The deadline for compliance with the European Union General Data Protection Regulation (GDPR) is May 25, 2018. Many organizations have spent countless hours already in their preparation for the deadline, while other organizations are just getting around to reading up on it. GDPR, like Y2K of a couple decades ago, has international implications that for some organizations HAS to be addressed as GDPR will impact the lifeblood of their operations, whereas for most organizations, some due diligence needs to be done to ensure they are within the compliance of the regulation.
GDPR is Today’s Y2K
I reference Y2K as I was one of the advisors to the United States White House on Y2K and spent the latter part of the decade before the Millennium switchover traveling around the globe helping organizations prepare for 1/1/2000. Today with GDPR as I did then with Y2K believe there are fundamental things every organization needs to do to be prepared for the deadline, but to NOT get caught up in the hype and over speculation to the Nth degree detail that’ll drive you crazy.
What is GDPR?
To help those catch up on what GDPR is, the regulation technically went into effect in 2016 and the deadline for compliance is May 25, 2018. The thing that scares people is that fines for non-compliance are up to 20-million Euros or 4% of the company’s prior year worldwide revenue, which is an alarming number that gets everyone’s attention.
While there are many tenants to GDPR, I net it down to 3 major things:
- Prevention of “Tracking” Individuals: This is the big thing in GDPR that goes after the big Internet companies (Google, Facebook, Amazon) that gather personal information on individuals, track the Websites they visit through cookies, and actively advertise to individuals through that tracked information. GDPR directly addresses the practice and process of gathering information on what individuals buy, sites they visit, and content they’ve searched for by not only requiring consent but also have clear stated purpose WHAT that information will be used for.
- Prevention of Retaining Personally Identifiable Information (PII): This tenant is not so new and has been a big piece of legislation around the world to protect individual’s privacy. GDPR, like other global regulations on PII, sets limits on what personal information can be gathered (name, date of birth, address, etc), how that personal information needs to be stored and protected, and what needs to be done in the case of breach.
- Cross-Border Transfer of Information: GDPR stipulates that EU residents (citizens and even individuals that are temporarily working and living in the EU) information should remain in the EU –or– if the information leaves the EU that the target destination for the storage of the information meets specific European Commission approvals
Of the three major tenants I note for GDPR, the second and third are things that we’ve been addressing for some time now with the predecessor to GDPR (the DPD 95/46/ec) and the various Privacy/PII laws that are already in effect. So the big thing in GDPR is around the collection, storage, and tracking mechanisms commonly used by Internet organizations for web-based shoppers and social media participants. THOSE are the organizations that have been working very hard the past couple years already devising ways to inform, get consent, and handle tracking in a manner that fits within the requirements of GDPR.
Tenants of GDPR
There are other tenants of GDPR that organizations need to address and are commonly discussed in conversations about GDPR. They include:
- Data Protection Officer and Vendor Management: GDPR stipulates that organizations impacted by GDPR need to have a Data Protection Offices identified and have a process for vendor management as it relates to GDPR. This individual will have the role of overseeing the compliance with GDPR internally and with vendor/suppliers.
- Codes of Conduct: GDPR requires organizations to have stated codes of conduct how data will be extracted, used, timeframe for use, how the organization will protect the privacy and rights of the individuals the data was extracted from, and provide users the right to request that “their data” be purged.
- Data Profiling / Data Consent: As noted previously, GDPR has tight rules as it relates to using data to profile individuals that can be directly associated back to a named individual. Use of identifiable information (like Cookies) requires explicit consent.
- Cross-Border Transfers: Also as previously noted, GDPR has tight rules on EU data remaining in the EU –or– that the target destination of EU data complies by the same standards expected of information stored in the EU
- Data Portability: GDPR has a data portability tenant that allows users to request their information to be allowed to be “moved” to another provider. Just like phone number portability in the United States that allows an individual to keep their phone number as they switch from one phone carrier to another, GDPR data portability gives users the right to request their emails, photos, documents, and the like to be transferrable.
- Pseudonymizing of Personal Data: Fancy word, but effectively the randomizing of data so that it cannot be attributed back to any particular individual, effectively making the data anonymous. However GDPR does stipulate that just because the data is randomized doesn’t allow an organization to just collect and use the information as they please. GDPR has stipulations that require an organization to justify why they are collecting the information, what they plan to do with the data, and with clear definitions how the data will be eliminated when those stated purposes are no longer valid or applicable
- Data Breach Notifications: GDPR tightens the timeframe that cybersecurity breach notification is made, with requirements for notification in as little as 72-hours from an organization being made aware of the breach. There are some variations to this notification where individuals need to be notified if information that can be attributed back to them (personally) has been breached, however if information has been pseudonymizied, that only the European Commission needs to be informed.
