GDPR (General Data Protection Regulation) will hit you like a ton of bricks

That’s a pretty neat clock, isn’t it? Scary? You bet! The GDPR clock has been ticking for a long time now and time will run out soon.

Over the past two years, a lot has been written and said about the reform of EU data protection rules, namely the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). The EU GDPR, coming into full force on May 25, 2018, is designed to radically harmonize data privacy laws across Europe, enhance data protection of all EU residents and provide more systematized and consolidated data privacy framework to guide how personal data is used by businesses, organizations and governments across the Europe and around the globe for that matter. ¹⁾As stated in the the official gazette of the EU in regards to the applicability GDPR, “The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular, their right to the protection of personal data.” – i.e. GDPR protects the personal data of any individual who is physically residing in the EU, even if they are not EU citizens. The complete documentation of Regulation (EU) 2016/679 is publicly available ²⁾For timeline, see “New European Data Protection Legislation (GDPR) Timeline“, and although some say it’s easy to read, it still contains 99 Articles assembled around eleven chapters, and in addition, there are almost two hundred recitals, not to mention Article 29 Working Party with a bunch of opinions and recommendations. ³⁾For a straightforward and clear explanation of the GDPR, see Brian Tretick‘s article on the matter.

There has been considerable discussion about every aspect of the GDPR, and particular attention has been paid to lawyers and privacy experts alike on four distinct topics flowing from the new data protection rules, particularly that there are ⁴⁾For more throughout examination of the main differences between the DPD and the GDPR, see White & Case (2016). “Unlocking the EU General Data Protection Regulation: A practical handbook on the EU’s new data protection law“; Bird & Bird (2017). “Bird & Bird Guide to the General Data Protection Regulation“.

1. New, enlarged and enhanced individual rights (e.g. the right to be forgotten)
2. Extended territorial reach and organizational scope (e.g. sensitive personal information, application of data regulation to non-EU-based organizations) ⁵⁾As cleverly noted by Billy Lyle, “there’s no get-out clause for honest mistakes”, and furthermore, there is no country in the world where the GDPR doesn’t at least potentially apply, e.g. Brexit doesn’t actually change anything.
3. Significantly stiffer enforcement, accountability, and compliance (e.g. a breach notification has to be issued no less than in 72 hours, sanctions and fines are harsh)
4. Partial harmonization of data legislation and governance across the EU ⁶⁾Granting that the GDPR is a significant change in many ways, Peter Hustinx, the former EDPS, argues “that – in spite of all innovation – there is also a lot of continuity. All the familiar basic concepts and principles will continue to exist, subject to some clarification and smaller changes in details.”

As Dan Shearer explains,

The EU General Data Protection Regulation is a new privacy regime that has changed the terms of the debate and will increasingly influence the choice of new technological options for personal and commercial activities in Europe and beyond. ⁷⁾Shearer, D. (2017) “GDPR Part 1: Privacy Law Becomes Interesting“. OpenOcean.

It took over four years for the different stakeholders to agree on the proposal and thousands of modifications to finalize the content of the regulation. In January 2012, European Commission published the legislative proposal, and it was stated in the official documentation released by the European Commission that the new legal framework would consist of two mutually interlinked legislative proposals, namely GDPR (the EU General Data Protection Regulation) and LEDP (the Law Enforcement Data Protection Directive). ⁸⁾A&L Goodbody (2016). “EU GDPR is finally agreed.” From the beginning, it was stated that “the Commission concluded that the EU needs a more comprehensive and coherent policy on the fundamental right to personal data protection” ⁹⁾European Commission (2012). “Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).” 2012/0011 (COD). Furthermore, on June 2015, the Council of the European Union published a compound document (9565/15) stating that the aim of the GDPR is “to enhance data protection rights of individuals and to improve business opportunities by facilitating the free flow of personal data in the digital single market” and on December 2015 a similar public document (15321/15) was issued that restated the aim of the GDPR “to reinforce data protection rights of individuals, facilitate the free flow of personal data in the single digital market and reduce administrative burden”.

As multiple experts have pointed out, there are potential conflicts around these aims. Dan Shearer highlights that “enhancing citizens’ rights has not normally been about improving business opportunities around the free flow of data”, and therefore it’s becoming ever more important to recognize that “none of the grim possibilities are likely to be true if you have an eye to future data processing techniques rather than traditional ones”. ¹⁰⁾Shearer, D. (2017) “GDPR Part 1: Privacy Law Becomes Interesting“. OpenOcean, 21.2.2017.

