A legal overview of GDPR for CIOs


With the upcoming EU (European Union) GDPR (General Data Protection Regulation), data protection and privacy requirements will change fundamentally. This will require major changes to the data and processes of almost any commercial and non-commercial organization, and it will require these organizations and the executive officers acting on their behalf, especially the CIO, to take appropriate action.

The requirements for maintaining consumers’ privacy will become significantly more consistent across the EU through the new framework. Being an EU regulation, the GDPR overrides local rules and does not need to be transposed into national law; nevertheless, it may subsequently be supplemented through national legislation.

This article, however, should only be taken as a first overview; further details should be addressed together with an organization’s legal and data protection professionals.

Data protection affects PII
To understand the impact that the GDPR has on the management of PII (personally identifiable information), it is important to understand the key regulatory elements of the new law. The key organizational and security-related processes around the management of staff (from employees to partners and external workforce) will be affected.
Customer Identity Management and the processing of customer data in general will also be substantially affected, and this includes CRM (Customer Relationship Management), ERP (Enterprise Resource Planning) and various other business systems. In particular, the use of Big Data Analytics for deep insight into customer behavior, aiming at the proverbial 360° view of customer data and behavior for future strategic and operational planning, needs to be based on a rock-solid data protection foundation.

GDPR – Who and where?
As a first step, it is essential to understand the scope of applicability of the GDPR. A simple rule of thumb: continuing to do business with EU customers (or, more generally, handling personal data of EU citizens) requires full compliance with the EU GDPR, no matter where an organization is located. This means that data controllers and processors established outside the EU (anywhere in the world) that process data of EU customers are required to comply with the EU GDPR. If the organization is located in the EU, it must comply with the new regulation in any case.

Personal data
Unlike many existing data protection regulations, the EU GDPR defines personally identifiable information in a much broader sense than before: personal data is any information related to an identified person or that allows organizations or third parties to identify a person.

This identification may be direct or indirect, so there is no specific need for a traditional unique identifier. Obviously a name, an identification number or an email address identifies a person directly. But location data, online identifiers, bank account details, IP addresses, login data and consumption habits that can lead to the identification of an individual (over time) are also considered personal data and are therefore expected to be subject to the GDPR. This deliberately includes all tracking data that can be leveraged to identify an individual.

Consent as the basis for processing and storing personal data
Personally identifiable information under that definition may only be stored and/or processed on a well-defined legal basis. That basis might be a contract or an obligation imposed by law. Unless such a basis is available, consent is required prior to processing personal data. Such consent is expected to be provided per purpose, and the data processor will have to provide “proof of consent” as evidence. Consent must be freely given, informed and unambiguous, and it consists of either a statement or a clear affirmative action.

Appointment of a Data Protection Officer (DPO)
Until now, there has rarely been an obligation for a large group of organizations throughout the EU and beyond to appoint a Data Protection Officer. With the GDPR coming into effect, this changes for many of them, namely those processing special categories of personal data on a large scale or those monitoring individuals systematically. In that case, the organization is obliged to appoint a DPO with adequate professional qualities and expert knowledge of data protection.

Extended rights of data subjects
The rights of individual data subjects have been extended as part of the GDPR. While the “right to be forgotten” (the right to have data deleted) has already gained considerable visibility, several other additional rights have been introduced.

Complete information about the data stored in an organization must be provided on request, and this may also be requested as a full export in a portable format with the option to edit it. The right to pause or freeze data processing is another challenge that typical organizations are not well prepared for. The same is true for the implications of the revocation of formerly granted consent. All of these new data subject rights are difficult to implement and require major changes to data management processes.

Data Protection Impact Assessments (DPIA)
The EU GDPR clearly follows a risk-based approach. This is reflected in the mandatory Data Protection Impact Assessments that must be conducted by each organization that processes data in a way (by nature, scope, context or purpose) that poses a high risk to the rights and freedoms of individuals.

Managing data breaches
Organizations need to be prepared for potential data breaches impacting PII, and adequate processes for dealing with such a situation need to be defined, implemented and tested. In the event of a breach, the data controller must notify the appropriate Supervisory Authority. For this breach notification, a period of 72 hours has been defined. If sensitive customer data that may impact the rights and freedoms of consumers is affected by the breach, the consumers must also be notified.

Impact of Brexit on the GDPR requirements for the UK
Given the scope of applicability described above, organizations must understand the EU GDPR as the common denominator for the future of data protection, security and privacy, both within the EU and outside it.

To facilitate trading in the common market, the UK should be expected to provide a framework similar to the GDPR and acceptable to the EU. Stable compliance with the rules set forth in the GDPR is a key challenge and an essential requirement for any organization in the future, whether it is located in the EU, in the UK or outside Europe. Being a player in a global economy, independent of political decisions yet to be made, and even more so in the EU single market, mandates compliance with the GDPR.


Matthias Reinwarth is Senior Analyst at KuppingerCole focusing on Identity and Access Management, governance and compliance. He has consulted in the Identity Management sector since 1993. Matthias’ areas of expertise cover all major aspects of IAM including technology and infrastructure, data and entitlement modelling as well as IAM processes and governance.