Insights & White Papers

The General Data Protection Regulation (GDPR), which takes effect May 25, 2018, is designed to unify data privacy requirements across the European Union (EU). The GDPR has stringent requirements around data privacy and security and will have profound implications for organizations that market to or process information on EU citizens. While GDPR may look like a daunting challenge, Liberty Advisor Group is ready to arm you with the information you need to comply with this game-changing regulation.

What is GDPR?

The European Parliament adopted the GDPR in April 2016, replacing a previous law called the Data Protection Directive. The new legislation requires businesses to protect the personal data and privacy of EU citizens. It also regulates the movement of personal data outside the EU.

The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. However, that standard is quite high and will require most companies to make a large investment to meet and to administer.

What companies are impacted?

All companies who currently hold data on customers who are EU citizens, have operations in the EU or have intentions to expand to the EU. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”). The GDPR will apply in all 28 EU members states on May 25, 2018.

Are there penalties for non-compliance?

If a company breaches the GDPR, they are subject to fines of up to 4% of their global annual revenue or 20 million pounds ($24.8 million), whichever is the higher amount. For some companies, a 4% fine for non-compliance could wipe out much, if not all, of their annual profit.

How will it the GDPR be enforced?

Agencies tasked with assessing fines will fund themselves with the fines they collect (i.e. they are incentivized to find offenders). Also, if an offending company uses Google, Amazon or other cloud computing servers to hold and process customer data, the company will be responsible for compliance, not Google. Meaning that firms can’t pass the buck by using services from outside computing servers.

Key elements of GDPR

1. Data Scope
   • These regulations go beyond traditional PII to also include expanded metadata such as IP addresses, SIM card IDs, mobile IMEI numbers.
2. Requirement to Obtain Consent from Individuals
   • Companies must get individuals’ explicit permission to use “profiling” to make automated decisions
   • Profiling = taking automated decisions taken in order to produce an action (e.g. to approve or deny a loan application). Under Article 4(4), data processing may be characterized as “profiling” when it involves automated processing of personal data and using that personal data to evaluate certain personal aspects relating to a natural person.
   • Individuals have the right to:
     • Object to profiling
     • Halt the profiling
     • Avoid profiling-based decisions
   • Consent can’t be opt out. It needs to be “a statement or a clear affirmative action it can be a checkbox, but the checkbox can NOT default to checked.”
   • For children under age 16, “Reasonable efforts” must be made to obtain explicit parental consent (again, this can’t be passive)
3. Right to be forgotten
   • Individuals have the right to have all personal data erased from company databases “once the data is no longer required for the purpose for which it was originally collected”.
4. Right to Receive All Personal Data
   • Individuals have the right to receive all personal data about her/him in processor’s possession.
5. Limits on Cross-Border Data Transfers
   • Personal data cannot be moved from a GDPR-compliant location to a country that is not on the “approved list”.

What Is Liberty’s Guidance?

Here are the steps that companies should take immediately:

1. Evaluate your exposure: Understand the data you store that are relevant to GDPR.
2. For all profiling decisions, develop a way for individuals to explicitly opt-in.
3. Develop the capacity to remove individuals from profiling (i.e. automated decisions). In addition, there also should be a manual mode to remove individuals.
4. Be able to generate a report showing all information about an individual.
5. Be able to articulate when data is no longer required for the purpose it was originally collected and be able to delete all individualized data about a person after that period has passed.
6. Evaluate their data residency strategy to gauge compliance. Firms might need to set up new Co-Los or AWS/Azure accounts to comply.

We see this as a two-phase process from an IT perspective

1. Phase One: Manual
   • This will be painful, but some firms are hiring people to manually generate individualized data reports and manually delete people who want to be forgotten.
2. Phase Two: Automated
   • Best-in-class businesses will make GDPR compliance a fully automated process
   • Customers opt-in via a website and the necessary batch jobs are generated behind the scenes.

Companies with limited exposure may find phase one is all they ever need.  Conversely, businesses with a high degree of EU-based personal data and high degrees of profiling may need to go straight to phase two.

Additional GDPR Details

Previously, the rules defined “personal data” as anything that could be used to identify a person. Under GDPR, the definition is extended to include other metadata, including IP addresses, mobile IMEI numbers and SIM card IDs, as well as website cookies and biometric data – all data companies may use to build profiles on customers to target ads, sell or determine creditworthiness.