GDPR is probably one of the most complex regulatory frameworks I have personally come across, and its effects are far-reaching as it fundamentally extends data privacy requirements beyond the EU Data Protection Directive 95/46/EC it replaces. Basically, if a business operates in any digital domain and individuals, whether clients or employees are involved, GDPR will apply to some extent. Although GDPR is far from perfect “regulatory product,” many experts have argued that data privacy reform was necessary and it could furthermore help businesses and organizations to develop their data privacy capabilities by bringing it more closely aligned with the organizational culture. ¹¹⁾Perko, J. (2017). “GDPR KÄYTÄNNÖSSÄ: Esimerkkejä ja vinkkejä käytännön työhön“. Presentation held at SAS Institute’s seminar in Helsinki, 28 Mar 2017

In the world where the importance of trust is perceived as the cornerstone of digital economy, the number of data breaches is ever-increasing, the relevance of cloud computing and data centers is growing, a new malware specimen is created every 4.2 seconds (and almost 400 000 new malicious programs is registered every single day), major organizations deal with an average of 20 data loss incidents every day, the global average cost of a data breach is $3.62M, and the average cost for each lost or stolen record containing sensitive and confidential information is $141M, the average size of the data breaches is more than 24 000 records, the cost of breaches is not entirely understood, and almost 90% of breaches had a financial or espionage motive it’s easy to understand the aims and goals of the new EU data protection rules. ¹²⁾Risk.net (2017). “Top 10 operational risks for 2017“. 23.1.2017  The growing number of cyber security threats and risks has recently prompted governments and regulators worldwide to come up with appropriate responses to meet the challenges of the global data security epidemic. ¹³⁾See, for example, NISD & GDPR (EU) Cybersecurity Information Sharing Act (US), Personal Information Protection & Electronic Documents Act (CA), Cybersecurity Basic Act, Amended Personal Information Protection Act & Act on Protection of Specially Designated Secrets (JP), Act on Promotion of Information and Communication Network Utilization and Information Protection & Law on the Protection and Use of Location Information (KR), The Cybersecurity Law (CH), Australian Privacy Principles (AU)

The main focus of the public discussion around GDPR has been on its sheer extensivity, perceived complexity and the jungle of exceptions it contains. The new data protection framework sets down some minimum requirements, specifications, and obligations for any organization doing any kind of business in the EU or that collects or processes personal data of EU citizens, residents or visitors. GDPR has numerous implications for everyday operations of EU-tied natural or legal entities that are deemed as data controllers and/or data processors. ¹⁴⁾See Article 4 for definitions of “personal data”, “controller” and “processor”. Unfortunately, there are also a lot of rumors and misunderstanding going around about the GDPR in general.

My personal view is that effective data protection governance, risk management, and compliance simply equals good business. Information privacy laws and protection of personal data, whether you think that they might interfere with legitimate business or there is a need for even tougher legislation, has always been a double-edged sword. For one thing, there is a need to protect the fundamental rights and freedoms of individuals, and secondly, laws should facilitate the free flow of personal data and information within appropriate limits. ¹⁵⁾On the origins of data protection and data protection laws, see Hustinx, P. (2014). “EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation As Peter Hustinx states, “Privacy and data protection – more precisely: the right to respect for private life and the right to the protection of someone’s personal data – are both fairly recent expressions of a universal idea with quite strong ethical dimensions: the dignity, autonomy and unique value of every human being.” ¹⁶⁾Hustinx, P. (2014). “EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation, p. 2; see Hijmans, H. (2016). The European Union as Guardian of Internet Privacy: The Story of Art 16 TFEU. Switzerland: Springer, pp. 56-57. As stated in recitals 2 and 3,

(2) […] This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.

(3) Directive 95/46/EC of the European Parliament and of the Council seeks to harmonise the protection offundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States. ¹⁷⁾Directive 95/46/EC, also known as the Data Protection Directive, is superseded by the GDPR

