April 30, 2018 | Written by: Laura Polak
The countdown clock to GDPR – the General Data Protection Regulation of the European Union (EU) – is being closely followed by business leaders in Europe and around the world as it moves towards its May 25, 2018 deadline. While this harmonized data protection law was designed to give EU citizens more control over their personal data, there is no doubt that GDPR is having a more widespread effect because many corporations are global in nature. If obliged to meet a regulation for some affiliates in the EU, many companies will be poised to adopt it globally if needed, and may do so anyway for the sake of stakeholder trust and good governance.
In a recent IBM Algo FIRST newsletter, we looked at the ramifications for financial services firms of non-compliance with GDPR. With reference to the example of the recent Equifax privacy breach, the Algo FIRST research team delineated key implications of GDPR for businesses in Europe and around the world. GDPR features stricter rules – on consent to hold and use personal data, and the individual “right to be forgotten” – including:
- The concept of ‘privacy by design’ for new products, where the premise of privacy is a feature of the development of a product, rather than something that is added as an afterthought
- A new requirement to document evidence of compliance with the GDPR
- The reporting of significant data breaches to the regulator within 72 hours
- Maximum fines for non-compliance with the GDPR increasing to 4% of annual turnover, or €20 million, whichever is greater.
Rethinking business and product development in this new light (i.e. ‘privacy by design’) clearly opens a perspective on how our data can and should be used. For example, in the case of Equifax, much of the information was passed to the company to create individual credit rating histories. Unfortunately, over the years a person’s Social Insurance number has become the de facto key to much of this information, especially in situations where credit is extended. This means that if a security breach occurs, the data at risk is of a type that could expose the data owner to account takeovers and identity theft. When we consider recent significant data privacy breaches – for example, at Equifax, Home Depot and Target – we can see that the impact of GDPR on business will be transformative.
Privacy regulations are increasingly reshaping business today. Would it surprise you – as a consumer – to know that in many cases when you submit information through online forms, there are ‘small print’ terms embedded on the site which are designed to protect not the consumer but the organization from legal action? Enter a variety of regulators, like the Consumer Financial Protection Bureau (CFPB), who contend that consumers often do not understand what they are opting into and, moreover, that consumers have a right to understand exactly what they are agreeing to. Today, these regulators are moving to put in place a variety of safeguards for consumers in this regard.
For corporations seeking to manage their GDPR ‘readiness’ in this rapidly changing regulatory environment, most are looking to track their processes and systems in order to limit, or at least better understand, the kinds of private data that they retain. Solutions such as IBM OpenPages offer a capability to configure and send questionnaires to business line stakeholders, enabling an institution to assemble an inventory of the systems that are required to keep this type of critical data. Regular assessments then track how well the institution is performing against these processes.
It remains to be seen whether some of the legislation (like that proposed by the CFPB) will be passed in the USA and have the same impact as GDPR has for the EU, but regardless, those companies choosing to do business in the EU or hold private data for EU citizens will need to ensure that they are prepared to address the issue of ‘privacy by design’.
Learn how Algo FIRST’s daily updates can provide your business with the insights it needs to be prepared for external risk events.