June 12, 2017 | Written by: Steve Sedowski
Categorized: Industry insights
As the Trump Presidential Administration brings about real regulatory reform – for every one new regulation issued, at least two existing regulations must be targeted for elimination – European Union politicians are readying themselves, and companies worldwide, for what looks to be the immensely impactful General Data Protection Regulation, a.k.a. GDPR.
This looming order from EU government administrators is one of whopping size and, if infringements occur, whopping ramifications. Overall, however, this regulation has the regular person in mind and thus seems to offer substantial privacy protection benefits for EU residents, though some companies may find compliance onerous, especially if certain steps are not implemented before the May 2018 deadline.
Now, here’s the important question: should your travel or transportation company be concerned about this approaching regulation? The short answer is, if your company processes the personal data of people living in the European Union, then yes, awareness of this regulation should be raised within your company. It doesn’t matter if your company is an airline that sells tickets to EU residents or a shipping company that overnights an envelope for an EU customer. Any company that processes or handles EU resident personal data in some manner will probably be affected by the GDPR.
The Compliance Clock is Ticking…
If your organization has yet to develop a solid understanding of this EU regulation, your company had best start learning more about this matter now rather than later. Why? For the simple fact that enforcement of the GDPR is set to begin on May 25, 2018. And the precise countdown timer on the official GDPR website is more than a hint that this action will be invoked on schedule.
What is a Data Subject?
Some crucial GDPR facts follow, but first let’s pin down a few terms, since legislative materials are permeated with esoteric vocabulary. Getting clear on them now will help if you have to abide by this regulation in the near future.
Data Subject – a natural person whose personal data is processed by a controller or processor
Data Processor – the entity that processes data on behalf of the Data Controller
Data Controller – the entity that determines the purposes, conditions and means of the processing of personal data
If the above definitions are as clear as optical grade glass to you, then you are exceptionally keen, since the fog surrounding an unequivocal definition of “personal data” and “processed” is a bit thick, at least to me. However, now that we have at least a rough and loose understanding of key terms baked into the GDPR, we can move forward with some important details.
10 Crucial Facts That Travel & Transportation Companies Must Know About the EU General Data Protection Regulation
1. Non-compliance can mean substantial fines. How substantial? The maximum fine is the greater of €20M or 4% of annual global turnover. Ouch. (“Turnover” here seems to mean revenue, though it is not explicitly stated.) There are more details to the financial damages, as there are tiered penalties for breaches.[1] Further details will not be provided here, but you are encouraged to continue researching if the GDPR applies to your company. But beware: comply or else.
2. The General Data Protection Regulation applies not only to companies that reside within the EU, but also to companies that reside outside of the EU. If your company sells products and/or services to people residing in the EU, or monitors the behavior of natural persons residing in the EU, regardless of where your company is located, then this regulation applies to your organization. The definition of “monitor the behavior” is a good one to understand. It is when “…natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”[3]
3. A person does not have to have paid your company to be a “data subject”.[2]
4. A name, a person’s photo, an email address, a person’s bank details, a person’s social media posts, medical information, or a computer IP address can all be considered personal data of a “data subject”. Basically, if the stored information can directly or even indirectly identify a person, it is considered personal data.[4]
5. There is the “Right to Be Forgotten”, a.k.a. “Data Erasure”. That is, a data subject has the right to request that his or her personal data be erased, to “cease further dissemination of the data, and potentially have third parties halt processing of the data”.[5]
6. Data subjects have the right to receive personal data about them as well as to transfer that data to a different controller.[6]
7. Data subjects will have the right to receive “from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose”.[7]
8. The controller will need to provide a free copy of personal data when requested to do so.[7]
9. When a data breach occurs and is one that is likely to “result in a risk for the rights and freedoms of individuals”, a breach notification must be sent to all member states within 72 hours of knowing that a breach occurred. Customers affected will also need to be informed “without undue delay”.[8]
10. Easy-to-understand consent conditions must be given to consumers. Also, an easy way to withdraw consent must be provided to consumers. Furthermore, “…companies will no longer be able to use long illegible terms and conditions full of legalese”.[9]
Help Is Available
There you have 10 important details concerning the EU’s General Data Protection Regulation. If your company stores, processes, or monitors the behavior of people residing in the EU, regardless of whether your company is located within the EU or the EU individual has spent money with your company, you will probably, if not definitely, have to comply with the GDPR.
It may seem like a laborious undertaking. However, there are certain steps you can take now to begin the compliance process. For example, when a very large organization has been involved in mergers and acquisitions over many years, dozens, hundreds, or even thousands of disparate databases can be spread across multiple physical locations and cloud environments. Thus, determining where EU data subject information is located can be difficult. Combining IBM’s Agile 3 and Guardium IT security solutions can help both to identify business-related data risks and to determine where personally identifiable information is stored across that enterprise. Other IBM GDPR solutions that can help to drive policy decisions are available.
IBM Security’s newest offering, Guardium Analyzer, helps companies quickly and efficiently identify data that may fall under this regulation. It is considered a “lightweight” version of Guardium.
Please reach out with any questions. We will be glad to help.
1. “Frequently Asked Questions about the GDPR.” EU GDPR Portal, n.d. Web. 12 June 2017. What are the penalties for non-compliance?
2. Council of the European Union. General Data Protection Regulation. Council of the European Union, 6 Apr. 2016. Web. 12 June 2017. Recitals (23), (80); Article 3: Territorial scope, 2a.
3. Council of the European Union. General Data Protection Regulation. Council of the European Union, 6 Apr. 2016. Web. 12 June 2017. Recital (24).
4. “Frequently Asked Questions about the GDPR.” EU GDPR Portal, n.d. Web. 12 June 2017. What constitutes personal data?
5. “GDPR Key Changes: An overview of the main changes under GDPR and how they differ from the previous directive.” EU GDPR Portal, n.d. Web. 12 June 2017. Right to be Forgotten.
6. “GDPR Key Changes: An overview of the main changes under GDPR and how they differ from the previous directive.” EU GDPR Portal, n.d. Web. 12 June 2017. Data Portability.
7. “GDPR Key Changes: An overview of the main changes under GDPR and how they differ from the previous directive.” EU GDPR Portal, n.d. Web. 12 June 2017. Right to Access.
8. “Frequently Asked Questions about the GDPR.” EU GDPR Portal, n.d. Web. 12 June 2017. How does the GDPR affect policy surrounding data breaches?
9. “GDPR Key Changes: An overview of the main changes under GDPR and how they differ from the previous directive.” EU GDPR Portal, n.d. Web. 12 June 2017. Consent.