GDPR for Enterprises (not Web/Social Media Providers)
With much of the heft of GDPR focused on Web/Social Media Providers (Facebook, Google, Amazon, etc), the common question for Enterprises (corporations, small businesses, companies headquartered in/out of the EU) is what does a typical business need to think about relative to GDPR?
First of all GDPR is not a bigger thing nor a smaller thing based on the size of the enterprise. The requirements of GDPR are the same no matter the size, where the organization is headquartered, or the type of industry the organization is in. GDPR also applies to every organization that does business with companies in the EU, has employees that are citizens of the EU, or even has employees that are foreign citizens but are residing and working in the EU. So the umbrella on who has to comply with GDPR is pretty broad.
A common question is whether an email system hosted in the United States can fit within GDPR requirements. For organizations that have migrated to services hosted by Microsoft (like Office 365) or Google (G-Suite), both Microsoft https://www.microsoft.com/en-us/trustcenter/privacy/where-your-data-is-located and Google https://www.blog.google/topics/google-cloud/google-cloud-our-commitment-general-data-protection-regulation-gdpr/ have officially stated their cloud services WILL be GDPR compliant before the May 18, 2018 deadline. The way these services will be compliant is because the European Commissions has already approved and adopted the EU-US Privacy Shield. While GDPR does not specifically refer to the EU-US Privacy Shield, it does explicitly acknowledge the current requirements for Binding Corporate Rules (BCR) for processors and controllers. BCR confirmation is acquired by having auditors validate and certify compliance for organizations in their movement of data globally. The EU-US Privacy Shield fits within this certified Binding Corporate Rules deemed acceptable for GDPR as it allows the European Commission to conduct periodic reviews to assure that an adequate level of data protection exists in the transferring of data cross-border. What remains for these cloud providers is a formal “sign-off” that they do indeed meet the provisions of GDPR which are anticipated to be approved without resistance.
Note: For the topic of cross-border transfers, one might hear that the most common cross-border certification, “Safe Harbor,” has been invalidated for GDPR, that is true. On October 6, 2015, the European Court of Justice invalidated the US-EU Safe Harbor Framework. However Binding Corporate Rules (BCRs) do remain valid. Additionally, organizations can rely on Standard Contractual Clauses (SCCs) that are approved by the European Commission. SCCs are agreements between the EU exporter (ie: EU subsidiary) and the data importer (ie: US parent company or service provider) on the handling of cross-border transfers. Large enterprises are seeking certification under SCC approvals so that they can move corporate data between corporate offices and datacenters around the world. The SCC validations are not easy to acquire as they require an audit of the data management, security, handling, and processing of information throughout an enterprise. However once an enterprise has an SCC, they can more freely move information throughout their organization.
Handling GDPR for Internal Documents and Content
A common question by enterprises is whether email messages and business documents fall under the requirements of GDPR. The answer is generally no, a business document is a business document for the purpose of conducting the business of the organization. Of course if the document includes the names of employees, their home addresses, their mobile phone numbers, and other personally identifiable information, then the document falls under GDPR as well as other existing laws and regulations on information privacy. However a business contract, marketing materials, client documents, architectural drawings, and the like exchanged during the normal course of business are not “personal documents” embedded with “personal data” for non-legitimate business uses.
The KEY to handling internal documents and content to ensure the documents do not contain content subject to GDPR or other PII restricted regulations is to use content classification. Technologies built in to Microsoft’s Office 365 has the ability to scan content (emails, documents, memos) and auto-classify the content as having content that appears to include PII (birth dates, social security numbers, etc). https://blogs.microsoft.com/blog/2017/05/24/accelerate-gdpr-compliance-microsoft-cloud/ By auto-classifying the content, policy rules can be applied to the content that allows the creator of the content to choose who can access the information. By giving control to the originator of the content, that satisfies the requirements of GDPR by giving the content owner the free and direct control of the content, and to whom the content can be shared with.
Can Employers Force Employees to Give Consent of their PII?
The short answer is NO, GDPR is very clear that consent is not valid unless it is “freely given, specific, informed, and unambiguous.” That means an employee cannot be reprimanded nor discriminated against for choosing to not consent to blanket policies. This is why content classification becomes so important, it enables an organization to require users to provide consent, classify, or reclassify content as they deem appropriate on a case by case basis.
Collecting and Handling Employee and Customer Information under GDPR
GDPR is clear that an organization needs to provide users, visitors, and employees detailed information on what data is collected and how it will be used. Obviously this first makes the assumption that personal information about an individual is being collected in the first place. While some simple common business applications like the Web Browser that an employee uses likely by default has cookies enabled and is storing and tracking the Web access of the user of the Web Browser, a simple enterprise fix it to set all Web Browsers to Private or “Incognito” mode. This will prevent cookie tracking and storage of data protected by GDPR. A user can be allowed to turn off the Private mode if they choose, that will be their decision and their personal consent to having content potentially tracked.