1. GDPR Article 28 “Processor”: Managed Service Providers and Cloud Service Providers will be classified as data processors if they are hosting, sorting, organizing, or managing a name, photo, email address, bank details, social media posts, medical information, PII of EU citizens.
2. GDPR Article 22 “Automated individual decision-making, including profiling”: Individuals will have the right to challenge the way algorithms work and the decisions they make. Companies must get permission to use personal data and to process it in certain ways from the individual first.
3. GDPR Article 17 “Right to be forgotten” or the “Right to erasure”: Individuals who do not want certain data about them online can request companies to remove it.  Unless a company or organization can show a legitimate reason to retain an individual’s data, that person can request the information is deleted by the business without “undue delay,” which may present a significant administrative challenge for many organizations.
   • GDPR does not specify whether the company would have to pay the IT service provider to bear the cost of any risk or regulatory action. This is subject to negotiation on a deal by deal basis.

What can companies do?

1. Determine if the company is a data controller or data processor. This distinction determines what responsibilities companies hold under GDPR.
   • If Wakanda Co. sells widgets to customers and uses Gmail to email consumers and track engagement activity, then Wakanda Co. is the data controller, and Google is the data processor. GDPR treats the data controller as the principal entity responsible for collecting consent, managing consent-revoking, enabling the right to access. An individual customer who wishes to revoke consent for his or her personal data will contact the data controller to initiate the request, even if the data lives on the servers belonging to the data processor.  The data controller would request the data processor remove the revoked data from their servers. Note: controllers should only choose processors who comply with GDPR.
2. Develop a data mapping solution. Companies can develop a solution that helps determine what type of data is being collected throughout the organization. For example: a description of the categories of the personal data, where it is being collected, its sensitivity, the reason it is being processed, where it originates, with whom it is shared, the time limits for erasure, description of security measures taken, how it should be classified for storage or deletion.
3. Implement a process that makes it possible to withdraw consent or expunge a record upon user request. Create a scalable method for recording the data and the time of each consent.
4. Get a full picture of the entire IT infrastructure and inventory of all applications. Know which applications can process personal data to understand what to focus on.
   • Here are example resources companies are building around compliance. (1) Google Cloud has its commitment to GDPR.  It’s also rolled out a Privacy Dashboard helping users identify which Google products are storing their data, along with the Privacy Checkup and Security Checkup  There is also the Google Takeout feature which allows users to export all data stored in Google services and store it elsewhere, although Google does not automatically delete the data after exporting. (2) In January, following complaints about its data collection practices, Microsoft unveiled its Windows Diagnostic Data Viewer, which provides users an overview of data being sent to Microsoft’s servers by Windows 10, including device connectivity, configuration options, performance data, movie consumption, installed apps.
5. Test breach notification and incident response plans. Organizations have only 72 hours to report breaches after becoming aware of them.  CIOs must ensure their response to data breaches is as efficient as possible.
6. Review vendor contracts, and ensure they are GDPR compliant and have consent from individuals to process new personal data.
7. Update security programs as necessary (encryption at rest, data classification, etc), especially as it relates to mobile devices. Accessing customer or employee PII on mobile devices creates a unique set of risks for GDPR non-compliance.  If any apps access or store PII on a personal device, they must do so in a GDPR-compliant manner.
8. Document GDPR compliance progress, and conduct annual, ongoing assessments of GDPR compliance to identify and remediate gaps.
9. Consider cyber insurance. There are many companies who feel like they are not ready for the 25 May 2018 deadline, have difficulty interpreting GDPR, or believe they cannot financially pay for GDPR fines.  If a client/prospect is struggling in this area, contact the BTI team as buying cyber insurance may be an option for them.  Cyber insurance is not a catch-all solution to GDPR fines, but it does cover costs of a breach, communications, and various related aspects.

There are many benefits to being compliant with GDPR – better data quality, deeper customer engagement, improved incident response – and the best way to avoid fines is to make sure the company is compliant.

Liberty Advisor Group is here to help.  We provide advice and technical experts to help you through the GDPR compliance process and minimize internal disruption.

Liberty Advisor Group is a mission-focused advisory and strategic consulting firm.  We partner with our clients to solve their most complex business issues and improve enterprise value.  Our experienced team has a proven track record in Business and Technology Transformation, Data Analytics, Business Threat Intelligence, and Mergers and Acquisitions.  We offer original thinking combined with factual data to develop comprehensive, situation-specific solutions that work.  With straight talk and proven results, we accelerate growth, drive efficiency and reduce risks.  We are experienced. We are doers. We are Battle-Tested.