Unless you have been living in a cave for the past year, you must have heard about GDPR, the European General Data Protection Regulation. It is a comprehensive data privacy regulation (a regulation, not a directive: it applies directly in every EU member state without needing to be transposed into national law) which takes effect on May 25th, 2018. It replaces the 1995 EU Data Protection Directive and unifies data protection law across EU countries.
Note: This is the first in a series of posts on the subject of GDPR compliance.
GDPR at a high level
- Data Privacy is a fundamental right of “natural persons” (called Data Subjects). The regulation protects individuals who are located within EU jurisdictions, regardless of their citizenship; it is the location of the individual, not an EU passport, that brings them into scope.
- This right relates to Personal Data: any information that relates to an identified or identifiable Data Subject, whether it is held by a Data Controller (the organization that decides why and how the data is processed, typically the provider of a product or service) or by a Data Processor (a party that processes it on the controller's behalf, such as an outsourcer). Examples:
- Personal: name, gender, national ID, location, date of birth, physical, genetic, psychological, mental, cultural and social characteristics, online identifiers (IP addresses, cookie IDs, device IDs), medical and financial data, etc.
- Organizational (employee data): recruitment, salary, performance, benefits, etc.
- Special categories: racial or ethnic origin, religious beliefs, political opinions, biometric data, etc., which GDPR subjects to stricter rules.
- These Privacy Rights mean that you can ONLY collect Personal Data lawfully and for legitimate, specified purposes, and you may use it only as far as necessary for the purpose it was collected for. The Data Subject's rights include:
- Right to give (and to withdraw) consent
- Right to be forgotten (erasure)
- Right to rectification
- Right to data portability
- Right to object
- Right to restrict the processing of collected data
- Right to be notified of data breaches that affect them
It is worth noting that the above GDPR obligations apply to Data Controllers and Data Processors even if they are located outside EU jurisdictions (for example, a US-based cloud provider), as long as they offer goods or services to, or monitor the behaviour of, individuals in the EU.
Organizations found to be non-compliant can face significant fines of up to 20 million Euros (roughly US$ 23.5 million) or 4% of worldwide annual turnover, whichever is greater. Not small change.
If you do the math, a corporation with US$ 10B in annual revenue found to be non-compliant could be fined up to US$ 400 million.
“Sky is falling” statements like this can often produce the reverse effect:
- There are no signs that the GDPR Supervisory Authorities in the various EU countries will be trigger-happy on May 25th, 2018.
- Organizations are, however, advised NOT to take the matter lightly. GDPR is serious business, and violations will probably be handled firmly.
What does all this have to do with Information Governance?
GDPR compliance is perhaps the compelling event that organizations have been “waiting for” in order to fully embrace an Information Governance culture. The common “values” delivered by effective Information Governance Programs go a long way towards facilitating GDPR compliance, such as:
- Visibility into content (content analysis, classification, etc.), so you actually know where Personal Data lives
- Data and content minimization (elimination of ROT: redundant, obsolete and trivial content)
- Systematic lifecycle management of, and controls over, content (retention, access and disposition)
GDPR is a deep subject, and in upcoming posts I will dive a little deeper into its various aspects, such as:
- Definition and scope of Personal Data
- Obligations of Data Controllers and Data Processors
- Data Protection Impact Assessments (often referred to as Privacy Impact Assessments)
- The Data Protection Officer (DPO)
- The much-vaunted Right to be Forgotten
- The Right to Data Portability
- “Privacy by Design” and “Privacy by Default”
Details to come.