Part 2 of a 2-part series. Read Part 1.
The European Union’s General Data Protection Regulation (GDPR) is prompting companies to make extra efforts to guarantee the data privacy rights of their business partners, including employees, customers, vendors, and so on.
My last blog discussed the six ways Big Data analytics can threaten personal privacy, as well as the two parties that the GDPR prompts to take protective action: individuals, and companies with customers in the EU. Individuals can determine which risks they are willing to accept by asking themselves the following questions:
- What data am I making publicly available, and where are the potential threats?
- What risks can I avoid, and on which data do I have no influence?
- Do I have any right to claim my data? Where can I make that claim?
GDPR sets a baseline for future developments in global data protection and security. As KPMG wrote, “It is fair to say that this new legislation is the biggest and most impactful change in privacy and data protection regulation in history. This regulation came about after more than four years of deliberations and negotiations and will impact organizations worldwide.”
As outlined in EY’s report EU General Data Protection Regulation in the Digital Age: Are You Ready?, GDPR requires fundamental changes in how data is processed, stored, and used.
Data protection officers (DPOs)
- DPOs must be appointed if an organization conducts large-scale systematic monitoring or processes large amounts of sensitive personal data
Accountability: Organizations must prove they are accountable by:
- Establishing a culture of monitoring, reviewing, and assessing data processing procedures
- Minimizing data processing and retention
- Building in safeguards to data processing activities
- Documenting data processing policies, procedures, and operations that must be made available to the data protection supervisory authority on request
Privacy impact assessments
- Organizations must undertake privacy impact assessments when conducting risky or large-scale processing of personal data
Consent
- Consumer consent to process data must be freely given and for specific purposes
- Customers must be informed of their right to withdraw their consent
- Consent must be “explicit” in the case of sensitive personal data or trans-border data flows
Mandatory breach notification
- Organizations must notify a supervisory authority of data breaches “without undue delay” or within 72 hours, unless the breach is unlikely to be a risk to individuals
- If there is a high risk to individuals, those individuals must be informed as well
Rights of individuals
- The right to be forgotten – the right to ask data controllers to erase all personal data without undue delay in certain circumstances
- The right to data portability – where individuals have provided personal data to a service provider, they can require the provider to “port” the data to another provider, provided this is technically feasible
Privacy by design
- Organizations should design data protection into the development of business processes and new systems
- Privacy settings are set at a high level by default
Obligations on processors
- Data processors become an officially regulated entity
- Data protection responsibility may be split among several controllers
Though responsibility for protecting their data does lie with every individual using Internet services (whether online shopping, banking, gaming, or social media), the new EU regulations explicitly require companies to take a more active role in data protection.
Given these changes, the role and importance of information management and governance in data privacy will be a key success factor for every organization with EU customers.
There are solutions and services available to help you provide protection, availability, resilience, and governance for one of your most important assets – individuals’ data.
This was originally published on the SAP BusinessObjects Analytics blog and is republished with permission.