Why the new EU privacy rule will be challenging for providers
While Facebook is in the hot seat for failing to safeguard data privacy, the European Union is about to take a giant step forward to protect personal data. The EU’s General Data Protection Regulation (GDPR), adopted two years ago, will go into effect on May 25, and the implications are large for companies that handle data belonging to Europeans.
This includes SaaS providers looking to develop and deploy apps that work with data across international boundaries. It also impacts healthcare organizations collaborating with countries in Europe to speed research and development of healthcare solutions.
The GDPR takes a broad view of what constitutes personal identification information. Organizations that must comply with GDPR will need the same level of protection for an individual’s IP address and cookie data as for their name, address and medical ID number. Companies can hold and process only the minimum amount of data needed to achieve their objectives, only for as long as necessary.
The data at rest must be encrypted or tokenized to prevent security breaches. If such a breach occurs, the data-controlling company must notify the authorities in the country where the breach occurred within 72 hours. Personal data cannot be transferred to countries outside the Eurozone unless those nations guarantee the same level of data protection as the GDPR.
Noncompliance with the GDPR can result in a fine of as much as 4 percent of a company’s annual global revenue or 20 million euros, whichever is greater. This penalty can be incurred if a company doesn’t obtain sufficient consent from individuals to process their data or doesn’t build privacy into their business processes. Organizations can be fined 2 percent for not having their records in order or failing to report a security breach. Companies that control data and those they hire to process it—including cloud providers—have liability for noncompliance and security breaches.
According to a PwC survey, 77 percent of U.S. companies with 500 or more employees that do business in Europe expect to spend $1 million or more to meet GDPR requirements. Some 54 percent of these firms said GDPR readiness was their top security/privacy priority. But 23 percent of them hadn’t started preparing for the GDPR. It is estimated that about half of U.S. companies won’t comply with all GDPR criteria by May 25.
To meet GDPR requirements, U.S. companies with European operations will have to change the way they process, store and protect customers’ personal data. If they use cloud services, they will have to develop comprehensive data locality plans with the help of security, privacy and compliance experts.
- Locality plan development is typically a four-step process:
- Create a detailed diagram that illustrates the flow of personal data coming into, within, and from a cloud system.
- Perform a lifecycle analysis that helps define and architect data safeguards at every stage of the data’s lifecycle, including its creation, use, distribution, maintenance, storage and destruction.
- Write a compliance gap report on these safeguards, which includes mapping to all relevant GDPR policies, procedures and regulations.
- Provide detailed administrative, physical and technical recommendations to address each of these requirements.
Companies will also have to create new processes to meet GDPR’s consumer requirements. Asking patients to consent to the processing of their data, for example, requires a very different approach than an opt-out procedure. Similarly, companies will have to track the location of each individual’s data and how it has been used to respond to patient requests about the use and processing of their healthcare data. All of this must be designed into the system so that it can be performed automatically and checked regularly for GDPR compliance.
In addition, contracts with cloud providers, SaaS vendors, payroll service providers and other business partners may have to be rewritten to protect the data-controlling company. This is similar to what happened in the U.S. in 2010, when the HIPAA Security Rule required HIPAA-covered entities to take responsibility for the actions of their business partners. As with HIPAA, it is incumbent upon the data-controlling company to ensure that these third parties are compliant with the GDPR. This means that companies must understand how their vendors operate and what their security procedures are.
All in all, data companies have a daunting challenge ahead of them as they grapple with the GDPR. This is especially true if they are behind in their preparation efforts. But with the right expert assistance, they can rise to the challenge and continue doing business in Europe without concern about financial penalties.