A wide ranging set of rules to protect the data of citizens in member nations of the European Union was adopted in April. Known as the General Data Protection Regulation (GDPR), the measure’s goal is to replace the existing patchwork of national laws with a single modern regulation that reflects the digital age. As such, the new directive can be applied uniformly throughout the EU, which should ease the administrative burden of those trying to negotiate the present fragmented legal landscape.
That uniform application of the measure, which will take effect in May 2018, is a bit unusual, noted Agnes Andersson Hammarstrand, a partner and IT attorney with Advokatfirman Delphi. “Normally we’re used to local laws in each EU country, but now we actually have a direct applicable regulation which is the same and should be interpreted the same in all EU countries,” she said at the Nordic APIs 2016 Platform Summit held in Stockholm in October.
A broad number of organizations processing personal data will have to comply with the GDPR, including all EU companies and public authorities, as well as companies selling wares to EU citizens. Companies that use APIs to expose their applications to the web need to be particularly careful in determining who can request data from their systems, how such requests will be answered, and how to protect the confidentiality of those answers with security measures such as encryption.
One contentious aspect of the GDPR is its tough sanctions. Companies that violate the regulation can be fined up to 20 million euros or four percent of annual worldwide sales. “It’s quite a lot, isn’t it?” Hammarstrand observed. In addition, individuals can file civil lawsuits against companies that violate the new law.
Because the penalties are so severe, they won’t be imposed lightly, but they do make the point emphatically that companies had better start putting projects and routines in place to comply with the GDPR, as well as documentation of that compliance. “If you don’t do that, if you don’t have any projects, any routines, if you don’t do what you have to do, it’s possible to get these fines,” Hammarstrand said.
- Customer data, purchasing histories, pictures, emails, names and phone numbers;
- IP addresses and motor vehicle registration numbers;
- B2B and B2C information;
- Biometric information such as fingerprints, faces, voice prints and eyeballs.
Companies are responsible for any personal information they collect, whether that data resides in a customer database, employee database, or even a supplier database. What’s more, custodians of personal data collected by a company — even if they just store the data and don’t have access to it — need to comply with the GDPR or risk being fined.
Not only is the personal data itself covered by the new rules, but everything that’s done with the data, too. “Processors [of data] also have a responsibility,” Hammarstrand said. “What’s new in this legislation is they have a direct responsibility. They could actually be reviewed and fined if they are not complying with the legislation.”
Stairway to GDPR Compliance
Hammarstrand outlined a series of steps that data collectors should follow when assessing their compliance with the GDPR.
First, you have to ask yourself if the processing of the data you’re collecting is legal. If it isn’t, your chances of complying with the GDPR are dead on arrival.
If you can clear that first step, then you need to determine if you’re complying with all the fundamental principles in the GDPR. For example, one such principle is that data should be stored only as long as necessary.
While some principles will remain constant across industries, others will not. For instance, if you’re working with sensitive data — like health data — you must meet a special set of rules for that.
When you’re confident you’re compliant with the data handling principles in the rules, you can progress to the next series of steps to meet compliance. They include:
- Putting in place security routines for data portability.
- Creating agreements and documentation connected to the data you collect.
Finally, most importantly for international business — there’s a prohibition on transferring data out of the EU, unless you have a legal basis for doing so. “It is possible, of course, to transfer data and to process data out of the EU, but you need to be sure to do it in accordance with regulation,” Hammarstrand said.
Meeting Legal Obligations
While at first glance, it may seem as if anything an organization wants to do with data is outlawed by the GDPR. That’s not the case. “Is everything illegal?” Hammarstrand asked. “Of course not. Quite a lot of the things you want to do are legal to do.”
For example, data can be processed to meet legal obligations. Such obligations include:
- Meeting a contract to which the subject of the data is a party.
- Complying with a legal obligation.
- Protecting the vital interests of the subject of the data.
- Protecting the public interest.
- Advancing legitimate interests as long as they do not override individual interests.
If you can’t find a legal peg to justify a purpose for processing data, you can always seek the informed consent of the data’s subject to do it. Hammarstrand noted that the need for informed consent is often misunderstood by data collectors. “It’s a popular mistake to make,” she said. “You only need consent when you don’t have any other legal basis for processing the data.”
“It’s my recommendation to not obtain consent if you don’t need it,” she added, “because consent is something that can always be withdrawn.”
Principles of Minimization
Any legal processing of data must be consistent with the principles of minimization in the GDPR:
- Minimization of Purpose. Data must not be processed for a purpose other than that for which it was collected.
- Minimization of Data. Data should be adequate, relevant and limited to what is necessary for the purposes for which it is processed.
- Minimization of Storage. Data must not be kept for longer than necessary.
A collector of data must also meet some general security requirements. For example, it must take technical and organizational measures to assure an appropriate level of safety for the data it’s processing. What those technical and organizational measures are vary from industry to industry. For example, organizations collecting healthcare data may need to meet higher security standards that those in a retail business.
Hammarstrand advises companies shopping for security solutions to comply with the GDPR to make sure any solution considered meets the specific needs of their business. “There are a lot of companies that want to sell different types of solutions to you,” she said. “They say, ‘You have to buy this to comply with the regulation.’ There are no such requirements. It depends on what your company has for requirements.”
Making choices that are right for your company is vital when meeting the GDPR’s privacy design mandates. In general, though, companies need to think about privacy when they design their IT systems. What that means in practice is that top management has to be involved in protecting the privacy of the data its business collects and budgets for privacy measures will be necessary; to protect data, fostering a culture of security throughout the entire business will be necessary.
Hammarstrand urged companies to take a holistic view of GDPR compliance. That means GDPR compliance can’t be delegated to an IT or legal silo. It needs to be something spread throughout an organization and infused in its culture. That’s why it’s important to include people with a variety of competencies and backgrounds in the compliance process.
Conclusion: Procrastination Is Not an Option
How should a company prepare for the GDPR? First, budgeting and planning must be done carefully and immediately. In addition, awareness of the new regime must be disseminated throughout the organization.
A thorough investigation must be conducted of an organization’s data usage to determine if changes must be made to comply with the law. Responsibilities must be established, legal instruments created, and IT measures put into place to comply with the GDPR.
Companies will also need to evaluate their existing APIs for compliance. The GDPR could disrupt API deployment because existing APIs may need to be reengineered to meet the new regulation’s requirements. That’s especially true in industries with tighter compliance rules.
Data portability requirements also require APIs be used to allow data owners to have access to their data. Some companies may see that requirement as a burden and adopt a minimalist approach to complying with those requirements. Savvy businesses, though, will see that while they need to share their data with others, others also have to share data with them. Ironically, this data sharing could be leveraged to create new services that would not have been possible without the GDPR.
Although 2018 may seem far into the future, Hammarstrand emphasized that the compliance process needs to be started now. “This is something you need to budget for now, otherwise it will be too late.”