The European Commission, a legislative caucus contained within the European Union, on Jan. 14, 2011, published an internal communication calling for new consumer data protection regulations. The document highlighted the growth of the digital economy as the primary driving factor, arguing that existing statutes governing data usage, drafted and implemented in 1995, failed to address the numerous complications that had arisen as technology continued to develop.
This communication jump-started an extensive legislative effort that lasted four years and culminated in an amended bill called the General Data Protection Regulation. The European Parliament passed the legislation in April 2016 and published it in the EU Official Journal one month later. To encourage adoption, legislators included a two-year grace period.
That moratorium is scheduled to end May 25, 2018. Organizations serving customers in the EU must have data collection and storage processes in place that comply with the GDPR by this date. Those that do not are vulnerable to financial penalties as high as €10 million or 2 percent of their worldwide revenues for the previous fiscal year. Unfortunately, many businesses here and abroad are not prepared to meet the requirements established in the legislation.
In fact, 60 percent of information technology professionals working at firms in the EU are worried that their respective firms will miss the deadline, while 50 percent of those in the U.S., where the GDPR will affect upwards of 75 percent of businesses, harbor the same concern, according to research from data security software provider Varonis.
The reality is that companies that have yet to prepare for the GDPR will likely never implement the required workflows in time. However, those that have embarked on the compliance journey and are nearing the end still have enough time to reassess their work and ensure they are prepared for EU inspectors, whenever they might show up. Here are some of the essential data management aspects IT teams must address to meet GDPR compliance standards and avoid considerable fines:
Public data collection and storage policy
The GDPR requires controllers, or the parties that take responsibility for collected customer data, to document their information collection and processing workflows. These records must include eight key pieces of information:
- The name and contact information for the processor, i.e. the third-party service provider that actually facilitates data collection. In the event that businesses are working together with joint controllers, the contact information for these entities must be included as well.
- The reason for which customer data is being gathered.
- The categories of affected data subjects and the kinds of information being collected.
- The names and contact information for any third-party organizations that may view any collected personal data.
- Instances in which customer data has been transferred across international borders.
- Time limits for data deletion.
- A general description of the technical protections in place, along with summaries of applicable data handling policies.
As data controllers, businesses operating in the EU must have this documentation on hand. Consequently, firms reviewing their GDPR measures should address this critical yet relatively simple requirement first, SC Magazine reported. Why? This is the first item most inspectors will examine, and should they encounter inaccurate or insufficient documentation that points toward noncompliance, most will assume the suspected issues exist. That is the wrong way to begin a GDPR inspection. With this in mind, IT teams must ensure they draft the required documents and keep them up to date.
User consent controls
One of the most impactful pieces of regulation included in the GDPR is amendment 32, which establishes that businesses must gain the consent of data subjects, or users, before collecting, storing and using their information. It specifically states that "consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement." Organizations are, of course, obligated to adhere to the letter of the law, which means drafting and deploying clear consent agreements on all company web portals.
Like the documentation discussed above, this is one of the first factors inspectors tend to address, which means it should take top priority during GDPR compliance assurance efforts. The legislation requires controllers to create consent agreements that feature five critical pieces of data:
- The identity of the controller.
- The purpose of the data collection.
- The types of information collected.
- An affirmation of the right of the data subject to withdraw consent.
- Information on data used in automated processing operations.
- An explanation of how consent relates to the transfer of data domestically and internationally.
Just-in-time consent forms that appear in an unobtrusive manner are the best option, according to the International Association of Privacy Professionals. These components preserve the user experience while facilitating GDPR-compliant data subject consent programs. However, this is only half of the consent equation. To fully comply with the EU legislation, businesses must keep exhaustive records of their consent practices and be able to produce them for inspectors.
Data protection officer
A large portion of the GDPR addresses the implementation of user-friendly data collection policies, along with other ancillary concerns. On the whole, the document does not tell firms how to organize their operations internally, except for Article 37, which states that controllers with significant data collection and storage operations must "designate a data protection officer."
These executive stakeholders carry out a number of critical tasks, including advising the organization on all data-gathering matters, monitoring GDPR compliance and acting as a point of contact between the EU and the business. There are no specific regulations for appointing DPOs, according to SC Magazine. These leaders can come from within the organization or work on a contract basis via a third party.
Firms should have these professionals in place by deadline day, an objective that is, surprisingly, quite feasible, according to The Wall Street Journal. While industry groups like the APPI say there is great demand for DPOs, hiring and recruitment data suggests that few companies are actively searching for these critical data management stakeholders at the moment, meaning human resources personnel should have little trouble filling the role by May 25, if they have not done so already.
Enterprises that focus on these variables in the weeks leading up to the effective date for the GDPR should find themselves in good shape by the time EU inspectors come calling. That said, there is always more modern businesses can do to protect consumers and comply with international data management regulations such as the GDPR – embarking on the IT modernization journey, for example.
The Inventu Corporation is here to help organizations of all sizes bolster their backend infrastructure for the sake of the customer. Our cutting-edge Flynet Viewer makes screen integration and IT modernization easy, meeting employer and staff expectations in a way that feels both familiar and simple. Connect with us today to learn more about the Inventu Flynet Viewer and the other solutions in our product portfolio.