Despite all the talk about GDPR, as we are entering the final stretch before it kicks in, there's a lot of fear, uncertainty, and doubt. GDPR is complex, and many aspects of how it will work in practice remain unclear even for experts. ZDNet discussed it with a wide range of experts, aiming to decipher the real-life applicability and impact of GDPR.
A starting point for this discussion was the fact that, according to many surveys, most organizations will not be ready for GDPR on May 25, which makes one wonder: Is it because they did not manage to get it right in time, or could it be a strategic decision, factoring in the actual possibility of being audited and the complex landscape of enforcement?
Andrew Burt, chief privacy officer and legal engineer at Immuta, said that neglecting GDPR could be extremely costly for organizations, given the fines it levies for non-compliance (up to 4 percent of global revenue). So, he doubts that organizations will look at the regulation, perform a cost-benefit assessment, and decide it's in their strategic interest to ignore it.
Immuta is an information governance platform that integrates data sources for data scientists. The view coming from one of the major consulting firms is a bit different. Julia Jessen, manager at Accenture within the financial services industry, and Henk-Jelle Reitsma, senior manager of finance and risk for the Benelux practice of Accenture, do not rule out the evasion possibility.
Jessen and Reitsma believe, however, that in general industries and organizations have not deliberately deferred action because of a lack of urgency with regard to the topic, but rather failed to grasp its full implications as a result of regulatory overload:
"Most industries face an ambitious regulatory agenda, and have been doing so for years. When considering GDPR two things happened: Firstly, it was de-prioritized in relation with other topics with an earlier deadline, secondly organizations have been -- across the board -- underestimating the impact of the new legislation on processes and systems.
When GDPR was eventually picked up in a structural way, it has become increasingly clear to most organizations that, although they will be able to put into place policies and processes, the long tail will be in the implementation of various aspects into the (legacy) IT landscape. This is bound to be a large part of the post May 25 backlog for most of them.
Strategically not complying should be a thing of the past, where previous legislation would in the worst case fine relatively small amounts. GDPR more fundamentally will become part of the license to operate with serious implications, both monetary as well as reputational. The biggest fear for heads of communication and board members alike is becoming the showcase in the media in the coming weeks, months."
Sue Friedberg, shareholder at Buchanan Ingersoll and Rooney law firm and co-chair of its Cybersecurity and Data Protection Group, noted that US-based companies with a strong EU presence in facilities, employees, sales force and/or customer base have been thinking about GDPR since at least mid-2017.
She said that over the past several months, EU customers have required their US service providers ("processors" in GDPR terminology) to sign new data protection agreements or amendments to existing agreements that meet GDPR requirements, which translates to significant costs, even for companies with sophisticated security and well-staffed IT departments. But what about the rest?
"Other US-based companies who think they have only a limited EU footprint are either less aware of GDPR, have adopted a cautious wait-and-see approach, or have begun to try to figure out how GDPR affects their operations and whether there is some reasonable short-term way to meet some of its requirements, if not all.
There are companies with no physical or employee presence in the EU, no active targeting of their marketing to EU customers, or limited volume of business in the EU. These companies are reading all of the publicity that's been circulating and are very uncertain about what, if anything, they need to do. Some are considering not doing, or starting, any business in the EU."
Burt concurs, noting that a product called "GDPR Shield" actually carried some negative reactions to GDPR into practice, blocking all EU users to websites so companies wouldn't have to worry about compliance: "I think there's a real risk that some technology companies -- especially the smaller ones -- will try to avoid the EU market at all costs because of this compliance burden," he said.
Will US-based organizations really be scrutinized under GDPR?
But how real is the fear, or promise, of GDPR? Jessen and Reitsma think enforcement across the pond won't bother most individual organizations but that specific enforcement at specific organizations will:
"Regulators will not have the manpower to scrutinize a substantial population of organizations and industries and will therefore rely on sampling and guided investigation, with complaints or other notifications guiding the prioritization.
We foresee regulators taking a risk based approach in supervision, starting investigations with companies that are notorious for excessive capturing, processing, publishing, and sharing/selling of large amounts of personal data. We feel it is especially the social media (Facebook, Instagram, WhatsApp) and search platforms (Google) that will be first in line for the supervisor's scrutiny.
There has been much talk about 'grace periods' on e.g. social media and blogs. We think this would be a pretty tricky strategy, both for the regulator as well as the regulated industries.
For the regulator, if the decision is taken to provide a grace period, what precedent would that imply? And for which industries would it be applicable and which not? Why would a large international insurer be allowed more time while a small local recruiting company is fined immediately? Arbitrariness is the last thing a regulator wants to signal.
For the companies regulated counting on a grace period puts their fate in the hands of third parties, which we would not consider a strong strategy. If a grace period would come into effect, such a period would likely apply to requirements, such as transparency, or the customer's right to insight in what data is being captured and processed, and especially sent to other parties."
And how would a GDPR audit be initiated? Friedberg said that audits are something that comes up in the context of the required written contract between a controller (an entity that determines the purposes for which personal data is used) and a processor:
"Under the GDPR provision governing processors, a processor is required to make available to the controller the information necessary to demonstrate that the processor is in compliance with its GDPR obligations and the controller to audit the processor's activities.
Interestingly, it's been an established 'best practice' for US organizations, subject to data security requirements, to include the right of a customer to audit a third-party service. This audit right should cover any provider who has access to personally identifiable information for which the customer is legally responsible.
By putting this requirement into law and making it apply to the broad range of personal data protected by GDPR, the EU has expanded what has been a well-established principle of 'vendor risk management.' The major processors (e.g. AWS, Google) seem to be trying to address this by offering internationally recognized third-party certifications and access to some more detailed information about their security practices.
Whether that will pass under GDPR remains unknown. It's hard to see how any other than the very largest controllers have the resources to carry out these audits and the disruption to processors who need to undergo audits would be substantial."
How to exercise your rights under GDPR, and what to expect
Controllers and their jurisdiction is a topic in and by itself, as there are many actors involved. There is the European Data Protection Supervisor, who is responsible for overseeing GDPR, but then there are also local data protection commissioners for different EU countries.
But how would things work, say, if an individual wanted to have data that a US-based company has on them deleted? For starters, how would that request have to be submitted?
So GDPR does not give a recipe for that, such as a web form or email template, for example, but leaves it up to controllers to tell processors how to let their users reach out. Friedberg noted GDPR is very prescriptive about how the controller is expected to "facilitate" the exercise of these rights.
But when an EU resident makes a request directed at a US-based organization, does it mean it will be acted upon? Lorena Jaume-Palasí, executive director of NGO Algorithm Watch, noted this is precisely one of the most unclear parts:
"A German data protection officer can place demands to Google in the US, but this request will depend on the legal cooperation mechanisms with the US and the US legal interpretation. Overall, it is going to be confusing and there are already different interpretations on the status of fundamental concepts, like e.g. order data processing.
For some EU member states, order data processing (contracting a third party to carry for instance the accounting) is data processing, for some other countries it is not. The duties and obligations of those two concepts are different. GDPR is not clear enough, so jurisprudence will be key and this will definitely lead to a rag within the EU landscape."
If you think that's complicated, wait till we get to the part that concerns auditing data in the cloud. But GDPR is not all complication, FUD, and compliance-related costs. The flip side is that it can drive user rights forward worldwide, act as a motive to get data governance right, and even spur innovation. More on that in part two of this GDPR special.