If you work with compliance in your organization, you’ve probably spent the best part of the past two years preparing for and spreading the message about a delightful gift presented to the international business community by the European Union. This gift, commonly known as the General Data Protection Regulation (GDPR), is intended to strengthen and unify data protection for all individuals within the EU. With the implementation date of May 25th fast approaching, we are nearing the end of the two-year transition period for putting it into practice.
In its quest to improve data privacy for EU citizens, GDPR contains both clear and vague requirements.
A lot has been written about GDPR across a plethora of forums, and repeating here in detail the same text that you’ve read many times over in slightly different variations brings little value. However, just in case you need a reminder, here’s a summary of the top three points you need to know about GDPR:
- GDPR is all about protecting personal data and giving individuals (data subjects) control over how companies (data controllers) use and process their data.
- Breaking the rules set out by the GDPR can get you in big trouble (big, as in getting a fine of up to €20 million or 4% of your global annual turnover, whichever is higher).
- All companies that do business in the EU and process personal data on EU citizens are affected (so you’re not exempt even if you don’t have physical presence in Europe).
While there are clear principles and explicit requirements listed in the regulation text (e.g. individuals’ rights, the principle of data minimization, etc.), it’s good to bear in mind that, in some instances, GDPR is intentionally vague and broad in its wording. This, unfortunately, means that some of the finer lines on how certain elements of the regulation should be interpreted will become clear only after a few organizations have been taken to court over their practices and judges have made their rulings.
The potential legal threat has naturally made large enterprises a bit more diligent in their preparations. However, on the other end of the spectrum, there has been some concern over the GDPR readiness of smaller organizations. Considering the high stakes and persisting ambiguity, one can’t help but wonder how things will unfold in the coming months.
Legal challenges – both ongoing and those likely to emerge – will shape the future of data privacy.
The potential legal challenges against corporate practices that may take place after May 25th lead us to think about a few interesting developments that have transpired recently. If you recognize the name Cambridge Analytica, you are probably aware of the data privacy scandal that sent Facebook’s stock price tumbling, costing its shareholders tens of billions of dollars. While the damage was mitigated by the hearings in U.S. Congress, the scandal is far from over, and we are yet to see if and how GDPR will impact it.
In a story published on April 12th that analyzes the GDPR threat to Facebook, the Washington Post also raised a potential issue with Privacy Shield, the main mechanism through which GDPR allows the transfer of personal data to the U.S. This could have broad implications for any company whose business involves moving personal data between the U.S. and the EU. In a ruling on a case raised against Facebook in Ireland, the Irish High Court found that the company’s practices regarding data processing potentially violate the rights of European citizens, and referred a set of questions to the European Court of Justice (ECJ). A ruling on the matter is still pending.
If the ECJ ruling results in the fall of Privacy Shield (which is exactly what happened to its predecessor, the “Safe Harbor Agreement”), it could spell massive trouble for many companies.
Essential actions (that you have hopefully already taken) include risk analysis and implementing necessary contractual and technological safeguards.
Moving on from things to come, let’s step back and explore what you have already done. To be as ready as you can be for May 25th, you have (hopefully):
- Identified your internal processes that involve personal data processing and, thereby, developed and implemented appropriate internal processes to comply with the new regulations.
- Identified what personal data external partners process on your behalf, and determined whether that information falls under the special categories (e.g. racial or ethnic origin, political opinions, religious beliefs, or genetic or biometric data, as listed in Article 9 of the GDPR), so you know whether you are mandated to take any extra precautions.
- Conducted an analysis to assess any risks involved in relation to processing personal data, including a review of all amendments and new agreements provided by your service providers and/or third parties that process personal data on your behalf (if you haven’t received any such communication from your providers, it would be advisable to check with them).
- Made informed decisions on whether you need to implement additional security measures to meet the requirements, including careful consideration of how you should apply the technique called pseudonymization to protect the personal data you process.
While not a “get out of jail free card,” data pseudonymization is an important security measure worth considering.
Pseudonymizing data means separating it from all direct identifiers, so that the link to a real identity cannot be established without additional information that is separated from the pseudonymized data. Therefore, the process of pseudonymization can significantly reduce the risks associated with processing personal data while still maintaining its usability.
While the interpretation is that pseudonymized data is not exempt from the regulation, the GDPR relaxes several requirements on controllers that use this added security measure. This may support processing personal data beyond the original collection purposes, and helps comply with Article 32 of the GDPR, which requires controllers to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”
From a technical point of view, the most efficient way to pseudonymize data is to use a technology called tokenization. Simply put, tokenization means replacing any data value with a “token” that looks like the original data but does not have any mathematical relation to it (unlike encryption). Tokenization has a history and reputation as one of the most secure ways to protect data, and is used broadly by payment and other specialized service providers to protect payment card information in compliance with the Payment Card Industry (PCI) standards.
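As an added illustration (not code from the original post or from Liaison), a minimal vault-based tokenizer in Python: each token keeps the format of the original value but is drawn at random, so it has no mathematical relation to it, and the value-to-token mapping held by the vault is the separately kept “additional information” that pseudonymization requires. The `TokenVault` and `pseudonymize` names and the in-memory storage are assumptions for this example.

```python
import secrets
import string

class TokenVault:
    # Holds the value<->token mapping, kept separately from the pseudonymised
    # data. In-memory dict here; a real vault is a separate, access-controlled store.
    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def _random_like(self, value):
        # Keep the shape (digits stay digits, letters keep case, separators
        # untouched) so downstream validation passes, but draw every replaced
        # character from a CSPRNG: no mathematical relation to the original.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                out.append(secrets.choice(pool))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value):
        # Same value -> same token, so joins and counts on pseudonymised
        # records still work without exposing the identity.
        if value in self._to_token:
            return self._to_token[value]
        if not any(ch.isalnum() for ch in value):
            raise ValueError("nothing in the value can be replaced")
        for _ in range(1000):  # bounded retry against collisions
            token = self._random_like(value)
            if token != value and token not in self._to_value:
                self._to_token[value] = token
                self._to_value[token] = value
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenize(self, token):
        # Only the party holding the vault can re-identify a token.
        return self._to_value[token]


def pseudonymize(records, vault, identifier_fields):
    # Copy each record, replacing the named direct identifiers with tokens.
    return [{k: vault.tokenize(v) if k in identifier_fields else v
             for k, v in rec.items()} for rec in records]
```

Records that leave the vault’s boundary carry only tokens and non-identifying attributes; anyone holding them without access to the vault cannot link a token back to a person.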
Whatever your journey towards GDPR compliance has been, and however much ambiguity and work still remains, it’s very likely that all the hassle and preparations over the past two years have left any company that has gone through them better-off regarding not just GDPR, but also their broader data privacy and data protection practices.
Liaison Technologies takes a comprehensive and proactive approach to compliance, addressing a broad scope of compliance frameworks covering Liaison’s technology, people and processes. In addition to providing integration and data management services that are GDPR compliant, Liaison’s solution portfolio includes tokenization as a service (TaaS) which can be leveraged to pseudonymize and protect sensitive data to provide that extra layer of security.