D. Justhy's Blog

"Getting to Yes, Now!"

CIO: Six Ways To Get Up To Speed On GDPR Compliance, Especially If You Are Not Ready Yet

Many companies, including ones most of us know, mistakenly assume that GDPR is purely a legal issue. The reality is far from that. This flawed assumption stems from a limited understanding, or no understanding at all, of what data is to the business and what it is not.

No single department in an organisation can address GDPR on its own. It requires an enterprise-level view to address compliance effectively, efficiently and, more importantly, dare I say, ‘profitably’. For starters, ‘absolute compliance’ may not be possible for many organisations by May 25, 2018. However, every CIO must at the very least get control of their GDPR-related outcomes.

Over the past few years, most CIOs have started to recognise the importance of data management and data protection, but GDPR has added a sense of unprecedented urgency to those efforts. Many CIOs are probably losing sleep over it.

The European Union’s (EU’s) General Data Protection Regulation (GDPR) will affect virtually any company in any sector around the world that processes the personal data of EU residents. Although this may put undue pressure on IT executives to ensure that their organisations are prepared, CIOs must educate the enterprise that data matters are a business strategy issue and not just an IT issue. CIOs must build their case and communicate it to their business colleagues as well as their boards.

The GDPR replaces the EU’s Data Protection Directive 95/46/EC and is meant to harmonise data privacy and data protection requirements across Europe. One of the key differences between the new regulation and its predecessor, however, is that it holds accountable all companies that process personal data associated with EU residents, regardless of whether those companies have a physical presence in the EU. The potential penalties for noncompliance, meanwhile, are not trivial, reaching as high as 4 percent of global revenue or 20 million euros, whichever is greater. So that is what it is going to cost you if your C-suite gets things wrong.

Here is the bare minimum: five things every CIO must do to ensure that his or her organisation is ready for GDPR compliance, even if you believe you are running late.

  1. Understand that data is a trail of your business processes, and that this data must be managed with increased record-keeping. This is not new to most companies; however, the most undisciplined companies are obviously going to be penalised for this negligence and will have to get their house in order. Thankfully, most IT departments are capable enough.
  2. Get good at performing data protection impact assessments (DPIAs). Ensure that DPIAs are an integral part of your existing business and technology processes. The GDPR requires organisations to conduct data protection impact assessments for any new processing or changes to processing deemed to represent a high risk to the privacy and protection of EU resident personal data. This calls for a high level of transparency of both the process as well as data landscape.
  3. Incorporate privacy by design into your culture and DNA. The GDPR requires privacy and data protection controls to be incorporated by design into any new or existing systems or processes that involve EU resident personal data. Ensure that communications and training programmes address this as part of your culture initiatives.
  4. Know and treat data sensitively while considering data portability and erasure. Under the GDPR, organisations must provide EU residents with the ability to access, correct, and erase their data, as well as allow them to move it to another service provider if they so choose.

  5. Step up to a culture of managing data risk in your business. Get control over third-party risk management. Remember that person-centric data is the most valuable data to your business anyway. It is the billion dollar byte. GDPR is now an opportunity to get your act together, even when third parties are managing your data.

What You Don’t Know About GDPR May Hurt You

Well, not if you actually know what is in the regulation document. The document is organised into chapters, sections and articles.

The document has eleven chapters and ninety-nine articles. Here is the table of contents.

