23/05/2017 | Written by: Rob Langhorst
Share this post:
Last month in London, I had the unique chance to speak with one of the people who helped lay the foundation for General Data Protection Regulation (GDPR), the new European data privacy legislation. John Bowman was head of the delegation to the Council of the European Union’s Working Party on Information Exchange and Data Protection (DAPIX) and the U.K. government’s lead negotiator on GDPR. Now John is working in the privacy and data protection practice of Promontory Financial Group, an IBM Company, a leading strategy, risk management, and regulatory-compliance consulting firm. Promontory was recently acquired by IBM. He supports clients on all aspects of compliance readiness with knowledge around data protection laws and regulations. I took the opportunity to discuss GDPR and to share his expertise and insights on GDPR on this blog.
Why was it so important to have a new EU regulation around data protection?
As a result of the rise of the internet, IoT and mobile devices, there has been a massive increase in personal data processing over the last 20 years. Accompanying that trend, we have seen growth in the use of data-driven business models. The previous Data Protection Directive of 1995 no longer reflected the current situation; it was out of date. With the Treaty of Lisbon, the EU became competent to enact new legislation on data protection. In 2012, the European Commission published the draft of the GDPR, which as a regulation would provide one set of rules for all member states instead of a directive that would be transposed into European Union member state legislation, as had been the case before. The first draft of GDPR was published in 2012. It took over four years to publish the final version in April 2016, which was achieved under the Netherlands Presidency of the Council of the EU. Finding a balance between allowing a free flow of data and achieving data protection was not easy: each member state had a different opinion on what balance would look like.
What are the main differences between GDPR and the Data Protection Directive?
GDPR introduces more consistency. The regulation is far more detailed about protecting the data rights of individuals. It comprises new rights for the individual in terms of, for example, the notification of data processing, data erasure, and data portability, as well as new obligations like appointing a data protection officer (DPO), doing data protection impact assessments, or reporting data breaches within 72 hours. A big change is the European Data Protection Board, a regulatory body that can review cases across borders, and allows local data protection authorities to intervene in cases of cross-border application that apply to them. The new fines are potentially enormous: up to 4% of a company’s global revenue or a maximum of 20 million euros, whichever is greater. In comparison, the maximum fine in the U.K. is currently about 550,000 euros. It is not just to impress: I believe the data protection regulators may take a firm stance on this matter. However, it’s not just the money: it’s also bad publicity and associated reputational damage that an incident can cause.
What are the biggest GDPR challenges on short notice?
Companies really have to get going with their programs; they only have 12 months left until May 2018. Those that don’t yet have a program in place need to do the risk analysis, secure funding, get stakeholders engaged, and raise awareness. Those who have already started their journey may need to change their IT and business processes to be enable individuals to exercise the data privacy rights. This is more challenging than it may seem. As an example: personal data can be stored in various places and erasing a small piece of data in order to “forget” somebody might undermine the integrity of your database.
A key challenge is setting up the privacy governance. How do you handle data protection, in view of the diversity of interests within companies and the fact that every department is affected by the new legislation? An important person in this context is the data protection officer (DPO): that person should be an independent advisor who would report directly to senior management.
Another challenge is determining the legal grounds for data processing that you want to rely on. It can be arranging consent, entering into a contract, protecting the vital interests of an individual, complying with legal obligations, legitimate interests, or the public interest. There is a lot of controversy about what constitutes legitimate interests grounds and to what extent is it really necessary for your business to process personal data.
A major challenge is the right to access data, especially when it comes to unstructured data like emails, and data used for analytics. The lesson to be learned here is that you need to have good data management to begin with. This can make it a lot easier to handle such data subject requests. The upside of it all is that GDPR gives you the opportunity to redesign your processes, creating transparency and potentially building trust.
What best practices do you see?
It is crucial to get involvement across the company, create ownership, and get the business case right. Almost every part of your business is affected, and you need to show how important data protection is. A readiness assessment helps to determine how mature your organization is in terms of GDPR readiness and what your shortcomings are, so you can build a program to resolve identified gaps and introduce robust practices. From a practical point of view, you would focus on implementing IT and process changes, getting engagement from stakeholders, raising awareness, and training employees. Timing is everything: you have only 12 months to move from “thinking” to “operational”. You need to take decisions and prioritize; a risk-based approach does apply to certain aspects of the GDPR, but companies may want be clear about the level of risk they are willing to accept. What is important is how you react, within the required 72 hours, in the event of a data breach: how will you set up internal reporting and get the legal and press departments involved to have control over the external communication and what’s in the morning news.
What would be the best next step?
There is a lot of material available to help you get going. Do a readiness assessment, see what you can take on internally, and seek help from external experts. My key message would be not to underestimate the amount of effort it will take to get ready for GDPR!
IBM nominated as ICT service supplier – Computable Awards 2017
Privacy issues are changing and the new legislation is leading. In May 2018, the new GDPR legislation will become effective, with new requirements for processing and processing personal data. IBM is one of the largest data processors and has acquired the necessary knowledge with previous privacy laws. It has resulted in a GDPR-specific architecture framework that IBM offers as a service. The main purpose of the GDPR assessment is a roadmap that prepares an organization for this GDPR legislation and to test risk factors in the organization of the client.
The complete jury report (in Dutch)
Vote for ICT service supplier of the year – IBM – Computable Awards 2017!
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.