Privacy legislation: the panic is yet to come
April 12, 2016
The European General Data Protection Regulation (GDPR) will probably be approved by the European Parliament in May and will apply throughout the EU. The legislation will force companies into privacy compliance by means of an extensive package of requirements. There will be a transition period until 2018. During that period, the legislation's impact on organizations will become clear. In any case, a company will have to:
- document all processing operations and data streams;
- execute DPIAs on processes which potentially pose a high risk to privacy;
- adjust privacy statements/policy and processing agreements;
- apply privacy-sensitive architectures (privacy-by-design) in design, purchasing and policy processes;
- make written agreements with those sharing responsibility for the legal obligations.
John Borking: "Has panic broken out? Most companies know absolutely nothing about what is going on. A lot of information still needs to be given. Panic will probably start with a trickle."
Mandatory Data Breach Notification Act
There is particular concern about the Mandatory Data Breach Notification Act, the part of EU legislation that has been brought forward by the Netherlands and which has been in force since January 01, 2016. Its contents are known. If data is leaked, companies must inform the Data Protection Authority within two working days of becoming aware of the breach. All data breaches must be sufficiently documented. So organizations must indicate exactly where in their systems breaches have taken place and what consequences they have. They must also inform the owners of the leaked data. This means that companies will have to create procedures as soon as possible for implementing the mandatory notification of data breaches.
For many companies, the documentation of data streams is nowhere near properly arranged, notes Borking from his discussions with information managers. "They have little insight. Many have never properly mapped those data streams. And if you don't map them properly, then you also cannot map your organization's vulnerabilities." So in the coming period he expects a big increase in published data breaches.
But the EU privacy legislation includes more than mandatory notification. The GDPR requires an obligatory Data Protection Impact Assessment. That is not to be underestimated, warns Borking. "If you build a system or make changes to a system, then you have to map its effect on the protection of the personal data of all the people stored in your system."
Such an impact assessment is far-reaching: from making a data analysis, working out the data streams and systematically describing the processing operations on data, to executing penetration tests and making a risk analysis. "Have you mapped all privacy issues and their consequences? Then you need to describe in a report to which privacy risks your customers are exposed and how you intend to cover the risks. If you are unable to cover those risks, then it is quite possible that on grounds of the law such a system will not be allowed to be built and used. They will be subject to fines of as much as 4 percent of the global annual turnover or 40 million euros." There are as yet no standard schemes for impact assessments, although a lot of progress has been made in Canada.
Set up the architecture differently
Organizational measures alone are not enough to obtain control over data processes and systems. Privacy-by-design is necessary, according to Borking. "Measures need to be taken in the system itself in order to prevent personal data from being processed unlawfully. That demands a different architecture. Various privacy enhancing technologies (PET) and architectures are under development for this purpose."
As an example, he mentions audit logs which are built into a system and make the processing of personal data, and those to whom it is sent, transparent. Reputation systems demonstrate whether a company that you are sending data to is reliable. People also need to be given the opportunity of protecting their own privacy. "Sticky policies make it possible to stick your own policy to your data. For instance, you can indicate that after two years the data may not be used, unless permission is requested. Research shows that this can be done, but systems need to be built so that those sticky policies are also accepted."
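The following sketch is an added illustration of the two mechanisms just described, a sticky policy that travels with a record and a built-in audit log that records every processing attempt and recipient. It is not code from the article or from Borking's research; the class names, the two-year retention rule and the sample record are constructed for the example.

```python
"""Sticky policy + audit log sketch. Added example; names and sample data are constructed."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class StickyPolicy:
    """Policy attached to the data itself: permitted purposes and how long it may be used."""
    allowed_purposes: FrozenSet[str]
    retention_days: int
    collected_on: date
    consent_renewed_on: Optional[date] = None  # set when the subject grants permission again

    def expires_on(self) -> date:
        start = self.consent_renewed_on or self.collected_on
        return start + timedelta(days=self.retention_days)

    def check(self, purpose: str, today: date) -> Optional[str]:
        """Return None if the use is permitted, otherwise the reason it is refused."""
        if purpose not in self.allowed_purposes:
            return "purpose not covered by policy"
        if today > self.expires_on():
            return "retention period expired; consent must be requested again"
        return None


@dataclass(frozen=True)
class PersonalRecord:
    subject_id: str
    payload: Dict[str, str]
    policy: StickyPolicy


@dataclass(frozen=True)
class AuditEntry:
    when: date
    subject_id: str
    actor: str
    purpose: str
    recipient: Optional[str]  # who the data was sent to, if anyone
    outcome: str


class AuditLog:
    """Append-only trail of every attempt to process a record, successful or not."""

    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def record(self, entry: AuditEntry) -> None:
        self._entries.append(entry)

    def for_subject(self, subject_id: str) -> List[AuditEntry]:
        """Everything that happened to one person's data, for transparency requests."""
        return [e for e in self._entries if e.subject_id == subject_id]


class ProcessingDenied(Exception):
    pass


def process(record: PersonalRecord, actor: str, purpose: str, today: date,
            audit: AuditLog, recipient: Optional[str] = None) -> Dict[str, str]:
    """Enforce the sticky policy before releasing the payload; log the attempt either way."""
    reason = record.policy.check(purpose, today)
    outcome = "allowed" if reason is None else f"denied: {reason}"
    audit.record(AuditEntry(today, record.subject_id, actor, purpose, recipient, outcome))
    if reason is not None:
        raise ProcessingDenied(reason)
    return dict(record.payload)  # copy, so callers cannot mutate the stored record


def renew_consent(record: PersonalRecord, today: date, audit: AuditLog) -> PersonalRecord:
    """The subject grants permission again: the retention clock restarts from today."""
    audit.record(AuditEntry(today, record.subject_id, "data subject", "consent renewal",
                            None, "consent renewed"))
    return replace(record, policy=replace(record.policy, consent_renewed_on=today))


def demo() -> List[str]:
    """Walk one constructed record through allowed, refused and renewed uses."""
    audit = AuditLog()
    record = PersonalRecord(
        subject_id="subject-42",                                # constructed sample
        payload={"email": "alice@example.invalid"},            # constructed sample
        policy=StickyPolicy(frozenset({"billing"}), 730, date(2016, 1, 15)),  # ~two years
    )
    process(record, "billing-service", "billing", date(2016, 6, 1), audit)
    for purpose, day in (("marketing", date(2016, 6, 1)), ("billing", date(2018, 6, 1))):
        try:
            process(record, "crm", purpose, day, audit, recipient="partner-x")
        except ProcessingDenied:
            pass  # refusal is already in the audit log
    record = renew_consent(record, date(2018, 6, 1), audit)
    process(record, "billing-service", "billing", date(2018, 6, 2), audit)
    return [e.outcome for e in audit.for_subject("subject-42")]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the design is that the check and the log entry live in the one code path that releases data, so a use that falls outside the policy is refused and still leaves a trace that can be shown to the data subject or a supervisory authority.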
New information manager
Impact assessments, privacy-by-design, privacy certification: the information manager had better start preparing himself. Where should he start? "He will have to have a considerable amount of knowledge", says Borking. "He may have to employ people who possess the necessary knowledge, such as a data protection officer. The data protection officer will have to have good legal as well as technical skills. The new information manager might well be the person who will conduct consultations with all these specialists in order to create proper policy."
Of course that will be hard for the SME, he agrees. And a lot of start-ups will have nowhere near enough time for these sorts of questions. Unless such a start-up has privacy protection as its unique selling point. That is why, according to him, tools will have to be supplied to help companies to quickly and effectively implement measures. "So that you don't have to keep on reinventing the wheel." Universities can make a contribution here with research. And also: "I think that institutes will have to provide more information. Overall, industry will have to be given a lot more information. Training programs will also have to focus on it."
Increase top management awareness
There is yet another important task for the information manager. He will have to start internally increasing people's awareness that far more stringent requirements for protecting personal data are on the way. "You will have to give them training, they will have to be made aware. To a high level," according to Borking. "Top management will have to realize that privacy protection is an asset which generates confidence in a company and increases your reputation and competitiveness. And that your organization will suffer the negative consequences of neglecting it. A number of organizations are prepared. But I am convinced that most companies are nothing like awake yet."
In the future a conflict will arise between privacy protection and the pressure to simply collect more and more data. That will call for new strategic questions for companies. "Big data, the Internet of things, psychograms, clouds: these are trends that are putting privacy protection under pressure. With clouds it is still unclear which legal system is applicable." Privacy protection will be a big issue for society, he emphasizes. "And it won't go away. The information manager is going to play an important part here. I think he will be one of the most important officials of the coming ten years."
Executive Master of Information Management
Dr. John Borking is privacy-by-design expert at TIAS. He teaches the subject "Legal & Privacy Aspects" in the last module of the Executive Master of Information Management. This program offers you the expertise to analyze organizational processes and to design and implement them via strategically set up IT processes.