Chapter 1 General provisions
Article 1 Subject-matter and objectives
Article 2 Material scope
Article 3 Territorial scope
Article 4 Definitions
Chapter 2 Principles
Article 5 Principles relating to processing of personal data
Article 6 Lawfulness of processing
Article 7 Conditions for consent
Article 8 Conditions applicable to child’s consent in relation to information society services
Article 9 Processing of special categories of personal data
Article 10 Processing of personal data relating to criminal convictions and offences
Article 11 Processing which does not require identification
Chapter 3 Rights of the data subject
Section 1 Transparency and modalities
Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject
Section 2 Information and access to personal data
Article 13 Information to be provided where personal data are collected from the data subject
Article 14 Information to be provided where personal data have not been obtained from the data subject
Article 15 Right of access by the data subject
Section 3 Rectification and erasure
Article 16 Right to rectification
Article 17 Right to erasure (‘right to be forgotten’)
Article 18 Right to restriction of processing
Article 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20 Right to data portability
Section 4 Right to object and automated individual decision-making
Article 21 Right to object
Article 22 Automated individual decision-making, including profiling
Section 5 Restrictions
Article 23 Restrictions
Chapter 4 Controller and processor
Section 1 General obligations
Article 24 Responsibility of the controller
Article 25 Data protection by design and by default
Article 26 Joint controllers
Article 27 Representatives of controllers or processors not established in the Union
Article 28 Processor
Article 29 Processing under the authority of the controller or processor
Article 30 Records of processing activities
Article 31 Cooperation with the supervisory authority
Section 2 Security of personal data
Article 32 Security of processing
Article 33 Notification of a personal data breach to the supervisory authority
Article 34 Communication of a personal data breach to the data subject
Section 3 Data protection impact assessment and prior consultation
Article 35 Data protection impact assessment
Article 36 Prior consultation
Section 4 Data protection officer
Article 37 Designation of the data protection officer
Article 38 Position of the data protection officer
Article 39 Tasks of the data protection officer
Section 5 Codes of conduct and certification
Article 40 Codes of conduct
Article 41 Monitoring of approved codes of conduct
Article 42 Certification
Article 43 Certification bodies
Chapter 5 Transfers of personal data to third countries or international organisations
Article 44 General principle for transfers
Article 45 Transfers on the basis of an adequacy decision
Article 46 Transfers subject to appropriate safeguards
Article 47 Binding corporate rules
Article 48 Transfers or disclosures not authorised by Union law
Article 49 Derogations for specific situations
Article 50 International cooperation for the protection of personal data
Chapter 6 Independent supervisory authorities
Section 1 Independent status
Article 51 Supervisory authority
Article 52 Independence
Article 53 General conditions for the members of the supervisory authority
Article 54 Rules on the establishment of the supervisory authority
Section 2 Competence, tasks and powers
Article 55 Competence
Article 56 Competence of the lead supervisory authority
Article 57 Tasks
Article 58 Powers
Article 59 Activity reports
Chapter 7 Cooperation and consistency
Section 1 Cooperation
Article 60 Cooperation between the lead supervisory authority and the other supervisory authorities concerned
Article 61 Mutual assistance
Article 62 Joint operations of supervisory authorities
Section 2 Consistency
Article 63 Consistency mechanism
Article 64 Opinion of the Board
Article 65 Dispute resolution by the Board
Article 66 Urgency procedure
Article 67 Exchange of information
Section 3 European data protection board
Article 68 European Data Protection Board
Article 69 Independence
Article 70 Tasks of the Board
Article 71 Reports
Article 72 Procedure
Article 73 Chair
Article 74 Tasks of the Chair
Article 75 Secretariat
Article 76 Confidentiality
Chapter 8 Remedies, liability and penalties
Article 77 Right to lodge a complaint with a supervisory authority
Article 78 Right to an effective judicial remedy against a supervisory authority
Article 79 Right to an effective judicial remedy against a controller or processor
Article 80 Representation of data subjects
Article 81 Suspension of proceedings
Article 82 Right to compensation and liability
Article 83 General conditions for imposing administrative fines
Article 84 Penalties
Chapter 9 Provisions relating to specific processing situations
Article 85 Processing and freedom of expression and information
Article 86 Processing and public access to official documents
Article 87 Processing of the national identification number
Article 88 Processing in the context of employment
Article 89 Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Article 90 Obligations of secrecy
Article 91 Existing data protection rules of churches and religious associations
Chapter 10 Delegated acts and implementing acts
Article 92 Exercise of the delegation
Article 93 Committee procedure
Chapter 11 Final provisions
Article 94 Repeal of Directive 95/46/EC
Article 95 Relationship with Directive 2002/58/EC
Article 96 Relationship with previously concluded Agreements
Article 97 Commission reports
Article 98 Review of other Union legal acts on data protection
Article 99 Entry into force and application

Forget GDPR. Think Person.

