A few weeks ago, the much-discussed General Data Protection Regulation (GDPR for short) went into effect. It is a regulation (not a directive, so it applies directly in every member state) with far-reaching consequences for companies that process personal data of people in the EU or that are located within the EU. You have probably noticed it yourself from the sheer number of emails asking for permission to keep using your contact information.
AE helps its customers become and stay GDPR compliant and treat the regulation as leverage and an opportunity instead of as just another legal compliance project. In this post we cut through the fog around GDPR and answer some commonly asked questions. We also look at the impact of the GDPR on companies and their business processes.
GDPR is the new legislation on the privacy and protection of personal data of natural persons in the EU; it officially went into effect on May 25th, 2018. On one hand, GDPR gives natural persons a set of rights and protections, for instance the right to be forgotten and the requirement that any organization wishing to collect and use their personal data has a lawful basis for doing so, such as their consent (which must be freely given, specific, informed and unambiguous). On the other hand, the regulation also imposes obligations on data controllers, the companies that decide why and how your personal data is collected. These include notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and designating a data protection officer (DPO) for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive categories of data.
Remarkable in the GDPR is that, for the first time, data processors (companies that process your personal data on behalf of the controller) have direct obligations of their own: they must adhere to a set of contractual commitments with the controller and put in place the safeguards needed to protect your personal information and ensure it is used safely.
Much of the attention the GDPR has received has to do with the large fines that can be imposed on organizations that are not compliant. Previous privacy legislation offered little to incentivize organizations with, bar the negative publicity that accompanies a public data breach.
The regulation allows every national Data Protection Authority (for Belgium this is the CBPL) to impose fines of up to 4% of a company's annual worldwide turnover or 20 million euros, whichever is higher. Apart from that, the Data Protection Authority has the right to proactively perform inspections. In Belgium, the CBPL will take on more of an advisory role for now, but in the Anglo-Saxon countries we see a different trend: there, fines have become the norm.
With the introduction of the GDPR, end-users have not only gained additional rights but also an instrument to enforce them. Everyone can request the personal data a company holds on them, object to their data being used for specific purposes, and have their personal data corrected. Data subjects also have the right to be forgotten, that is, to have their data erased entirely, something which was not that easy to achieve in the past due to technical constraints.
All those rights are now enforceable. As a citizen, you can file a complaint with a data controller when you feel it has violated your rights. If that complaint is not handled and the dispute is not resolved, you can call in a data protection authority, or even go as far as filing a lawsuit against the other party and demanding compensation.
Today, the biggest impact on organizations is getting legacy applications compliant with the GDPR. One of the rights natural persons have is the right of access to their data. This pre-existing right was barely used, but with the attention data privacy, the GDPR and this right in particular have received in the past months, many companies are expected to face an increase in data access requests. To give identified or identifiable natural persons ("data subjects") access to their data in a compliant way, it is critical that companies can collect personal data from all their sources and hand it over in a readable and understandable format, together with the purposes for which it is processed.
This impacts all data processing activities in an organization. The regulation treats all types of companies, from the small-scale startup to the large multinational, equally; it is expected, however, that larger companies will be targeted more than smaller entities. That's why our customer, one of the larger institutions in the financial services sector, was very thorough in its preparations to make sure all applicable processes, procedures and applications were in line with the regulation.
The key challenge is a familiar one for companies dealing with data: people don't know where which data is located or how it is managed. Once they have tackled that, it soon becomes obvious that their data is not consistent across systems. Companies are also often confronted with legacy applications, some over thirty years old, for which no knowledge or documentation is available. Those must be made compliant as well, another GDPR challenge added to the list.
Organizations must not only bring together but really integrate the various technologies in their application landscape. This does not mean "create one giant database"; companies can continue their current data strategy. It should be possible, however, to communicate transparently where personal data is located, and how and for which purposes it is being processed. There are many technical solutions and designs that let you bring data from various sources together.
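The two passages above (answering access requests from all sources in a readable format, and knowing where personal data lives and why it is processed) share one building block: a data map that records, per system, which personal data is held, for what purpose and under which lawful basis, and that the request handlers drive. The following Python is an added example, not AE's or the client's code. The three systems (crm, billing, marketing), the subject id, the records and the seven-year retention rule on billing data are constructed sample data kept in memory so the script runs offline; in a real deployment each data-map entry would point at an actual datastore.

```python
"""Data-map-driven handling of data-subject requests across several systems.

Added example, not code from the original page. The systems, records and
retention rules below are constructed sample data held in memory.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample stores: each maps a subject id to that system's record.
crm = {"s-1001": {"name": "Jan Peeters", "email": "jan@example.org", "segment": "gold"}}
billing = {"s-1001": {"iban_last4": "1234", "invoices": ["INV-2017-0042"]}}
marketing = {"s-1001": {"newsletter": True, "last_campaign": "spring-2018"}}


@dataclass
class DataMapEntry:
    """One row of the data map: where personal data lives and why it is held."""
    system: str
    store: dict
    purpose: str
    lawful_basis: str                      # e.g. contract, legal obligation, consent
    retention_years: Optional[int] = None  # None: no statutory minimum
    erasable: bool = True                  # False: a legal retention duty blocks erasure


# Assumed data map for the sample organization (hypothetical rows).
DATA_MAP = [
    DataMapEntry("crm", crm, "customer relationship management", "contract"),
    DataMapEntry("billing", billing, "invoicing and tax accounting",
                 "legal obligation", retention_years=7, erasable=False),
    DataMapEntry("marketing", marketing, "newsletter", "consent"),
]


def access_report(subject_id: str, data_map=DATA_MAP) -> dict:
    """Right of access: gather everything held on the subject, with purpose and basis.

    The result is plain dict/JSON, i.e. a structured, machine-readable export,
    and lists only systems that actually hold a record for this subject.
    """
    report = {"subject_id": subject_id, "systems": []}
    for entry in data_map:
        record = entry.store.get(subject_id)
        if record is None:
            continue
        report["systems"].append({
            "system": entry.system,
            "purpose": entry.purpose,
            "lawful_basis": entry.lawful_basis,
            "retention_years": entry.retention_years,
            "data": record,
        })
    return report


def rectify(subject_id: str, field_name: str, new_value, data_map=DATA_MAP) -> list:
    """Right to rectification: apply the correction in every system holding the field."""
    updated = []
    for entry in data_map:
        record = entry.store.get(subject_id)
        if record is not None and field_name in record:
            record[field_name] = new_value
            updated.append(entry.system)
    return updated


def erase_subject(subject_id: str, data_map=DATA_MAP) -> dict:
    """Right to erasure: delete where allowed, and record where retention prevents it.

    Erasure is not absolute; data kept under a legal obligation stays, and the
    response tells the subject which system retained it and why.
    """
    outcome = {"erased": [], "retained": {}}
    for entry in data_map:
        if subject_id not in entry.store:
            continue
        if entry.erasable:
            del entry.store[subject_id]
            outcome["erased"].append(entry.system)
        else:
            outcome["retained"][entry.system] = (
                f"{entry.lawful_basis}: retained for {entry.retention_years} years")
    return outcome


if __name__ == "__main__":
    print(json.dumps(access_report("s-1001"), indent=2))
    print("rectified in:", rectify("s-1001", "email", "jan.peeters@example.org"))
    print("erasure:", erase_subject("s-1001"))
    print(json.dumps(access_report("s-1001"), indent=2))
```

The point of routing every request through the data map rather than hand-written queries is that the same inventory answers "where is this person's data and why do we hold it" for the regulator, produces the access export for the subject, and decides what an erasure request may and may not delete. When a new system is added to the landscape, adding its row to the map is what keeps all three answers complete.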
AE helps customers build the service-oriented applications that enable companies to efficiently manage and operationalize their data while staying compliant with existing and new regulations.
At various clients, the GDPR has helped build appreciation for better data management and secured C-level support and the necessary budget for its effective realization.
One example is a client of ours in the financial services sector. They used the GDPR not only as an incentive to get their Big Data platform compliant but also to consolidate their collection of data warehouses into one Data Lake. That project was used as a stepping stone to create individual views on the platform. As such, they have made a clear choice for one architecture and one technology for Big Data and the information inferred from it.
These past months we have helped several of our customers with their GDPR compliance projects. We don't just give advice but work closely with our customers to effectively implement their rights and responsibilities under this regulation.
Multidisciplinary AE teams designed the blueprint of a GDPR-compliant organization and assisted in its concrete implementation. That way, our customers can be confident that they have a solid, GDPR-compliant architecture.
More information can be found on:
https://www.ae.be/en/sector/financial-services/challenges/data-and-privacy