, all companies need to ensure they are in complete compliance by the rollout date—or risk facing dire financial penalties. Ignorance is no excuse. The GDPR also extends far beyond the borders of the European Union (EU), so even American-based companies, including those in the records and information management (RIM) space, need to know what to do to prepare. Simply put, the GDPR changes the standards for data privacy, with a focus on consistent protection of the consumers’ personal data (PD). The trick to understanding what you can do to prepare is understanding five key concepts: the data subject; data access rights; the data controller; the data processor; and, finally, data protection authority.
Data Definitions
The data subject is any person or entity that submits information from Europe; under the GDPR, all PD collected belongs to that subject. PD is any information a company has on a data subject, from name and e-mail to more sensitive data, like an address or identification number. The GDPR introduces the idea of total transparency around this information. Under the regulation, a data subject is entitled to know how his or her data is being stored, its use, and its purpose. They must be informed if their PD will end up in the hands of third parties. Consent to such data usage is a must—and must be given freely, without coercion. With consent and transparency, data subjects also must have total access to their PD without any limitations or stipulations whatsoever, so a company must guarantee it handles that PD accordingly.
Companies also must be aware of the data subject’s access rights. Transparency, consent, and access are important elements of data access rights, but it doesn’t stop there. The data subject’s rights are clearly defined and strictly enforced. And there are a lot of them. Access, including the right to be informed, is key. The right to rectification, or to basically change information, is ensured. And data subjects also are guaranteed the right to removal or erasure. Considered “the right to be forgotten;” in layman’s terms, this means a company must delete or destroy an individual’s PD upon request. Data subjects have control over their PD, including the right to restricted processing. In other words, data subjects can choose what utilizations of their selective personal data they will allow. Data subjects may request transfer of their data between different services, which is known as the right to portability. This right is crucial because portability is based on technological limitations for those individuals’ PD as covered under the GDPR. These rights are a “plus” for RIM companies because knowing how to operate and function under these rules and how to apply them offers new opportunities to optimize relationships. Being openly GDPR compliant is a win in the eyes of your direct customers and end users.
To Control or Process?
According to the GDPR, PD gets handled or stored by either the data controller or the data processor. These are distinct bodies with different obligations, but can have the same function. Essentially, you can consider the controller the business or entity responsible for publishing—and following—a privacy policy. Data subjects willingly give their information to the data controller. The data processor is the entity that processes data on behalf of the data controller; this could be a vendor, a third party, or a consultant. Simply put, PD flows from the controller to the processor. Identifying whether your company functions as the controller or the processor is important, although an organization can actually be both simultaneously. For example, a payroll company could assume both processor and controller roles depending on the circumstances. When the payroll company carries out specified data processing on behalf of another business, the payroll company is considered a processor. However, this same payroll company would be considered a controller with regard to its own employees’ personal data. As stated, the data controller is responsible for publishing a privacy notice or statement that explicitly states how they will handle collected information. Any variation or deviance from this constitutes an offense under the rules of the GDPR, and the controller must then adhere to the data subject’s access rights and regulatory compliance. They also must take proper action to ensure appropriate security measures are in place, including regarding encryption and the care of automated data. Finally, the controller is responsible for reporting data breaches to the appropriate authorities and providing notification of said event to the data subjects involved. The data controller can then use data processors to work on the material, either to store it, transmit it, manipulate it, or anything else that needs to be done. The requirements of the data processor are slightly different from those of the controller as far as legal responsibility—the controller has more accountability. However, both processors and controllers must keep specific logs of all processing activities, including the specific categories of data with which they are working. Compliance is an important concern for processors. They must be able to process all personal data while observing the instructions given by the controller. And, in doing so, they must always be able to show proof of having followed the policy. Data processors have a role in a data breach, as well. They must report anything suspicious in detail to the data controller without undue delay. However, the processor doesn’t need to report to the authorities because, in this instance, the controller has the greater legal responsibility. The controller, in turn, has 72 hours to report the breach.