Organisations spend tens or hundreds of millions of dollars on regulatory initiatives. It is easy to get muddled up in regulatory details and lose focus on what actually matters.

Yes, the pragmatist would say: let’s just focus on what the document says and get it done. That is true. We must stick with the details of the regulatory documents. No doubt about this.

However, it is more important for everyone involved in responding to this regulation to imbibe its true spirit, which is the ‘protection of the person.’ In the process, an opportunity is likely to be created to better manage your billion dollar byte. Otherwise, your regulatory spend will simply become a sunk cost that hurts you over the coming years, and there could be a tendency to view this regulation pessimistically. That would be sad.

Here are five points to help the busy executive or technologist navigate this topic.

  1. The General Data Protection Regulation has been published in the Official Journal of the European Union.

The legislative act has been documented under the title below:

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016

on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

  2. GDPR is about personal data

It is all about the person and their personal data. This data is the most important and the most valuable in the digital age and in the digital world. This is the reason I call it ‘The Billion Dollar Byte.’

  3. GDPR is all about protecting personal data as a fundamental right

The regulation sets out principles and rules on the protection of natural persons with regard to the processing of their personal data in order to respect their fundamental rights and freedoms, in particular their right to the protection of personal data, regardless of their nationality or residence.

This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.

Directive 95/46/EC of the European Parliament and of the Council seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States of the European Union.

The processing of personal data should be designed to serve mankind, and rightly so.

  4. The right to protection of personal data is not an absolute right

It must be recognised that the right to protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.

This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

  5. Everyone’s personal data needs to be protected in a rapidly developing world

Rapidly changing technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the European Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.

GDPR – Up Your Data Game With Your Process Discipline

From the 25th of May 2018, the rights of individuals in the ‘cyber world’ will be strengthened, and businesses must acknowledge this by law. The price of not doing so could be fines for violations of the regulation. Previously this was merely a directive. These fines could potentially run into millions or even billions.

It will be important for every enterprise to acknowledge that individuals need to be recognised as “data subjects” and, more importantly, as very valuable ones. This is the reason I refer to the most important data in any enterprise as the data related to the persons involved in the business model. In fact, I even call it ‘the billion-dollar byte!’

Person centric data in any enterprise must be protected and managed like a ‘heartbeat.’

My book, The Billion Dollar Byte, was honoured as the finalist in the 2017 American Book Fest. For me as a first-time author, it was an acknowledgement that the life of a person in the digital world is just as important as in the physical world. Only now, it is being legally enforced through a regulation.

Like with everything else in life, it is either good or bad, depending on your perspective.

Data has always been, is today and will be tomorrow a mere reflection of processes. The only difference is that today the processes are being digitalised.

In any enterprise, if the processes are well managed, the data will be too. However, not every enterprise is disciplined enough to manage its processes well, and unfortunately this is reflected in its data as well. You will tend to hear of these symptoms under labels like ‘data quality’, ‘data swamps’, ‘data something or other’. But the real root cause is a lack of discipline in the enterprise’s processes. And if the processes are cross-border, you are coming close to nightmare scenarios with data protection.

Since the ‘process of life’ has now gone digitally global for almost everyone who has an internet connection, so has the data. The good news for individuals is that there is now a good chance of being legally protected against undisciplined businesses.

Enterprises, though, will need to reinforce their processes, if they have not already done so, to enable individuals to have more control over their personal data, including through:

  1. The need for the individual’s clear consent to the processing of personal data
  2. Easier access by the subject to his or her personal data
  3. The rights to rectification, to erasure and ‘to be forgotten’
  4. The right to object, including to the use of personal data for the purposes of ‘profiling’
  5. The right to data portability from one service provider to another
  6. The obligation on controllers (those who are responsible for the processing of data) to provide transparent and easily accessible information to data subjects on the processing of their data.

Knowing how ‘frighteningly’ certain enterprises manage their data, I am glad that these protections are being enforced. As for enterprises that aren’t good at managing their data, a good start is to get a grip on the business processes that manage the life cycle of a person’s data, and this may well be the start of your pursuit of your billion-dollar byte.