With the continuing growth of ‘big data’, the tech industry will be greatly affected by the GDPR. Top data companies like Google, Facebook, Amazon, and Microsoft, along with all other tech companies, will be required to restructure many of their policies and procedures in order to become GDPR compliant before the regulation takes effect.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a European Union law that will have a great impact on any company that processes EU citizens’ data, even if the company isn’t located in the EU. The GDPR takes effect on May 25, 2018, and companies are encouraged to begin preparations now in order to meet its requirements by that date.
There are eight rights the GDPR extends to all EU citizens, and they are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
GDPR and the Tech Industry
The GDPR will transform the way businesses in the tech industry operate. Over 2.5 quintillion bytes of data are currently produced every day, and much of that data is personal in nature and is used for various purposes by tech companies. Because of the massive amount of data being processed and controlled, the GDPR is reported to be one of the most expensive pieces of regulation in history. Given its importance and the consequences of non-compliance (a potential fine of 4 percent of global revenues or €20 million, whichever is greater), it is imperative that companies ensure their policies and procedures are clearly defined and comply with the GDPR.
Challenges for the Tech Industry
Many in the tech industry have cited four of the GDPR’s requirements as the most difficult to meet:
- Documenting all the “personal data” the company has processed or stored, and being able to delete it or provide it to the individual upon request.
- Hiring Data Protection Officers, a great expense for many companies.
- Detecting data breaches and reporting them within 72 hours.
- Allowing customers to download and take away their data, potentially giving it to a competitor.
Marketing and Profiling
Much of the data being processed and controlled within the tech industry is used for marketing and profiling purposes. The GDPR explicitly protects an individual's right to refuse the use of their data by any company for these purposes. The Information Commissioner's Office (ICO) states that “individuals have the right to object to direct marketing (including profiling)”. The ICO further explains this requirement:
- You must stop processing personal data for direct marketing purposes as soon as you receive an objection. There are no exemptions or grounds to refuse.
- You must deal with an objection to processing for direct marketing at any time and free of charge.
- You must inform individuals of their right to object “at the point of first communication” and in your privacy notice.
- This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
Data Protection Officers
Many companies in the tech industry will be required to appoint a Data Protection Officer (DPO) because they “carry out large scale systematic monitoring of individuals”, mostly for the sake of marketing. The DPO will be required to monitor the company’s compliance with the GDPR, including managing internal data protection activities, advising on data protection impact assessments, training staff, and conducting internal audits.
Consent
Consent is one of the most prominent aspects of the GDPR for companies in the tech industry, and it is causing many issues for “companies that share data and for the cloud service providers, such as Microsoft, Amazon, IBM and Google, which host information in data centres on behalf of other companies”, according to the Financial Times.
The GDPR sets a high standard for consent, defining it as “offering individuals genuine choice and control”, and all of the responsibility for consent is placed upon the company. You will be required not only to ask for an individual’s consent but also to keep a record of who consented, when and how they did so, and what you told them about the consent at the time. The ICO suggests building regular consent reviews into your business processes to ensure continual compliance.
The wide-ranging requirements of the GDPR, which must be implemented in a compressed time period, present significant challenges for organizations in the technology and data industry. LogicGate is helping companies meet GDPR compliance requirements by centralizing and automating the critical new processes that now need to be executed to achieve compliance, as well as by enhancing existing manual processes, such as third-party risk management, that must incorporate additional privacy considerations when assessing data processors. With May quickly approaching, the more you can centrally manage and automate the extensive GDPR requirements, the closer you will be to reaching compliance.