The countdown is on. Europe’s latest regulation aimed at ensuring even greater data privacy protection for everyone in the EU comes into effect May 25, 2018. But global companies doing business in Europe and with Europeans are still struggling to define their compliance strategy and to develop an approach that avoids the hefty fines for data security and user consent breaches and for “privacy by design” violations.
Several panel discussions and keynote speeches during the recent Mobile World Congress, the annual gathering of mobile industry executives, highlighted the challenges companies face in aligning their data collection and usage practices with the EU General Data Protection Regulation (GDPR). Much like the Internet of Things data security conversations happening in auditoriums away from the show’s marquee booths, GDPR, considered to be the most important change to data privacy legislation in two decades, is another elephant in the room causing anxiety and apprehension within many corporate departments.
“There will be so many new devices connected in the next few years, but cybersecurity is not yet prioritized in the design,” said Achim Klabunde, head of sector IT policy at the European Data Protection Supervisor, during a session about privacy challenges facing the Internet of Things (IoT). “One thing that the GDPR stipulates for all technology development is the introduction of the legal obligation of data protection by design. By default, by design means that when the data processing systems are being designed it shall include privacy protection and these protection provisions will be activated. Violations of this could be heavily fined.”
Data protection being designed into devices and software has triggered some of the collective worry. However, there is concern, too, about other legal stipulations included in the GDPR and the expanded rights of “data subjects,” the individuals whose personal data is being collected.
Although data privacy laws have been around for years in many parts of the world, with Europe’s regulations typically being more forceful than others, the extent of the latest requirements has gotten many people talking. As listed on the EU GDPR website, the most noteworthy changes include:
- Jurisdiction is extended to all companies processing personal data of data subjects residing in the European Union, regardless of the company’s location.
- Fines for GDPR violations can reach up to 4% of annual global turnover or €20 million (whichever is greater).
- Requests for consent to data collection and processing must be written in “intelligible and easily accessible form, using clear and plain language,” thus eliminating the incomprehensible legalese companies tend to use. Additionally, it must be as easy to withdraw consent as it is to give it.
- Breach notifications are now mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals,” and must be done within 72 hours of becoming aware of the breach.
- Data transparency and the right of access: data subjects have the right to obtain confirmation from the data controller of whether or not personal data concerning them is being processed, where it is being processed and for what purpose, and to receive a copy of that data.
- Data erasure and the right to be forgotten: data subjects can have the controller erase their personal data and stop further dissemination of it, and potentially have third parties halt processing of the data.
- The right to data portability requires data controllers to provide personal data to the data subject in a commonly used, machine-readable format and to transfer that data to another controller if the data subject so requests.
- Privacy by Design (the regulation’s term is “data protection by design and by default”) moves from a general concept to a legal requirement calling for data protection criteria to be built into system and product design rather than bolted on as an added feature.
- Data minimization requires collecting and retaining only the data strictly necessary for the stated processing purpose, and limiting access to personal data to those who need it to carry out that processing.
- The appointment of a Data Protection Officer reporting directly to the highest levels of management is mandatory in three situations: when the organization is a public authority or body, when its core activities involve regular and systematic monitoring of data subjects on a large scale, or when they involve large-scale processing of special categories of data (such as health or criminal conviction data).
If you’re reading this and wondering whether you’re immune to these privacy protection requirements, the short answer is: probably not.
As EE Times’ Junko Yoshida reported, it’s not just data-processing giants like Google, Facebook, and LinkedIn that are affected by the regulation. If you buy and sell products to Europeans, GDPR affects you and the way you set up your contractual data-sharing obligations with trading partners. If you are designing, manufacturing and distributing products, including Internet of Things devices that foster greater inter-device connectivity and information gathering and sharing, you will have to include privacy protection provisions. And if your data is flowing out of your system and into the hands of other parties, you’ll want to look at what levels of protection are built into those data flows.
The reality is that GDPR is going to have far-reaching impact, could trigger other countries to adopt similar measures, and will, sooner or later, compel companies to rethink how and why they collect and use individuals’ personal data.
“We need to break these assumptions that regulators, companies and, sometimes, consumer groups make that consumers are this group of ready, willing, able users of technology with plenty of time on their hands to familiarize themselves with all the ways this technology works and how it is using their data. They are not,” said Amanda Long, director general of Consumers International. “This is why most of the provisions in the GDPR have been added. It is making companies think holistically about the data it collects and the impact it can have on people’s privacy.”
Electronics industry organizations and forward-thinking companies already know this and are taking steps to ease compliance issues. The IEEE, for instance, has created a cross-organizational task force that is working to ensure consistency in how volunteers, members, and professional staff worldwide collect and use personal data.
On stage during their MWC “AI Everywhere: Ethics and Responsibility” presentation, Clara Neppel, IEEE senior director, European Business Operations, and Aurélie Pols, data governance and privacy engineer and IEEE P7002 Data Privacy Process Working Group participant, spoke about the importance of adopting bottom-up approaches to drive greater global privacy protection awareness.
“We are working with engineers to gain a bottom-up understanding of what the law requires,” said Pols, adding that IEEE is examining areas such as privacy impact assessments, determining which ethical values can be further designed into products, assessing liability and developing standards from working party discussions. “If we can work together with the engineers, we can develop something that will be beneficial for humanity.”