Until a couple of weeks ago, I had never even heard of GDPR – the new General Data Protection Regulation set by the European Union (EU).
And yet, for companies offering or wanting to offer services to clients located in Europe, the implications of infringement are clear: very high fines.
This new European legislation, which is scheduled to come into effect in May 2018, is designed to protect the rights of data subjects – those European citizens whose data you are capturing and processing.
“The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.” – “New draft European data protection regime”.
One of the biggest challenges posed by GDPR? Companies must report certain data breaches within 72 hours.
Most companies do not have the context to do this – typically it would take weeks of investigation and analysis to answer questions required by the new regulation.
Questions such as:
- Which data do we share with a hacked member company?
- Where did we get this data from?
- Who is responsible for dealing with the hack?
- What controls do we have in place and how have we limited the impact?
must be answered quickly and completely.
Answering these, and related questions that may be asked, requires business context for all protected data. There are a number of approaches that one can take, but, ultimately, this is a data governance problem. At the very least you will want to record:
- A register of sensitive data tagged with the various indicators that you need to put your data into context. Different lines of business may have different contexts – you should be able to cater for these various contexts and aggregate to an enterprise view.
- Data usage policies linked to various data elements
- Clear responsibility and accountability for the data
- Data traceability – where does it come from, what is the purpose for which it is intended, what data process and systems does it feed, and who has (and should have) access to it
- What data subjects are involved?
- Has there been a breach?
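To make the register above concrete, here is an added example (not code from the original post, and not any vendor's product) of a minimal data register with traceability links, and a query that answers the four breach questions for one hacked member company. All element names, sources, owners, controls and subject populations are constructed sample values; the field names on `DataElement` are assumptions about what such a register would hold.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class DataElement:
    """One entry in the register of sensitive data (field names are assumptions)."""
    name: str
    category: str               # sensitivity tag, e.g. "personal" or "financial"
    source: str                 # where the data was obtained from (traceability)
    purpose: str                # purpose the data was collected for
    owner: str                  # role accountable for this element
    controls: Tuple[str, ...]   # controls applied to limit impact
    subjects: Tuple[str, ...]   # data-subject populations the element describes


@dataclass
class Register:
    elements: Dict[str, DataElement] = field(default_factory=dict)
    # recipient -> names of the elements shared with it (the downstream links)
    shares: Dict[str, Set[str]] = field(default_factory=dict)

    def add(self, element: DataElement) -> None:
        self.elements[element.name] = element

    def share(self, element_name: str, recipient: str) -> None:
        # Refuse to record a share for data that was never registered:
        # an unregistered element is exactly the gap a breach exposes.
        if element_name not in self.elements:
            raise KeyError(f"unregistered element: {element_name}")
        self.shares.setdefault(recipient, set()).add(element_name)

    def shared_with(self, recipient: str) -> List[DataElement]:
        return [self.elements[n] for n in sorted(self.shares.get(recipient, ()))]


def breach_report(register: Register, hacked_recipient: str) -> dict:
    """Answer the post's four questions for a breach at one recipient."""
    shared = register.shared_with(hacked_recipient)
    return {
        "recipient": hacked_recipient,
        # Which data do we share with the hacked member company?
        "data_shared": [e.name for e in shared],
        # Where did we get this data from?
        "sources": sorted({e.source for e in shared}),
        # Who is responsible for dealing with the hack?
        "responsible": sorted({e.owner for e in shared}),
        # What controls are in place to limit the impact?
        "controls": sorted(set().union(*(e.controls for e in shared))),
        # Which data subjects are involved?
        "subjects": sorted(set().union(*(e.subjects for e in shared))),
        # Flag for the triage step; the "personal" tag is a constructed convention
        "personal_data_involved": any(e.category == "personal" for e in shared),
    }


def build_sample_register() -> Register:
    """Constructed example register; every value here is illustrative only."""
    reg = Register()
    reg.add(DataElement("customer_email", "personal", "web-signup-form",
                        "account notifications", "Head of Digital",
                        ("encrypted-at-rest",), ("EU retail customers",)))
    reg.add(DataElement("customer_postcode", "personal", "web-signup-form",
                        "delivery", "Head of Digital",
                        ("encrypted-at-rest",), ("EU retail customers",)))
    reg.add(DataElement("loyalty_points", "financial", "loyalty-system",
                        "rewards", "Loyalty Programme Manager",
                        ("pseudonymised",),
                        ("EU retail customers", "ZA retail customers")))
    reg.add(DataElement("branch_sales_totals", "aggregate", "finance-dw",
                        "reporting", "CFO office", ("aggregated",), ()))
    reg.share("customer_email", "MemberCo-A")
    reg.share("loyalty_points", "MemberCo-A")
    reg.share("branch_sales_totals", "MemberCo-B")
    reg.share("loyalty_points", "MemberCo-B")
    return reg


if __name__ == "__main__":
    for k, v in breach_report(build_sample_register(), "MemberCo-A").items():
        print(f"{k}: {v}")
```

The point of the example is that the answers come out of a lookup over links that were recorded at the time the data was shared, not from an investigation started after the breach; a register kept this way is what makes a 72-hour answer feasible.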
In many ways these requirements are similar to the existing Protection of Personal Information (PoPI) regulations being imposed in South Africa, and they are some of the components necessary in building an enterprise data protection framework.
South African multinationals that do business in both the EU and South Africa can get ahead of the curve by a systemic approach to data governance, as discussed in my post a few weeks back.