Chadi Hantouche, Head of Cybersecurity and Digital Trust Asia-Pacific, Wavestone, offers advice on how to prioritise compliance objectives in the run-up to the implementation of the EU’s new General Data Protection Regulation, which becomes effective in May this year.
With just three months until the General Data Protection Regulation (GDPR) takes effect on 25 May 2018, businesses have been grappling with how to address the most important changes to affect the data privacy landscape in over two decades. Landmark in its breadth and reach, GDPR replaces the European 1995 Data Protection Directive. Building upon the key principles of the 1995 Directive, GDPR vastly expands its regulatory scope and will impact businesses globally, setting many industry leaders on a race towards compliance. The role of data protection officers (DPOs) will be critical to meet regulatory requirements in a post-GDPR environment. In addition, companies stand to gain traction by harnessing the expertise of their chief information security officer (CISO) along the way.
Assessing the impact of the GDPR
In simple terms, GDPR was designed with a threefold aim:
- to harmonise privacy laws across Europe
- to protect and empower the data privacy of all EU residents in an increasingly digitalised and data-driven world, and
- to reshape the approach to data privacy by organisations across the EU.
In practical application, the GDPR has extraterritorial scope. It applies to all companies established in the EU that collect or process personal data, whether the processing itself takes place inside or outside the EU (for example in Hong Kong), and to companies established elsewhere (again, for example, in Hong Kong) whose processing relates to certain activities of individuals in the EU. In addition to this increased scope, there will be hefty penalties for companies in violation of the regulation, applicable to both controllers and processors of data, meaning cloud providers will not be exempt from sanctions. Under a graduated scale, companies will face fines of up to 4% of annual global turnover or EUR 20 million, whichever is higher.
The regulation improves existing measures on a one-stop-shop for authorities to contact, requiring non-EU businesses that process the data of individuals in the EU to appoint a representative in the EU. GDPR also clearly delineates expanded requirements for the role of the DPO within each company. Additionally, GDPR strengthens or introduces provisions on data subjects' rights, notably stricter conditions for consent, together with new requirements for data breach notification, the right of access, the right to be forgotten, data portability, and privacy by design.
Of these changes, the increased jurisdictional scope will arguably have the largest immediate impact on global business. GDPR clarifies the legal ambiguities that have arisen in a number of high-profile court cases over the years and, for the first time, regulatory jurisdiction will apply to companies with no EU establishment that process the personal data of individuals in the EU, regardless of whether that processing takes place on EU soil, wherever that processing relates to offering them goods or services (whether or not payment is required) or to monitoring their behaviour within the EU.
Too little too late?
While the gravity of GDPR’s requirements has been the focus of much media and industry attention, most companies launched their GDPR compliance programmes in 2017 – too late to be compliant by the May 2018 enforcement deadline. Some 25% of businesses began GDPR activities in 2016, with banks and insurers among the earliest adopters. These activities were typically limited to legal analysis and compliance programme planning beginning in mid-2016. The ‘main pack’, comprising about 50% of businesses, mostly B2C companies, began their GDPR preparation in the first half of 2017. The remaining 25% of businesses, comprising mainly small B2B companies, began IT analysis and IT remediation activities in the latter half of 2017.
Getting teams in place
The creation of a GDPR compliance programme will have wide-ranging effects on companies and their myriad stakeholders. Company secretaries will be involved in implementing organisations’ GDPR compliance programmes and therefore need to have a clear idea of what the post-25 May privacy compliance landscape will mean for their organisations. In larger organisations, the company secretarial department is likely to be overseeing the work of the teams discussed below, while in smaller organisations company secretaries will often be directly involved in implementing compliance measures.
Our analysis shows (see Figure 1: workload distribution) that while legal teams and the CISO will provide expertise, their workload will remain light with respect to the overall burden of GDPR compliance programmes. Conversely, IT and digital teams will be charged with evolving the IT systems, and the workload of these teams will account for nearly half of the total workload necessary for GDPR compliance. IT and digital teams will be tasked with proposing new service offers and IT compliance tools and solutions covering the rights the regulation grants data subjects: consent, portability and deletion. They will also implement changes to existing and future information systems to achieve compliance.
Business teams that collect and use customer data (or that own IT systems processing client data) will be required to map their processes, ensure their compliance, change the customer journey, and improve operating procedures with employees and partners.
The projected budget for a GDPR compliance programme depends heavily both on the extent of personal data use within a company and on its current level of maturity. Field feedback shows (see Figure 2: typical budget distribution for a GDPR compliance programme) that half of the amount will be dedicated to catching up with existing regulations (for example the Personal Data (Privacy) Ordinance in Hong Kong), and only 20% to the new requirements brought in by GDPR. The remaining budget is allocated to analysis and steering activities.
DPOs: the newcomers
DPO teams will need to formalise policies, directives and processes. They will be expected to define the organisational targets and ensure compliance of solutions deployed by the business functions and IT teams.
DPOs have historically been attached to legal, compliance, or risk management departments within companies (see Figure 3: DPOs’ historical attachment within corporations). Before the GDPR, DPOs were viewed as legal or IT experts. Moving forward, individuals in this role must know the ins and outs of their business, and assume a new role as facilitator. The GDPR requires strategic thinking and there are currently few expert resources available, therefore DPOs will be tasked with utilising existing expertise and resources to effectively target the most difficult aspects of implementation.
We outline three areas in particular for DPOs to focus their attention (see Figure 4: areas of focus for DPOs).
The role of information security officers
CISOs are responsible for ensuring the cybersecurity of personal data and related systems. Given the breadth and depth of their expertise, there are several ways in which CISOs can strongly contribute to compliance before May 2018. This includes 'tracking the blind spots', that is, ensuring the security of privacy-critical applications.
The CISO can also improve security by adhering to the ‘privacy by design’ principle. Additionally, CISOs offer expertise in prioritising some key privacy technologies in the cybersecurity action plan. The CISO is also usually indispensable for the updating of incident detection and crisis processes including personal data breach notifications. In a post-May 2018 GDPR landscape, CISOs will also need to assist with right to erasure, anonymisation and consent management issues.
What are the priorities for May 2018?
For most companies, meeting each and every GDPR requirement by May 2018 will not be possible. Our recommendation is to focus on the three priorities set out below.
- You will need to prove that accountability has been clearly defined and is running within your company, in terms of organisation, policies, privacy by design, privacy impact assessments, etc.
- Some critical processes must be compliant. For these, you need to review the business processes and bring the associated IT systems into compliance.
- Choose two transversal topics to address. Our advice is to start with consent management and transfers to third parties. Consent management requires the subject’s agreement to process personal data relating to him or her. This consent has to be clear, explicit, easy to withdraw, given freely, and a record should be kept – a set of rules that may prove tricky to enforce.
Transfer to third parties, on the other hand, requires an 'adequate level of protection' for personal data transferred outside the European Economic Area. The regulation does not itself spell out what level of protection is 'adequate': adequacy is recognised by decision of the European Commission for specific countries, and otherwise appropriate safeguards such as standard contractual clauses or binding corporate rules have to be put in place, with the expected level of protection depending on the current state of the art and varying over time.
Following the May deadline, the next steps would then be to handle the remaining business processes and IT systems compliance, as well as the implementation of the rights to erasure (or ‘right to be forgotten’) and to portability.
The right to erasure allows the data subject to obtain the erasure of personal data concerning him or her without undue delay, in a number of cases: if the data is no longer necessary for the purpose it was collected for, if the data subject has withdrawn consent, if the data has been unlawfully processed, etc. Portability allows the subject to receive his or her data in a structured, commonly used and machine-readable format, and, where technically feasible, to require that data to be transmitted directly from one organisation ('controller' in the law) to another. Implementing both rights can be a real technical challenge.
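The following Python is an added example, not code from the article or from Wavestone, sketching one way to implement the consent-management rules described above (clear, explicit, easy to withdraw, with a record kept) and the erasure and portability rights of this section: an append-only consent ledger where withdrawal is a single call and nothing is overwritten, an erasure check that applies the three grounds listed in the text (no longer necessary, consent withdrawn, unlawfully processed), and a portability export in structured, machine-readable JSON. The subject identifier, purposes, timestamps, field names and sample records are all constructed for the example.

```python
"""Consent ledger, erasure check and portability export.

Added illustration, not code from the article or from Wavestone. Field names,
purposes, timestamps and the sample subject are constructed for the example.
"""
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone


def utc_now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # what the data is processed for, e.g. "marketing_email"
    granted: bool         # True = consent given, False = consent withdrawn
    at: str               # ISO-8601 UTC ("2018-03-01T09:00:00Z"); sorts lexically
    notice_version: str   # version of the privacy notice the subject actually saw
    source: str           # channel where the choice was captured (the record kept)


class ConsentLedger:
    """Append-only log. Current consent is derived from the latest event for a
    (subject, purpose) pair, so both the grant and any withdrawal stay provable."""

    def __init__(self):
        self._events = []

    def grant(self, subject_id, purpose, notice_version, source, at=None):
        self._events.append(ConsentEvent(subject_id, purpose, True, at or utc_now(),
                                         notice_version, source))

    def withdraw(self, subject_id, purpose, source, at=None):
        # Withdrawing must be as easy as granting: one call, no extra conditions.
        self._events.append(ConsentEvent(subject_id, purpose, False, at or utc_now(),
                                         "", source))

    def has_consent(self, subject_id, purpose, at=None):
        at = at or utc_now()
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        if not relevant:
            return False  # no record means no consent, never the reverse
        return max(relevant, key=lambda e: e.at).granted

    def history(self, subject_id):
        return [asdict(e) for e in self._events if e.subject_id == subject_id]


@dataclass
class ProcessingRecord:
    subject_id: str
    purpose: str
    lawful_basis: str             # "consent", "contract", "legal_obligation", ...
    data: dict
    still_necessary: bool = True  # False once the purpose has been fulfilled
    lawfully_processed: bool = True


def erasure_grounds(rec, ledger, at=None):
    """Grounds from the article's list on which this record must be erased;
    an empty list means the record may be kept."""
    grounds = []
    if not rec.still_necessary:
        grounds.append("no_longer_necessary")
    if rec.lawful_basis == "consent" and not ledger.has_consent(rec.subject_id, rec.purpose, at):
        grounds.append("consent_withdrawn")
    if not rec.lawfully_processed:
        grounds.append("unlawfully_processed")
    return grounds


def erase(records, subject_id, ledger, at=None):
    """Split a subject's records into (kept, erased). The consent ledger itself is
    deliberately left intact: it is the evidence that the withdrawal was honoured."""
    kept, erased = [], []
    for rec in records:
        (erased if rec.subject_id == subject_id and erasure_grounds(rec, ledger, at)
         else kept).append(rec)
    return kept, erased


def export_portable(records, ledger, subject_id, exported_at=None):
    """Portability export as JSON with stable key order so another controller can
    parse it. Which records the right covers is a legal question for the DPO;
    this function simply exports every record held for the subject."""
    payload = {
        "subject_id": subject_id,
        "exported_at": exported_at or utc_now(),
        "records": [{"purpose": r.purpose, "lawful_basis": r.lawful_basis, "data": r.data}
                    for r in records if r.subject_id == subject_id],
        "consent_history": ledger.history(subject_id),
    }
    return json.dumps(payload, indent=2, sort_keys=True)


def demo():
    """Constructed scenario: a subject grants two consents, later withdraws one,
    and an erasure request is handled on 25 May 2018."""
    ledger = ConsentLedger()
    ledger.grant("s-001", "marketing_email", "v2", "web_signup_form", "2018-03-01T09:00:00Z")
    ledger.grant("s-001", "analytics", "v2", "web_signup_form", "2018-03-01T09:00:00Z")
    ledger.withdraw("s-001", "marketing_email", "preference_centre", "2018-04-10T12:30:00Z")
    records = [
        ProcessingRecord("s-001", "marketing_email", "consent", {"email": "a@example.com"}),
        ProcessingRecord("s-001", "analytics", "consent", {"pageviews": 42}),
        ProcessingRecord("s-001", "order_fulfilment", "contract", {"order": "A-17"}),
        ProcessingRecord("s-001", "old_campaign", "legitimate_interest", {"score": 3},
                         still_necessary=False),
    ]
    kept, erased = erase(records, "s-001", ledger, at="2018-05-25T00:00:00Z")
    export = export_portable(kept, ledger, "s-001", exported_at="2018-05-25T00:00:00Z")
    return ledger, kept, erased, export


if __name__ == "__main__":
    _, kept, erased, export = demo()
    print("erased:", [r.purpose for r in erased])
    print(export)
```

Two design choices matter here. Consent is evaluated at a point in time rather than stored as a flag, so an audit can later show what the company believed at the moment a given processing ran; and erasure removes the personal data but not the consent log, since the log is what proves the withdrawal was recorded and honoured.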
But do not forget: 25 May 2018 is just the first milestone of the privacy race – which is more a marathon than a sprint.