With increasing emphasis on data security in the current climate of data breaches and hacking, regulatory bodies are taking an increasingly demanding view of enterprise data security. The General Data Protection Regulation (GDPR) is a new regulation (EU 2016/679) through which the European Parliament and European Commission intend to strengthen and unify data protection for all EU citizens.
The objective of GDPR is to give EU citizens and residents control over their personal data and to simplify the regulatory environment. GDPR was adopted on 27 April 2016 and becomes effective on May 25th, 2018. The impact of the regulation is far reaching, not only for data subjects (individuals whose data is stored by government and private enterprises) but also for enterprises storing and processing personal data. The scope of GDPR is addressed in the next section; after that we cover the data security, data retention and outsourcing implications of GDPR.
Scope of GDPR
The GDPR regulation comes into effect on May 25th, 2018 and impacts any organization that deals with EU citizen data and has a project running beyond that date. Enterprises are under pressure to comply with these regulations because the fines are heavy and can go up to 4% of global annual turnover or 20 million euros.
GDPR can be classified into 5 key areas, namely: rights of EU data subjects, security of personal data, consent, accountability of compliance, and data protection by design and by default. Enterprises also need to appoint a Data Protection Officer who is well versed in the GDPR guidelines and is responsible for monitoring compliance of the business processes and systems that deal with personal data. We now examine the scope of GDPR from the following perspectives –
- Storage and processing of EU citizen personal data – any enterprise that stores and processes personal data of EU citizens beyond May 25th, 2018 comes under the ambit of the regulation. A key question here is what constitutes personal data. The regulation states that personal data can be physical, genetic, cultural, social, economic, unstructured (e.g. social media) and behavioral, whether derived or self-identified. The guideline on storage is that personal data of data subjects should be stored only for the period deemed necessary. All processing operations on personal data must be documented, and data must be processed only for the stated purposes. It is important to note that GDPR does not apply only to enterprises based in Europe; it extends to global businesses that store and process the personal data of EU citizens and residents. Hence a US bank with European customers must comply with the GDPR guidelines or face heavy fines.
- Data Controllers – data controllers control the personal data of data subjects; for example, a company stores the personal data of its employees, or a bank stores the personal data of its customers. Data controllers can appoint data processors to process personal data, but there must be written instructions to ensure compliance with GDPR.
- Data Processors – they process personal data based on the instructions provided by data controllers and must comply with the GDPR regulations.
- Data Subjects – individuals (EU citizens and residents) whose data is stored by data controllers and processed by data processors. Data subjects need to give enterprises their consent to the storage of their personal data and can withdraw that consent at any time.
- Data Breaches – in case of a data breach, enterprises need to inform the regulatory authorities of the breach within 72 hours of the incident.
- Data Protection by Design – enterprises need to ensure that data protection guidelines are built into the design of the data management processes and systems that must comply with GDPR. For instance, if you are planning a data mart hosted on the hybrid cloud of a third-party data processor, the personal data would need to be anonymized before use by analytical applications and users.
GDPR Implications on Data Security and Outsourcing
With an overview of the scope of GDPR in place, we now assess the implications of GDPR on data security, data retention and outsourcing –
- Data Security – all personal data stored and processed must be secured. If the personal data of an EU data subject resides in a data center outside the EU, the data must be anonymized so that persons are not identifiable. Likewise, for remote access from outside the EU or for data movements to a site outside the EU, the data in motion must be encrypted and anonymized.
- Data Retention – data must be retained in data warehouses or data lakes only for the period defined for the use case or purpose of the data processing. In addition, there must be mechanisms to archive or delete the data once the data subject revokes consent for storing personal data. This has a significant impact on the data governance and data management processes currently followed in enterprises, which need to be reviewed in the wake of the GDPR regulations.
- Impact on Outsourcing – while there is no direct impact on outsourcing to offshore data processors from a regulation standpoint, there are certain guidelines that need to be kept in mind. All offshore data processors need to follow the guidelines laid down by data controllers around GDPR, and any access to EU citizen data would involve anonymization of personal data. Where data is stored outside the EU in offshore data centers, the personal data attributes would need to be anonymized.
As enterprises grapple with compliance with the GDPR guidelines, a good starting point is to audit the business processes and systems that deal with the personal data of EU data subjects, classify the data sets, and put in place the control mechanisms needed to ensure compliance with the regulations. Time is ticking; it’s time to act now!