Acting on Authority
Another important role to understand is that of the data privacy authority (DPA). This is the set of governing bodies that serves as the regulatory authority in that region. For example, controllers must report breach activity to the DPA in their particular jurisdiction. The DPA is tasked with the protection of data and privacy, as well as monitoring and enforcement of the data protection regulations. In the EU, the principal authority is the Article 29 Working Party, but his body eventually will be replaced by the European Data Protection Board. These entities are composed of various members of the different member-states’ supervisory authorities, as well as other members of the European parliament. But this doesn’t just affect European companies. Many American companies also must abide by these rules; any company, regardless of location, that processes large quantities of European data must be compliant. For example, if EU citizens submit their own or data gathered in Europe is submitted online to a Florida-based company, the Florida company is liable. If the Florida company experiences a data breach, Florida law would not govern the issue. Rather EU law—specifically, the GDPR—and specific codicils from Italy would be in effect. Each country in the EU has its own DPA, and significant funds are allocated to those authorities’ operations. Being compliant with the GDPR—and compliance is nonnegotiable—means knowing or employing a resource that knows how to interface with DPAs. These are the officials who ultimately will determine the consequences of a security event. They decide if there should be legal action, whether criminal or civil; a fine; or any other penalty. Overall, in its position of authority, the DPA has four primary functions, in addition to its role as watchdog for breaches or other security events: It monitors, advises, and enforces the GDPR and is responsible for record keeping.
Nitty Gritty of Noncompliance
If a firm is found to be responsible for data mishandling, the fines and consequences are significant. Fines are based on which articles were violated as well as the company’s annual turnover. Failure to notify can result in a penalty fine of up to €10m or 2% of global turnover. Negligent or intentional violation of the GDPR can result in a fine of up to €20m or 4% of turnover. And these fines and consequences can be imposed anywhere if the data in question is European. Truth be told, it has a global effect. Any noncompliance with the GDPR means a fine. Data breaches are a significant potential result of noncompliance, and seem to be increasingly inevitable in this day and age. So, the question becomes, how can you identify a data breach? Now, a common misconception is that all data breaches are digital or electronic. This is simply not the case. Up to 90% of breaches actually involve physical records, such as sensitive material being mailed to the wrong address, theft of documents, or files not being destroyed properly. All of these are breaches and therefore must be reported. To identify a data breach, it’s important to know what kinds of data breaches are possible, what to look for, and when to react. Breaches are divided into three categories: accidental, malicious, and nefarious. The most prevalent is accidental. An accidental breach is what it sounds like: an unintentional problem, such as a missing laptop or someone accidentally forwarding the wrong file to a client. By definition, an accidental breach involves a person who has permission to have the data and is using it appropriately. Accidental breaches make up about 90% of all breaches. The second group is malicious, which accounts for about 7% of breaches or security events. Legally, with malicious breaches, the perpetrator has permission to use the material but deliberately uses it in a damaging fashion. For example, if a disgruntled employee publishes PD or sells it to a third party. The third group is nefarious, which accounts for about 2% of events. This is the category that people often think of first: hackers coming in via the web. Although this category accounts for the smallest number of events by far, it gets the most attention. With a nefarious breach, the culprit does not have permission to obtain the data in the first place, and they are using it for, as the name states, nefarious means.
Coming into Compliance
To understand the GDPR, it is paramount to understand the key concepts of the controller and the processor, the rights of a data subject, and the significance of fines and consequences. With understanding comes compliance. Be prepared, and your customers will be protected. So what does that mean for you and your company? It means that, by the end of May 2018, there is no excuse not to implement these processes to the management of your own collected EU data. Many U.S.-based companies now employ a data privacy officer, who monitors their usage of PD and their controller or processor roles. Bringing these experts on as full-time employees can be difficult and costly, but third parties (such as CSR Professional Services) can help companies without these staff successfully handle regulatory compliance and data breach reporting.
____________________________________________________________________________________________
Kelsey Treister is the marketing manager for CSR Professional Services, a leading provider of data compliance solutions and expert services for businesses domestically and around the globe. CSR’s services facilitate best practices to reduce the business risk and financial liability associated with the acquisition, handling, storage, sharing and disposal of data. Visit them online at csrps.com
