How the EU’s GDPR affects all of us

I recently sat down with Chiara Rustici, General Data Protection Regulation (GDPR) expert and independent consultant and analyst, to discuss the EU’s new GDPR requirements and their impact on organizations worldwide. Here are some highlights from our talk.

1. Could you provide some context on the GDPR for readers who aren’t familiar with it?

This is a new legal framework for handling personal data of EU-based individuals, be they customers, prospects, contractors or employees. It is already in force but not yet enforceable—businesses and not-for profit organizations have until May 25, 2018 to prepare. Although GDPR originates in the EU, it actually impacts businesses worldwide: If they handle personal data of EU individuals, or do business with organizations that do, the GDPR imposes obligations on how that data is treated, even if that personal data has traveled outside the EU and is now stored and handled in a distant corner of the world.

2. What are the broad sweeping implications of the GDPR for organizations?

One new legal requirement is to report a personal data breach within 72 hours of becoming aware of it, both to data protection supervisory authorities and to the individuals themselves if the breach significantly affects their rights. This requirement is made more daunting by the fact that the GDPR expands the definition of personal data to include any information that has even the potential, alone or in conjunction with other information, to identify a person.

To comply with GDPR, there are three key areas where businesses and software architects need to do things differently. They need to find a way to:

• Preserve the identity of an individual across the multitude of their different descriptions, names and properties, and keep these together under one heading. Building a personal data ontology is a huge undertaking, and the GDPR adds complexity to the task by requiring that all the disparate data points that can potentially identify a single individual be included.
• Preserve the link between a data point and the individual that data point can potentially identify. This is either because you need to preserve a consent chain, or because you need to advise the individual when the purpose for handling a particular data point changes.
• Attach a sunset clause / purpose achieved clause to personal data points. Personal data should only be employed for a specific purpose. Once that purpose is superseded, the data point in question should no longer be held by the business. Business applications are not equipped with automatic erasure options at the person-centric level of granularity. New thinking is needed to figure out, for example, how to deal with a file that contains personal data of multiple individuals when your purpose for handling the personal data has “expired” for one person but not for the others.

3. How would you recommend an organization begin preparing for the GDPR? What are the first steps?

The GDPR is, in business terms, a cost/benefit analysis exercise: It asks organizations to make choices about what they want out of the personal data they collect and what they are prepared to do or stop doing in order to pursue their business goals in a lawful manner. In no way can IT professionals start the GDPR compliance journey on their own, but they will need to get involved in business strategy conversations, asking “why?” quite a lot:

• Why exactly are we archiving this data instead of just erasing it?
• Why are we building this data lake?
• Why are we allowing the design of this app to collect these categories of personal information?

They need to escalate to the board and CEO the key data business model questions:

• What are we trying to achieve with these personal data sets?
• Are the expected financial gains higher than the costs of encrypting or de-identifying the sets?

Ultimately, the key preparation stage is a thorough business review of the privacy landscape; some data-driven business models will no longer be viable in a GDPR world. This is a non-negotiable boardroom-level privacy posture call. Security professionals know too well that not storing personal data is the ultimate security strategy for this very hazardous asset; now the GDPR offers them powerful legal grounds to impose a limit on collection and storage.

4. What barriers are organizations facing in implementing GDPR protocols?

Quite a few, but I’ll focus on the top three cultural barriers here because it takes longer to shift organizational cultures than it takes to develop new technologies. These are:

• A user design culture. Years of design thinking have produced wonderfully intuitive user interfaces (UI), but tap-and-swipe, drag-and-drop actions, second nature for us all, amount to moving data sets in and out of corporate perimeters and often out of national boundaries. Data flows are invisible, and the GDPR wants to make them visible again. Unlearning our UI instincts, and pausing to think “Is this cut-and-paste job going to make living people identifiable?” will be tough.
• A boardroom culture. Years of thought leadership on digital transformation have produced a corporate culture of over-collecting personal data without a corresponding discipline of measuring the return on investment. Personal data brings with it a cost and a risk the moment it enters an organization: It is a liability long before it becomes an asset. The GDPR has placed a precise and hefty price tag on the cost and risk of handling personal data so that, in addition to ending indiscriminate collection and lax security practices, hopefully, it will encourage more disciplined treatment of the enterprise value of personal data.
• Vendor/contractor culture. Nineteen months to enforcement date, I am not aware of any large IT household name that has a GDPR-compliant or GDPR-proof product or service on the market. My guess is that, right until the end, GDPR-defying products will continue to be bought until the GDPR emergency is so obvious to all that it becomes a compelling reason to upgrade or buy new hardware and software with GDPR options. What makes matters worse is that the businesses with enough foresight to start the GDPR compliance journey early end up paying for the research and development costs of the new GDPR-compliant offerings by these same vendors.

5. You’re speaking at the O’Reilly Security Conference in Amsterdam this November. What presentations are you looking forward to attending while there?

All of them! I am a bona fide conference junkie and find it exhilarating to attend large events where brains come together and faces light up all the time in those very precious “ah-ha” moments. I make it a point of attending the ones I do not even grasp the title of—if I already understand 80% of the words and concepts in the presentation, I’m not learning and am sitting in the wrong room!