This week, the General Data Protection Regulation (GDPR) will become the ‘law of the land’. The legislation originated in the European Union, but the effects will be felt by organizations across the globe:
The requirements apply to ALL organizations processing the personal data of people in the EU, wherever the organization itself is based, and they reach third-party vendors (processors) as well as the companies that engage them.
The provisions set forth in the GDPR are as broad as they are innovative (or daunting, depending on your perspective): it’s the biggest change to data legislation in decades. The change aspect is what many companies will focus on, since becoming GDPR-compliant is no small task. Playing by the new rules will require monumental shifts in the way companies, and their compliance departments specifically, approach the acquisition and use of personal data.
We certainly can’t deny the challenges that are woven into the GDPR, but it’d be equally disingenuous to ignore the silver lining: At its core, the GDPR represents a massive change in the way society treats the topic of individual privacy. It’s a seismic shift toward enhanced personal protections over the data we all share online, every day.
With so many high-profile instances of data being misused in recent years (I’m looking at you, Cambridge Analytica), the data privacy movement is gaining momentum worldwide, especially in the European Union.
The times are changing, and with those changes comes the opportunity to do better. Individual autonomy over the information we share is, at its core, an ethical issue. Companies may be required to comply (or else face hefty fines), but I also view this as a chance to continue driving ethics into the center of business for a better world.
However, before we dive into that, let’s briefly review how we got here.
A brief history of society’s approach to data collection and protection
In many ways, the push to protect data subjects more carefully gained force after 9/11, as the European Union, and the rest of the world, watched the US government expand its surveillance of citizens. In a 2014 press release, European Commission Vice-President and Justice Commissioner Viviane Reding wrote:
“Data collection by companies and surveillance by governments. These issues are connected, not separate. The surveillance revelations involve companies whose services we all use on a daily basis. Backdoors have been built, encryption has been weakened. Concerns about government surveillance drive consumers away from digital services. From a citizen’s perspective, the underlying issue is the same in both cases. Data should not be kept simply because storage is cheap. Data should not be processed simply because algorithms are refined. Safeguards should apply and citizens should have rights.”
She even called out US companies specifically:
“And finally a message to our American friends. Data Protection rules should apply irrespective of the nationality of the person concerned. Applying different standards to nationals and non-nationals makes no sense in view of the open nature of the internet. Ultimately, distinguishing between the rights of individuals depending on their nationality and place of residence impedes the free flow of data. Europe should be very proud of the fact that it treats data protection as a fundamental right – a fundamental right on which every human-being can rely.”
It’s a fascinating press release (and worth a read) that paved the way for adoption of the GDPR in April 2016.
Answering the question, “Why the GDPR? And why now?”
Clearly, we’ve had a problem on our hands for some time now. European lawmakers recognized the problem several years ago, but high-profile scandals from the likes of Facebook, Tesco, eBay, JP Morgan Chase, and many others have turned the issue into a matter of intense public interest.
Despite countless news cycles covering so many violations of personal privacy, many people are still unaware of how easily and frequently their personal information is shared across organizations (and not always for purposes they would agree to if they had the full story).
We absolutely need to balance technology with privacy, which is what the GDPR aims to do. As ethics and compliance professionals, we’re in a unique position to spearhead the movement toward that balance. Granted, we don’t have much choice other than to comply with the GDPR, but that’s beside the point.
Regardless of the difficulty in maintaining compliance, the fact that this legislation will champion the data rights of individuals can’t be disputed. I know that I speak on behalf of the entire Convercent team when I say that we are all ardent supporters of this basic right.
What do ethics and compliance professionals need to know about the GDPR?
You can learn all about the specific ins and outs of the GDPR here, but there are four key areas covered by the GDPR that will impact you:
Privacy by Design
Privacy by design requires the inclusion of data protection from the outset in the design of systems, rather than as an addition. In practice, this includes both organizational and technological considerations.
Consent
Who hasn’t clicked “Accept Terms and Conditions” without actually reading those terms and conditions? These documents are typically riddled with legalese that people don’t read, but the GDPR requires that a request for consent be:
- Presented in an intelligible form using clear and plain language.
- Clearly distinguishable from other matters – not buried in an employment contract or a terms-and-conditions document.
- As easy to withdraw as it was to give.
Right to Access
Under the GDPR, data subjects will have the right to obtain confirmation as to whether or not personal data concerning them is being processed, where, and for what purpose. Further, the data controller must provide a copy of the personal data, free of charge, in an electronic format.
Pre-GDPR, companies often charged a small fee if an employee wanted to access their data, so this will be a big change for some organizations. While we don’t yet know if there will be an increase in these types of requests, it’s always a smart move to be prepared.
Right to be Forgotten (aka Data Erasure)
Data subjects will soon have a ‘right to be forgotten’ (the right to erasure in Article 17), which means personal data must be erased at the request of the data subject when one of the listed grounds applies, for example when consent is withdrawn or the data is no longer needed for the purpose it was collected for. When this right is exercised, the controller must stop further dissemination of the data and, where it has made the data public, take reasonable steps to inform other controllers processing it so that they erase links to and copies of it.
Until now, there hasn’t been a common legal standard for how long personal data may be retained (though it has always been important to adhere to your own company’s retention policy). The GDPR’s provisions on the topic put compliance professionals in an interesting position:
If you delete certain information, you lose historical analysis, and it becomes difficult to identify and assess trends. Deleting information prematurely can be a failure in the duty of care, but failing to delete information when a data subject is entitled to have it erased violates that individual’s rights.
Luckily, there are solutions that can help you achieve balance.
Convercent’s Ethics Cloud Platform & the GDPR
The Convercent team has been following the development of the GDPR closely, and we’ve been hard at work ensuring our customers can comply without sacrificing the fidelity of their valuable data history. Each new enhancement is integrated directly into the existing Ethics Cloud platform, and has been strategically designed to target the biggest challenges of GDPR compliance.
As one of my favorite examples, users have the flexibility to surgically redact information while retaining context. Personally identifiable information can be erased and replaced with a redaction marker within the Convercent platform. You can still perform analytics on the issue reported, but all confidential PII is hidden. It’s a powerful, user-friendly way for ethics and compliance professionals to help the movement toward individual privacy continue, without sacrificing the fidelity of their valuable data history.
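To make the redaction pattern concrete, here is an added illustration written for this article. It is not Convercent’s code and says nothing about how the Ethics Cloud platform is implemented; the field names, the regular expressions and the three sample reports are all constructed for the example. It wipes the identifying fields of a report, scrubs the same identifiers (plus anything that looks like an e-mail address or phone number) out of the free-text narrative, checks that nothing identifying survived, and shows that category-and-year trend counts are unchanged afterwards.

```python
import re
from collections import Counter

# Constructed sample reports for the example; not real people or cases.
REPORTS = [
    {"id": 1, "category": "Harassment", "region": "DE", "year": 2017,
     "reporter_name": "Anna Schmidt", "reporter_email": "anna.schmidt@example.com",
     "narrative": "Anna Schmidt (anna.schmidt@example.com, +49 30 1234567) "
                  "reported repeated comments from a line manager."},
    {"id": 2, "category": "Expense fraud", "region": "FR", "year": 2017,
     "reporter_name": "Jean Dupont", "reporter_email": "jean.dupont@example.org",
     "narrative": "Jean Dupont flagged duplicate receipts; contact jean.dupont@example.org."},
    {"id": 3, "category": "Harassment", "region": "DE", "year": 2018,
     "reporter_name": "Maria Rossi", "reporter_email": "maria.rossi@example.net",
     "narrative": "Follow-up to the 2017 case, submitted by Maria Rossi."},
]

# Hypothetical schema: these fields identify the data subject and are wiped on erasure.
PII_FIELDS = ("reporter_name", "reporter_email")
REDACTED = "[REDACTED]"

# Generic patterns for identifiers that may also appear in free text.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def redact_report(report):
    """Return a copy with identifying data blacked out and structured fields kept."""
    out = dict(report)  # never mutate the caller's record
    known_values = [report[f] for f in PII_FIELDS if report.get(f)]
    for field in PII_FIELDS:
        if field in out:
            out[field] = REDACTED
    text = out.get("narrative", "")
    # Exact known identifiers first, then generic e-mail and phone patterns.
    for value in known_values:
        text = text.replace(value, REDACTED)
    text = EMAIL_RE.sub(REDACTED, text)
    text = PHONE_RE.sub(REDACTED, text)
    out["narrative"] = text
    return out


def contains_pii(redacted, original):
    """True if any identifier from the original still appears in the redacted copy."""
    blob = " ".join(str(v) for v in redacted.values())
    if any(original.get(f) and original[f] in blob for f in PII_FIELDS):
        return True
    return bool(EMAIL_RE.search(blob) or PHONE_RE.search(blob))


def trends(reports):
    """Issue counts by (category, year); the analytics we want to keep."""
    return Counter((r["category"], r["year"]) for r in reports)


def redact_all(reports):
    """Redact every report and fail loudly if any identifier leaked through."""
    redacted = [redact_report(r) for r in reports]
    leaks = [o["id"] for r, o in zip(redacted, reports) if contains_pii(r, o)]
    if leaks:
        raise ValueError(f"identifiers survived redaction in reports {leaks}")
    return redacted


if __name__ == "__main__":
    cleaned = redact_all(REPORTS)
    for r in cleaned:
        print(r["id"], r["category"], r["narrative"])
    print("trends unchanged:", trends(cleaned) == trends(REPORTS))
```

The check in `contains_pii` is the part worth keeping in any real workflow: a redaction step that is not verified against the original record is only a hope. Note the limits of the approach, too. Exact-string and pattern matching catch names, addresses and numbers, but an indirect identifier (a rare job title, a date and location, a nickname) can still single someone out in a small team, so a reviewer still has to read the narrative before treating the record as anonymized.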
You can learn more about the GDPR and Convercent’s solution here, but we’re not done yet. I expect that this new legislation will evolve quickly over the next few years as its application and enforcement are tested (and Convercent’s solutions will evolve in tandem).
For example, there are specific challenges when it comes to comparing the obligations of duty of care (which would drive an organization to retain every allegation and accusation, just in case a pattern of actual behavior emerges) versus the right to have an unsubstantiated allegation erased. As this new legislation makes its way through the courts, we’ll acquire further insights and knowledge about this scenario and others.
While the uncertainty around GDPR compliance may feel troubling at the moment, we’re all in this together. Soon enough, we’ll learn how the new law of the land is being interpreted and how to implement it most effectively while managing other obligations and legal requirements.