The deadline for enterprises to comply with the European Union’s tough new personal data privacy regulations is just over 12 months away, but experts still worry many companies here that fall under its umbrella will be penalized because they won’t be prepared in time.
“A lot of folks in North America haven’t realized the impact it will potentially have,” says John Proctor, vice-president of the global cyber security practice at Montreal-based solutions provider CGI.
“I don’t think many have woken up.”
Companies have known for a year that the General Data Protection Regulation (GDPR), which covers personal information of EU citizens they collect as employers or through business transactions, comes into effect May 25, 2018 – regardless of whether that data is held in Europe, in the cloud or in another country.
Briefly, the regulation obliges companies to use clear language to get consent from individuals for the use of personal data, and it has to be as easy to withdraw consent as it is to give it. There is the so-called right to be forgotten, obliging data holders to destroy personal data on demand. Firms have to promise not to use personal data for purposes other than what it is intended for. If a firm wants to use it for another purpose it has to go back to the person for permission. There are also 72-hour data breach reporting requirements.
Failure to comply could subject a firm to fines of up to four per cent of a parent company’s annual revenue up to a maximum of EU20 million.
Yet apparently many firms are still dithering or think they still have lots of time to get their business processes and IT systems into compliance.
“I started getting real phone calls over the past 60 days,” says Imran Ahmad, who leads the cyber security law practice at Toronto law firm Miller Thomson LLP and is a member of the Canadian Advanced Technology Alliance’s (CATA) cyber security advisory committee. “I’d say I get one every two days.”
Questions include whether the legislation applies to their company and how to comply if it does.
Generally, he believes large organizations affected have already started their work, while mid-size firms are getting up to speed. That leaves small companies potentially in trouble.
Panic is starting in some companies, Ahmad agrees, and it’s only going to get worse. He compared it to the rush of companies in 2014 to meet the deadline to comply with the Canadian Anti-Spam Legislation (CASL).
“I personally have not witnessed a lot of activity in terms of companies getting ready for GDPR,” said Ann Cavoukian, director of Ryerson University’s Privacy and Big Data Institute. The exception, she adds, are calls about complying with the GDPR’s requirement that personal data be protected from the onset of the designing of systems under the princples of Privacy By Design, which Cavoukian helped create.
She fears many firms think because the EU has ruled Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is adequate for complying with current European privacy regulations they are safe. They are wrong. At some point the EU will have to decide if complying with PIPEDA is good enough for the GDPR, or will the Canadian legislation have to be changed.
If you’re a firm that does a lot of business in Europe “you better be most of the way there in getting your house in order,” warns privacy lawyer David Fraser, a partner in the Halifax law firm of McInnes Cooper.
These warnings come as Hewlett-Packard Enterprise this week released a GDPR Starter Kit, a bundle of software including a content manger, a structured data manager and a data discovery and classification solution to help companies identify, classify, and take action to secure impacted data.
“A lot of people look at GDPR and assume it’s really complicated,” said Joe Garber, HPE’s global vice president of marketing for information management and governance software. But by starting small with first classifying information and then building on additional pieces it can be done.
Organizations may already have the technology needed, adds CGI’s Proctor, such as the ability to encrypt information, a data monitor, and data governance.
Also note that organizations already complying with the current EU Data Protection Act meet many of the GDPR’s main concepts. A 12 step guide to prepare for meeting the new reg issued by the U.K. Information Commissioner’s office pointed out that “if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.”
Cavoukian and others note that it’s vital for organizations to start now by creating a data map of all points of entry of personally identifiable information and consents needed to use the data. Then figure out if there are secondary uses of data collected. Does data go outside the firm to third parties the customer hasn’t consented to?
One important duty is identifying personal data held on EU citizens from pools with data of people from other countries, notes Ahmad, so they can be quickly found for breach notification. “A lot of people haven’t segregated European operations from those from other countries,” he said. All data may be anonymized for security purposes, but but then it becomes difficult to identify the EU citizens.
He also notes a new EU Electronic Privacy Regulation (EPR) comes into effect at the same time as the GDPR, which covers privacy-related issues in electronic communications such as cookies, spam and using third party analytics.
Companies “have got to amp this through so you can attach the necessary permissions where they’re lacking and elevate the level of consent to where it is required by GDRP,” says Cavoukian. This is the time to get moving on it.”