EU GDPR: The first 100 days
After a two-year grace period, the EU GDPR finally came into effect on May 25th of this year. One of the toughest challenges every company has faced in the first 100 days is the enormous amount of documentation work that the extended accountability obligations involve. To comply with the new data protection requirements, every company has to identify which data within its organization falls within the scope of the EU GDPR. After all, the regulation applies exclusively to personal data.
Personal data is any information that relates to an identified or identifiable living natural person. Based on this definition, companies must review their data pool to gain an overview of which data is subject to the requirements of the EU GDPR. In an era of ubiquitous data processing (Internet of Things, connected cars, big data, etc.), distinguishing personal data from non-personal data is actually not easy. With increasingly powerful and affordable sensor and storage technologies, the scope of data processing in companies is growing steadily. New data analytics methods (big data) and the rising importance of software-based solutions (artificial intelligence) are driving companies to collect more data so that it can be put to use.
More rights, more complaints
The rights of data subjects, i.e. the rights of the individuals whose data is collected and processed, were extended effective May 25th. Data subjects now have rights over all of their personal data, including the rights of access, erasure and restriction of processing, the right to object and to revoke consent, and the new right to data portability. Despite the two-year grace period, many companies were not fully prepared when the regulation went into effect. This is probably due to partially unclear legal requirements and to companies' outdated risk assessment of data protection compliance. But it is mostly due to the fact that companies lack an overview of their own data. Many still do not have the data protection experts, methods and software solutions needed to fulfill the regulation efficiently. Since the EU GDPR went into effect, however, the number of complaints received by supervisory authorities has quadrupled. To handle this rising number of inquiries from data subjects, companies have to check, adjust and extend their processes. These adjustments are absolutely necessary. After all, consumer groups, citizens' groups and supervisory authorities are providing people with tools and templates to help them exercise their right of access. An official investigation typically begins when someone lodges a formal complaint that their right of access to their personal data was not fulfilled. Given the more severe penalties now in force, companies urgently need to take action: those who violate the data protection regulation will not only face financial penalties, but also risk a damaged reputation and loss of trust.
Although no major fines have been imposed yet, we can expect to see more regulatory actions taken against companies in the future. Even the supervisory authorities need to increase and train their personnel regarding the new EU regulations. In other words, no one can be resting on their laurels here. The Berlin data protection officer reported that between May and July 2018, the city's offices received 1,380 data protection-related complaints from citizens. In the year before, it was a mere 344. Data protection officers from all over Germany are reporting a similar increase in complaints. The auditing firm Deloitte has experienced the same situation. One of Deloitte's clients, a German media company with 1,800 employees, had a 200% increase in data protection inquiries. The only way a company can effectively provide information is if it has a complete and orderly overview of its own data pool. If the company had not set up a software-based data inventory and made the necessary adjustments to its internal processes with the help of the consultancy, it would not be able to handle the flood of inquiries today. The data protection officer of the company is convinced that in doing so, it has managed to avoid a high number of customer complaints to supervisory authorities.
Identify and close compliance gaps
Another Deloitte client, an international confectionery manufacturer, also had the challenge of creating an overview of its own data pool and a record of processing activities (Art. 30 EU GDPR). Working with a small team of lawyers and IT experts from Deloitte, the employees of the company were able to create such a record within two weeks. The company now uses this as a means of adjusting its processes while Deloitte simultaneously conducts a gap analysis, which identifies possible data protection compliance gaps in the company. The gaps are then displayed and assessed according to risk, based on which implementation recommendations for eliminating the risks are made.
In addition to the rigid documentation responsibilities, companies also face major challenges due to the comprehensive information obligations, particularly regarding the purpose, type and scope of data processing. Contrary to what many expected, there has yet to be a wave of warning letters about incorrect or imprecise information. Many websites operated from outside the European Union, such as the website of the LA Times, have completely blocked European access out of fear of sanctions. This is perhaps one of the most unpleasant consequences of the EU GDPR.
Anonymously processing data
Companies also face a two-sided challenge: On the one hand, they must take great care to create and implement a deletion concept that complies with the requirements of the EU GDPR. On the other hand, they must ensure that this concept does not stop them from exploiting the possibilities of more extensive and intensive data usage. One recommendation for resolving this dilemma is to gradually remove the personal references from data. Through pseudonymization or anonymization, companies have a way to respect the rights of the data subject while still fully mining the data for insights. Company data protection officers must factor in this situation when creating and maintaining a record of processing activities, as stipulated in Art. 30 of the EU GDPR, one of the most important documentation requirements of the entire law. To meet its strict stipulations, further methods and tools still need to be developed.
Harmonizing deletion and storage obligations
Data protection law requires companies to immediately delete personal data for which there is no (or no longer any) legal basis under data protection law. On the flip side, certain kinds of data are also subject to storage and archiving obligations — for example, those laid down in the German commercial code (HGB) and in the German fiscal code (AO). To cope with these diverging obligations, companies need to develop both deletion and storage concepts that still allow data to be used in the future. But this is a major challenge for many. It involves developing customized solutions for each data pool and each data usage need. Deloitte has helped companies to define and implement customized deletion classes, enabling them to structure corporate processes for data deletion as efficiently as possible. To streamline the implementation of these concepts, Deloitte recommends using an enterprise content management (ECM) system that offers the option of classifying data according to a storage and deletion concept. An ECM system also facilitates the technical implementation of the concept. For example, the ECM software solution Doxis from SER offers functionalities to classify data, which enables companies to fulfill their data protection obligations for all collected data through the software. This ECM solution can also automatically manage retention periods and storage deadlines.
Data sovereignty still a hot topic internationally
Companies around the globe face a rising number of requirements. The California Consumer Act in the US, for example, is one recent piece of legislation that imposes stricter requirements on companies; a federal data protection law is also under discussion. Meanwhile, in Europe, the ePrivacy regulation is currently being debated. It concerns the data protection of electronic communications, in particular the definition of the permissible framework for personalized marketing. Above all, there is still the question of how to define the right of disposal over data. German and European lawmakers are working on an answer to one of the most important questions of our information society today: "Who does data belong to?" It remains to be seen how this develops.