In our previous post, we talked about the soon-to-be-enforced EU General Data Protection Regulation (GDPR) and the big reasons companies need to pay attention. In theory, GDPR could affect almost every business on the planet, since every company has the opportunity to collect data on EU residents (and therefore be subject to GDPR).
For this second post in our series of three, we’ll address the wide-ranging financial and legal impacts of a GDPR violation. It’s absolutely critical for U.S. businesses to understand what it means to be compliant, and to make that compliance a reality. Here are some of the key provisions in the GDPR documentation that U.S. businesses must be aware of, in terms of changes to internal systems:
1. Systems must be designed with data privacy requirements in mind.
Article 25 of the GDPR covers privacy by design, or the concept of creating and building systems with data protection principles woven into the framework. Many businesses currently address this process in a reactive manner - i.e., they build data collection systems without data privacy controls in place, and go back and add controls only as new regulations arise. GDPR stipulates that for any new systems created, these principles must be applied as they are built, to ensure the protection of personal data from day one.
It makes good business sense to require businesses to design new systems with the end in mind - one end being the protection of personal data. But with many U.S. businesses behind the curve on security protocols as it is, this one may be a bigger hurdle than it seems.
2. Businesses must provide data subjects with access to their own data in an easily transferable format.
Have you ever thought of contacting a business you are a customer of and asking them to give you a copy of all the data they have on file for you? Unless you’re taking legal action against a company and need it for legal proceedings, the thought probably hasn’t crossed your mind.
Article 15 of the GDPR will give EU residents the right to do exactly that. GDPR-compliant companies are required to provide an electronic copy of the personal data being processed to data subjects who request it. And it doesn’t stop there - businesses are required to answer a series of questions if data subjects ask, including:
Is personal data being processed or not?
If it is, what personal data is being processed?
Where is personal data being processed?
Why is it being processed?
This requirement makes for a dramatic shift in transparency for businesses worldwide. Not only will it trigger a shift in mindset for employees and customers, but it also requires new processes to provide this information upon request.
GDPR also stipulates that the data provided to the data subject must be provided in a “commonly used and machine readable format”, in the event that the data subject would like to transfer all the data to another controller. This concept of data portability is covered in Article 20 of the GDPR.
So now, not only can you request all the personal data collected by the bank, for example, but you’ll receive it in a format that is easily transferable to another bank, credit union, or other financial institution.
3. Data subjects can ask to have all their personal data erased, and businesses must comply.
As evidenced in public lawsuits over the years that have dredged up deleted emails and other electronic records, nothing truly gets erased from a company’s records. GDPR aims to change the status quo as it relates to personal data for EU residents.
Article 17 of GDPR grants data subjects the “right to be forgotten”, which means the EU resident in question can request that the controller erase all of his or her personal data. FOREVER. And the reasons for such a request are varied, including:
The personal data is no longer necessary for the purposes for which it was collected
The personal data has been illegally obtained or processed
Another legal obligation requires that it be erased
The data subject has decided to withdraw consent, for whatever reason
Not only will companies have to develop new processes for the complete disposal of personal data, but legal proceedings for unrelated events may have broader impacts as well. If a company is subpoenaed in a lawsuit, and part of the subpoena includes information stored by the company, businesses will need to inform litigators which datasets are still intact and which ones have been removed.
GDPR is going to change the way businesses worldwide collect, manage, and store personal data for EU residents. As the deadline for compliance looms over our heads, U.S. businesses that fall under GDPR jurisdiction must take steps to comply. We’ll continue to share our insights as the deadline approaches.