The countdown is on. Europe’s latest regulation aimed at ensuring even greater data privacy protection for all EU citizens comes into effect May 25, 2018. But global companies doing business in Europe and with Europeans are still struggling to define their compliance strategy and develop an approach to avoid the hefty fines for data security and user consent breaches and “privacy by design” violations.
Several panel discussions and keynote speeches during the recent Mobile World Congress, the annual gathering of mobile industry executives, highlighted the challenges companies face in aligning their data collection and usage practices with the EU General Data Protection Regulation (GDPR). Much like the Internet of Things data security conversations happening in auditoriums away from the show’s marquee booths, GDPR, considered to be the most important change to data privacy legislation in two decades, is another elephant in the room causing anxiety and apprehension within many corporate departments.
“There will be so many new devices connected in the next few years, but cybersecurity is not yet prioritized in the design,” said Achim Klabunde, head of sector IT policy at European Data Protection Supervisor, during a session about privacy challenges facing the Internet of Things (IoT). “One thing that the GDPR stipulates for all technology development is the introduction of the legal obligation of data protection by design. By default, by design means that when the data processing systems are being designed it shall include privacy protection and these protection provisions will be activated. Violations of this could be heavily fined.”
Data protection being designed into devices and software has triggered some of the collective worry. However, there is concern, too, about other legal stipulations included in the GDPR and the expanded rights of “data subjects,” the people and entities whose data is being collected.
Although data privacy laws have been around for years in many parts of the world, with Europe’s regulations typically being more forceful than others, the extent of the latest requirements has gotten many people talking. As listed on the EU GDPR website, the most noteworthy changes include:
- Jurisdiction is extended to all companies processing personal data of data subjects residing in the European Union, regardless of the company’s location.
- Fines for GDPR violations can reach up to 4% of annual global turnover or €20 million (whichever is greater).
- Terms and conditions granting consent for data collection and processing must be written in "intelligible and easily accessible form, using clear and plain language,” thus eliminating the incomprehensible legalese companies tend to use. Additionally, it must be as easy to withdraw consent as it is to give it.
- Breach notifications are now mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals,” and must be done within 72 hours of becoming aware of the breach.
- Data transparency and data subjects’ right to access and obtain information about whether or not personal data concerning them is being processed, where it’s being processed and for what purpose.
- Data erasure and data subjects’ right to be forgotten allows individuals to stop dissemination of their data, and potentially have third parties halt processing of the data.
- Data portability rights require data controllers to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the data subject so requests.
- Privacy by Design moves from a general concept to a legal requirement calling for data protection criteria to be built into system and product design as opposed to being an add-on feature.
- Data minimization requires collecting only the data absolutely necessary for the completion of data processing duties and limiting access to personal data to those who actually perform the processing.
- The appointment of a Data Protection Officer reporting directly to the highest levels of management at companies is mandatory in three situations: when the organization is a public authority or body, when processing data on a large scale or when processing highly sensitive data.
If you’re reading this wondering whether you’re immune to these privacy protection requisites, the short answer is: probably not.