The way companies are legally obliged to manage their data is about to change in a big way
The General Data Protection Regulation, or GDPR, replaces the European Commission’s data protection directive (Directive 95/46/EC) from 1995. The beefed-up legislation takes effect on the 25th of May next year. Its goal is to give EU citizens better control and security of their personal information and to streamline the process for sharing data, with strict penalties of up to 4% of global turnover for non-compliance.
GDPR applies to any company globally that handles any sensitive information on EU citizens and covers a broad array of data types. Banking information, photos, addresses, social media posts, medical information, and even IP addresses are all covered under the legislation. This means any data that reveals information about an individual’s life, whether personal or professional, will be taken into account. The regulation requires each state to set up a supervisory authority to monitor compliance within its jurisdiction. Each business will be assigned a single “Leading Authority”.
The retention time of data, as well as the contact information for the data controller and data protection officer, must be made available upon demand by the consumer. Privacy by design and by default must be practiced, and this includes data masking with pseudonyms for an added layer of security. “Pseudonymization” means encrypting data where the key to unlocking the encrypted information is stored separately. Data breaches must also be reported within 72 hours, and sanctions are imposed on those who are non-compliant, reaching upwards of 20 million euros. Other factors such as data portability and an individual’s ‘right to erasure’ are also subsections of the new regulation.
Preparing Legacy Data
Companies should also be aware that data decisions based on algorithms are now contestable by consumers, as is profiling. These restrictions are more flexible for law enforcement, judicial authorities and other governmental agencies who are often required to use and share protected information to carry out their duties. So how can companies prepare their legacy data to respond to these requests?
“It’s both a matter of preparing the data and preparing the process in terms of how you manage the data and use it,” says Florian Douetteau, CEO of analytics firm Dataiku. “Companies must be sure they can provide the full lineage of their data – that’s possibly a challenge because of how many systems are built.”
Unique to the regulation is the need to assign Data Protection Officers. A DPO would be required to take on more than a traditional compliance officer, and they are expected to be well versed in the IT operations of their business. They must be able to handle threats and cyber attacks and, of course, must know the laws, practices, and regulations around GDPR inside out. DPOs must have their own support team and be fully up to speed with technology and security practices, for which they are solely responsible.
While the benefits of GDPR are obvious for privacy-conscious consumers, organizations that have decades of data kept in a variety of ways face a major headache in preparing their data, with time running out.
“Because it’s typically a two-year project, they should start right now. They should have started six months ago,” warns Douetteau. We spoke to him in depth about how companies can prepare today; listen below.
If you’re looking for advice on how your organisation can prepare its legacy data, contact Dataiku.