According to Hustinx, data protection “was not designed to prevent the processing of such information or to limit the use of information technology per se”. ¹⁸⁾Hustinx, P. (2014). “EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation, p. 1; see Hijmans, H. (2016). The European Union as Guardian of Internet Privacy: The Story of Art 16 TFEU. Switzerland: Springer, pp. 56-57. As the GDPR will be implemented 25 May 2018, there really isn’t too much time to cope with all the challenges the new regulatory framework poses; there has already been some news that consumer products companies are struggling with data privacy and security issues, European banks have been reported to be concerned over being able to meet the deadline, and on average, companies are complying with less than 40% of GDPR principles. As Adrian Bridgwater writes in his intimidatingly titled article, “Worldwide Climate Of Fear Over GDPR Data Compliance Claims Veritas Study,” there are serious challenges in becoming compliant and accountable with GDPR. ¹⁹⁾For more throughout assessment, see Varonis’ recent survey of IT 500 decision makers across different sectors and companies with over 1000 employees in Europe and the US

Banks also seem to have most to lose.
– Martin Arnold, Financial Times, Banks concerned over being able to meet EU data protection deadline (30.5.2017)

Without the slightest doubt, not every retailer, financial services company or professional services firm will be compliant by the 2018 deadline. However, all too often data security and protection has been regarded as far too expensive and burdensome for even large corporations to introduce and maintain. As Tim Clements has explained over and over again, GDPR is not just another IT project. It’s relatively easy to outline, describe and categorize all your personal data, assign responsibilities and establish minimal processes for data governance but it’s another thing to deal both with numerous internal and external challenges simultaneously without appropriate data privacy culture. As Trupti Harding-Shah of My Inhouse Lawyer argues,

At board level, it’s also about moving away from a mindset of compliance to thinking about how individuals would want their data to be handled and being transparent and accountable to them. It’s about employing appropriate data security measures to mitigate the risks we create for others in exchange for using their data. And it’s about creating a culture of data trust that pervades our organisations.

We have had the final formulation of GDPR available since April 2016. It’s clear that the forerunners are already implementing GDPR-related work, but some organizations are probably still working with gap analysis and just barely laying down a reasonable roadmap for implementation. It’s sensible to assume that some organizations are still struggling with the basic legal assessments and data discovery. There are numerous issues around the requirements of GDPR that can cause considerable headaches ranging from governance structures and accountability ²⁰⁾For more information, see “Demonstrating compliance with the GDPR“, “Accountability Obligations under the GDPR“, “Data governance obligations“, “7 Key GDPR Requirements & the Role of Data Governance“, data deletion, and consent management to Data Protection Protection Impact Assessment (DPIA) and data transfers to (non-EU-based) 3rd parties. When I first read about the GDPR, I was shocked, to say the least; for example, the privacy by design (and by default) philosophy, data breach notifications and appointing a Data Protection Officer (DPO) are not superficially difficult to understand, but they form a multidimensional jigsaw puzzle so it might be hard to comprehend where to actually start from.

Basically, there are two ways to approach GDPR:

1. With an attitude of opportunity and growth.
2. With an attitude of threat and scarcity.

Opportunity and threat have one thing in common regarding strategic competitiveness: when you have a particular mindset, you will always interpret things as you “need” to. GDPR, whether you like it or not, has been mainly deemed as just another pile of regulatory compliance, and therefore it seems that everyone “needs” to bring up the most apocalyptic visions (although there are real opportunities too). Basically, GDPR lays down why things are done and what is to be done, but there isn’t anything in the specific legislation concerning how things are to be done, e.g. tools, processes, models, procedures, retention times, etc. ²¹⁾See a presentation on the GDPR by Tommi Järvinen. Accenture’s security consultant Niklas Nykter has presented one possible 3-step approach to GDPR.

As Deloitte’s recent point of view subtly argues, GDPR poses both growth opportunities and regulatory pressures. So not only is accountability and compliance with GDPR of paramount importance but there could actually be business reasons to leverage on the momentum as almost everyone is concerned about their data security and privacy, and as PwC’s report points out, companies, by demonstrating proactiveness in the area of (data) security, are expected to gain competitive advantage over the less active players in the market. Also, it should be recognized that investments in GDPR compliance can help companies locate blue oceans and create new business models. Nick Symms from Imperva argues that it’s important to understand the return on security investment (ROSI) for all the GDPR-related data security investments, and to incorporate these kinds of calculations into GDPR business cases as it “can be useful in helping demonstrate the potential loss your organization may be able to avoid by investing in data security solutions for GDPR”. ²²⁾However, these calculations don’t take into account possible third party, brand, reputation, and image risks associated with non-compliance. See more specifically, Kenny, S. (2015) “The Business Impacts of the General Data Protection Regulation: Part Two.” GDPR Associates, 24.3.2015. On the link between compliance and competitive advantage, see Bird, R. C. & Park, S. (2017). “Turning Corporate Compliance Into Competitive Advantage“. University of Pennsylvania Journal of Business Law 19(2), pp. 285-339

The good news is that getting good at handling personal data now will help businesses leverage these capabilities in the future to drive growth. But they need to get it right, which means they need to make some upfront investments in improving how they collect and store personal data, as well as how they protect that data.
– Laura Noukka, Risk Management Consultant, F-Secure (The Key GDPR Question: Do you Want to be Data Driven or Not?, 26.5.2017)

Is GDPR a showstopper or a trendsetter?

