The European Union is preparing to roll out an important new rule this month known as the General Data Protection Regulation, or GDPR, which is intended to strengthen and unify data protection for all people within the EU.
The GDPR also addresses the export of anyone’s personal data outside of the EU, as personal data no longer knows or respects international borders. This mandate is especially important given the recent revelations about Facebook’s user data being compromised by foreign meddling in the 2016 U.S. presidential election.
Here’s the big catch: Under the GDPR language, European citizens have the right to be forgotten, regardless of how an organization obtained their information in the first place. In other words, Europeans will have the right to “opt out” of external retention of their personal data, if they so choose. Unfortunately, the GDPR might not be taken seriously by everyone until the first few casualties make the headlines and some hefty fines are assessed.
Enactment of this new rule marks a promising step forward for personal data privacy across Europe. However, it presents real concerns for tech managers who are responsible for storing and protecting their organizations’ information as it flows in and out of supplier networks.
Overall, most businesses appear ready to comply with GDPR, which represents the logical evolution of compliance rules beyond current regulations. The problem for most IT managers is that people in their organizations who are potentially exposed to personally identifiable information need to be ready for GDPR — but how can you protect your people against something they don’t fully understand? Furthermore, how can you protect your customer data when it is shared with supplier partners?
Probably the biggest challenge to the implementation of GDPR involves the massive and growing volumes of data produced today, and the tension between protecting internal data while still sharing product and consumer information with partners across distributed supply chains. The core problem is that most organizations do not fully understand what data they possess across their vast corporate databases, product catalogs, e-mail systems, budget spreadsheets and HR records, not to mention countless Word documents, slide presentations and social media postings.
Take for instance a recent data breach that struck a well-known shipping organization. Data that had been part of a previous acquisition for the firm was leaked because it had been forgotten about, so it remained unprotected. Under the new GDPR mandate, the shipping organization would have been hit with severe financial fines for such a lapse. Yet does the threat of such a penalty make what happened different or avoidable? That still remains unclear.
Whether the concern is protecting internal data or overcoming supplier challenges, the main goal should be the same: implement strict procedures for data classification, protection and disposal.
Nearly every sizable supplier will need to comply with GDPR, even ones that do not directly do business within the EU. This is because such suppliers are still likely to incorporate some data that pertains to EU citizen information.
In addition, organizations typically require some form of non-disclosure agreement or master services agreement with their suppliers. GDPR will ratchet up the pressure to include language in those agreements about consumer information and its proper handling. Companies will need to go back and re-examine the agreements they have signed with suppliers, and update them to cover any new data privacy requirements.
To remain compliant with GDPR, any processing of someone’s personal data must rest on one of these six lawful bases:
1. Consent. A person has given the company clear consent to process their personal data for a specific purpose.
2. Contract. The processing is necessary for a contract signed by an individual, or because they have asked the company to take specific steps before entering into a contract.
3. Legal Obligation. The processing is necessary for the company to comply with the law, not including contractual obligations.
4. Vital Interests. The processing is necessary to protect someone’s life or well-being.
5. Public Task. The processing is necessary for a company to perform a task in the public interest or for official functions, and the task or function must have a clear basis in law.
6. Legitimate Interests. The processing is necessary for the company’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests.
The right to be forgotten lies at the heart of all the new GDPR requirements. EU citizens have the right to have all their personal records purged from company data storage systems. The company has a brief window to comply and to report that its systems have been updated to honor the request.
There is little wiggle room for oversights under the GDPR mandate. To guarantee accuracy throughout the supply chain, organizations must know what data they possess, how to protect that data, and how to monitor their data systems for compliance.
Achieving this outcome will require a comprehensive review of internal policies for data retention, business processes, and technology systems. In turn, all these elements must work together in coordination with supplier systems to overcome the considerable challenges of meeting GDPR compliance.
Brad Bussie is principal security strategist for IT solutions company Trace3.