The EU General Data Protection Regulation – aka GDPR – comes into force as of May 25th, 2018. And frankly, if you haven’t started your preparations to be compliant yet, you are in trouble.
“People keep thinking they’re going to give us grace period, we’re already in the grace period. You’ve had two years to do something,” says Sheila FitzPatrick, NetApp’s worldwide legal data governance & data privacy counsel.
Though chasing every company for million-dollar fines isn’t the intent of the regulation, the threat of a bill equal to 4% of global revenue is very real, and one that blatant rule-breakers should be afraid of.
“They’re going to make poster childs out of the companies are not complying; they are going to put details on why they were fined, what happened, what they had and didn’t have in the place. All it’s going to take is one massive fine to make companies wake up.”
However, she adds, the data protection authorities do not want to hit every single company with a massive fine. They simply want organizations to show willing.
“They want you to show progress, they want you to show you’re doing something. Maybe you don’t have everything done; maybe you haven’t figured out the right to erasure or the right to be forgotten, but you can’t just sit back and say, ‘it’s impossible’.”
“You have to be able to do something, to at least show them a road map and say, ‘here’s our policy, here’s the data we collect, here’s our contractual agreements, here’s our processes and procedures, here’s where our data is stored’, as long as you have a plan moving forward to continue to comply or to maintain compliance, that’s going to be important.”
GDPR is like Y2K: A cash cow for vendors
And be warned, despite what some may tell you, you can’t buy or outsource your way to GDPR compliance.
“There’s going to be a panic when it comes to the end of May and companies realize that in some cases they bought a data lineage tool or a data discovery tool, or data mapping tool and they were told by doing this they’d be compliant. And they’re going to find out they’re not compliant.”
As with any major technology event, beware the marketers. In the same way that recent years have seen companies guilty of Cloudwashing and AI Snake Oil, GDPR is being used as a buzzword to hawk products.
“There’s a lot of misperception out there about this, and there’s a lot of companies that have turned it into a Y2K,” says FitzPatrick. “They’ve jumped on the bandwagon looking at GDPR as a revenue generator and the they’re trying to sell tools and technology to solve a legal compliance issue and it’s extremely misleading. Especially when they’re saying put your data in our Cloud that’s based in Germany and you’re compliant with GDPR. No.”
But it’s not just on magically compliant technology that companies are being misled on.
“Some companies are now offering Data Protection Officers (DPO) as a Service, but these are companies that knew nothing about to privacy begin with. You can’t just read about GDPR and become an expert, you have to have lived in the privacy field.”
Most companies in the technology field are now talking about GDPR, but few actually have the substance to back it up, she argues.
“Companies that know nothing about privacy are all of a sudden now GDPR experts. They have GDPR on their website, everybody’s an expert on their business card. You’ve never been a privacy officer, you’ve never been a privacy attorney, how do you know?
“If you don’t have the expertise, what are you selling your customers? It’s the Y2K again; jump on the bandwagon we can make lots of money because we can sell it as a service. They have beautiful glossies that simply are downloads of what’s on the EU website, but they’re selling these services based on vapourware.”
Data Protection Officers: hard to find, qualify and outsource
A major part of the GDPR is that many companies will need to hire a DPO. The DPO is responsible for ensuring compliance with the legislation, acting as the steward for a company’s privacy efforts and the point of contact for the data protection authorities.
“It’s a great title that everybody wants because it has all the visibility right now,” says FitzPatrick. “but there’s a lot of liability that comes with being a DPO and so I think that’s what a lot of people are only now starting to realize; it’s the DPO who’s going to be held accountable and solely responsible if there’s a violation.”
“The expertise is very few and far between. You’d be surprised how many large companies do not have privacy officers,” she says.
“They all have security, but very few have privacy officers or a privacy function. Sometimes they rely on their legal organization but most attorneys are traditional corporate attorneys that don’t know anything about privacy, they’re trying to make decisions around privacy, and it’s not a field they’re experts in.”
For a large number of DPOs, she adds, the only way to learn is going to be on the job training as the few certification programs available are barely worth the effort.
“There are companies that claim to provide certification for Data Protection Officers. The problem is the EU data protection authorities haven’t identified any certification programs that they deem adequate.”
Privacy ≠ security
The recent slew of mega data breaches has led to security evolving from an afterthought to a key role within companies keen to avoid hitting headlines for their failures. While security might slowly become a key leadership role, privacy is still an afterthought. GDPR will force that to change.
“Privacy has never been a priority, security has always been a priority. And companies they think if they secure the data they’ve met their obligations under privacy laws, and that is absolutely a misnomer. Security is not privacy. They are partnered in many ways but they are very fundamentally different, if you haven’t dealt with the privacy side, locking down that data isn’t going to help.”
“GDPR is first and foremost a legal compliance issue, and if you don’t build your legal privacy compliance framework first and have that program in place, the best tools or technology the world aren’t going to help you.”
“You have to deal with the privacy before you deal with security, and once you deal with privacy, that’s when you start to look at how do we lock this data down.”
FitzPatrick warns that simply encrypting data or buying a data mapping tool isn’t enough. She likens GDPR compliance to building a house; get too far ahead of yourself and the rest falls down.
“The ground floor is that privacy program, and what it looks like; what data do you collect, and are you legally allowed to have that data? Define what data you’re allowed to have, what you’re allowed to do with that data, who can have access to it, how long you can maintain it, and it really looks at that whole data minimization.”
“The first floor is all of your data privacy policies, your procedures, your contractual agreements, your opt-ins, your opt-outs. It’s the infrastructure around the collection of personal data.”
“Then once you get to the second floor, that’s when you start introducing things like data mapping tools, data lineage tools, so that you understand what data you currently; have where that data is stored, which jurisdictions it’s backed up and replicated in, what jurisdictions is it flowing through before it gets to the data center or wherever it’s maintained.”
“The foundational piece is the most important piece. If you don’t get that right, the rest of it isn’t going to matter. Once you get that foundational piece right the rest is going to fall into place.”
GDPR’s international effect
There are many misconceptions around GDPR: That it won’t matter post-Brexit (it will), that it doesn’t affect US companies (it does), that the EU can’t fine a company if its HQ is outside the Union’s borders (it can).
“Even if they’ve gotten past the fact it’s not just an EU thing, a lot of companies are still under the impression that it’s an EU-US thing,” says FitzPatrick. “They don’t realize Canada’s impacted, Asia-Pac’s impacted, Latin America’s impacted. Every country in the world that has any type of access to a personal data of an EU resident is going to be impacted by GDPR.”
The few countries the EU has listed as adequately protecting personal data – Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay – risk losing that status if there’s little effort made to be compliant, something which comes with the risk of losing investment from European companies. But even if companies are feigning ignorance, governments are not.
The UK has confirmed that even after Brexit, its own data protection laws will look very similar, if not identical to the EU’s, and other nations are taking a similar approach.
“The Australian Privacy commissioner has already stated that they will amend the current Australian privacy principles to meet the requirements of GDPR because they’re trying to attract a lot of European business into Australia. Singapore is already working on writing a law enhancing their data protection act to mirror GDPR. Japan implemented theirs in May of this year that’s a direct mirror of GDPR. We’re seeing a ripple effect around the world.”