It’s comfortable to assume that GDPR is just yet another IT project with a couple of legal and compliance pieces here and there ²³⁾There are multiple approaches towards the end-to-end delivery, see Collibra’s take on the issue, but the primary focus on the whole regulatory framework is the essence of personal data (and unique identifiers) and the rights of data subjects. ²⁴⁾For a more comprehensive explanation of data protection principles incorporated in the GDPR, see A&L Goodbody (2006). “THE GDPR: A Guide for Businesses“; 24 Solutions (2017). “Guide GDPR, version 1.0“.. As Phil Lee argues in a blog post at Fieldfisher’s Privacy and Information Law Blog, “the changes to the concept of personal data under the GDPR will simply be an affirmation of what they already know: that Europe applies a very protective approach when triggering personal data requirements.” ²⁵⁾Kenny, S. (2015). “The Business Impacts of the General Data Protection Regulation: Part One.” The Privacy Advisor, 24.2.2015

Accenture’s Inge Abraham has highlighted five potential advantages of complying with the GDPR. We all agree with Abraham that efficient and effective data management is valuable and beneficial, but it requires much more than just new tools. ²⁶⁾The need to set up new roles and processes, create personal data inventories and draw internal and external data flow maps are necessary steps forward. ²⁷⁾On the importance of architecture, see Lankhorst, M. (2017). “8 Steps Enterprise Architects Can Take to Deal with GDPR“. BiZZdesign Blog, 31.1.2017 Abraham furthermore asserts that the right to rectification “is essentially fantastic”, “the fact that organizations are forced to get rid of redundant data, which, in the long run, makes for far more efficient data operations and leaves significantly less room for ‘noise'”, and “if you really want to keep certain data – there’s always a way: by anonymizing the data”. Abraham, besides, notes that emphasizing the importance of data privacy and security “can be a powerful marketing strategy.” ²⁸⁾Monetizing data is still possible under the GDPR regime, see a report by PwC  It’s important to note that Abraham’s point of view is not raised too often, and sometimes it seems hard to convince people seeing solutions instead of all the problems. Personally, I think that good data management, something that GDPR actively encourages and emphasizes, might actually lead to a thicker bottom line. ²⁹⁾White, A. (2013). “What is the (business) value of data, anyway?“. Gartner Blog Network, 6.3.2013; Kenny, S. (2015). “The Business Impacts of the General Data Protection Regulation: Part Three“. The Privacy Advisor, 28.4.2015 Creating reasonable benefits beyond just GDPR compliance, a risk-based approach needs to be adopted. ³⁰⁾Stuart (2016). “Turning data protection and privacy to a competitive advantage“ trust-hub, 5.4.2016; Gray, J. L. (2016). “Gaining competitive advantage from the GDPR“. Gemalto Blog, 21.6.2016; Isaac, K. (2017). “How to turn GDPR into a competitive advantage with ‘privacy by design’“. City A.M., 10.4.2017; Baringa Partners (2017) “GDPR – Trust and Competitive Advantage” [Youtube video]. 12.7.2017

It needs to be emphasized that the Data Protection Directive was adopted over twenty years ago, and things have changed a lot since then. Every single year we have witnessed numerous new technological developments, and therefore there have been numerous new governmental and intergovernmental actions taking place as a reaction to technological shifts and changes. We have observed interesting new trends in social networking, advanced analytics and forecasting, cloud computing ³¹⁾See, CloudLock & DLA Piper (2016). “Gearing up for GDPR in the Cloud“. CloudLock, 5.5.2016; Leichter, W. (2017). “GDPR and the Cloud: 6 Key Points You Need to Know“. CipherCloud, 23.5.2017 and so on. As for today, numerous companies across the globe are in the business of acquiring, analyzing, processing and disseminating quantitative and qualitative data of individual persons. Multiple businesses and other organizations around the world rely, for example, on predictive analytics across multiple fronts. Whether you agree with it or not, profiling and automated decision-making are a big and important part of our current world, and as the amount of data increases exponentially and advanced methods and technologies to utilize (big) data develop, there are potentially ever-increasing threats of unlawful and harmful processing taking place. ³²⁾Baker & McKenzie (2016). “EU General Data Protection Regulation in 13 Game Changers“.

As I am not a lawyer or data protection expert, it’s hard for me to compare GDPR with the over 20-year-old Directive on the protection of individuals about the processing of personal data and on the free movement of such data (Directive 95/46/EC). As Erkko Korhonen and Anssi Suominen from Hannes Snellman, a Nordic corporate law firm, state “the GDPR will establish one set of rules across the EU as the GDPR will replace the national laws that implemented the previous Directive.” On the other hand, as Korhonen and Suominen highlight, the GDPR does not entirely remove the differences between the Member States as the GDPR does not exclude Member State law that ‘defines the circumstances of specific processing situations, including determining more precisely the conditions under which processing of personal data is lawful.'” So, amended versions of national data privacy laws can still exist, and the GDPR still leaves some space for the EU member states to maneuver around the new regulatory data privacy framework.

There are several distinct differences (and similarities) between the present Data Protection Directive and the new General Data Protection Regulation. The major hurdle is, however, the transition from the current data protection regime to a new way of thinking of creating a data privacy and security culture, and also, multiple observers have written on an apparent dramatic shift in the enforcement mechanisms and penalties regime to ensure compliance. ³³⁾Gordon, S. (2017). “Companies need to embrace data laws regardless of burden“. Financial Times, 14.6.2017; Thompson, S. (2017). “How to gear up for GDPR and create a data privacy culture“. Personnel Today, 21.6.2017. Although accountability (Article 5(2)), right to (limited) data portability (Article 20), right to be forgotten (Article 17), and privacy by design and privacy by default (Article 25) are all new compelling demands, they have been discussed for a long time. ³⁴⁾Cleary Gottlieb (2016). “The General Data Protection Regulation: Key Changes and Implications“. Alert Memorandum, 13.5.2016 Nonetheless, there are numerous big challenges related to the GDPR. ³⁵⁾Capgemini & Sogeti(2017). “GDPR Readiness: The journey to GDPR compliance and beyond“.

Conclusions

My most important message is that every company should already be doing things related to the GDPR regime, and choose the right approach, whether it is the goal of minimum GDPR compliance and accountability or maybe finding new opportunities for further value creation during the GDPR journey. If an organization perceives GDPR-related investments as real options for further growth, development and shifting towards further customer-orientation, the whole journey can actually help the entire organization. Data protection and privacy are just two pieces of more complex IT security culture, and rather than just a bunch of expense items and a lot of nitty-gritty work with processes, GDPR must be approached more holistically, with the ambiguous goal of transforming the whole data-mindset altogether. It’s crucial to understand that “GDPR-readiness” doesn’t mean demonstratable compliance, i.e. accountability.

This is a huge challenge so we need to be rational optimists about everything that we might come across when working with the GDPR, and as I have learned the hard way, execution is everything. As a consultant, I have worked extensively with numerous regulatory issues, and GDPR is no different; yes, it’s hard and complicated, but it’s not impossible. Nobody knows everything, but that’s one reason to build up expertise in-house and outsource less valuable things for those who at least supposedly know better. What I personally “love” about the GDPR is that you really need to break silos and let people know that these are the requirements written in the stone; so, what about bringing up some ideas to the table to mitigate and fix these things? It’s so much stuff that there is no one who could solve everything at once, and that is the reason why you need as much help as possible, and please, don’t forget your most important people, employees, and customers.

Unlocking new value from the data privacy and protection, thanks to better data management and utilizing customer data more diligently, is one possible direction, and in addition, I personally firmly believe that at least some companies can actually noticeably differentiate themselves as both leveraging the existing data as well as continuously improving their data-driven and data governance-based IT culture. Just make sure that you’ll dodge the ton of GDPR bricks, and find out ways to confirm that you are actually aiming at building something precious.

In my next posts, I will delve more deeply into a couple of important GDPR-related topics: (1) digital trust, (2) enforcement mechanisms and penalties, (3) accountability and transparency, and (4) certain operational issues with a particular focus on banks and other financial services companies. ³⁷⁾Gordon, S. (2017). “Businesses failing to prepare for EU rules on data protection“. Financial Times, 18.6.2017

—

Photo credit: Tasja / Wikipedia (CC0)