Is the new EU Data Privacy regulation an opportunity or a threat? What measures must be taken today to change a potential threat into an opportunity?
The new EU regulation (2016/68) aims, for the first time since 1995, to systematically establish and govern the protection and processing of personal data. To avoid heavy fines (20 million or 4% of annual turnover), companies should change the way they deal with personal data and with data in general. The regulation will apply to all business entities, whether they deal with internal data only or also with customer data.
From a business perspective, the regulation is a unique opportunity for a company, either by itself or with the help of external consultants, to systematically change its data strategy regarding the usage and processing of personal data. Because of the scale of the change required and the short timeline, companies should act and start implementing these changes as soon as possible.
What changes is EU Regulation 2016/68 bringing to daily business operations, and what are its main changes and requirements?
Due to differences in technological advances between EU countries, the expansion of social networks, and the increasing scope of processing and using personal data, EU countries introduced local data privacy laws and regulations that were sometimes quite different from each other. There was also no formal cooperation between EU countries in cases of personal data abuse.
The new regulation, which will be enforced beginning in May 2018, defines the minimum requirements that each EU member state needs to apply. In general, the new EU regulation has tightened the needed security actions for dealing with personal data. This regulation will be valid for the entire EU, including companies that are not located in the EU but are processing data in EU territory (Facebook, Google, etc.).
The regulation's main objective is to return control over personal data and the scope of its processing to the individual. At the same time, companies are encouraged to be proactive in fulfilling the new requests that individuals may make. In the event of non-compliance with the required systemic changes and individual rights, the new EU regulation introduces a maximum penalty of EUR 20 million or four percent of total turnover. In addition, each individual now has the option to file a personal lawsuit if he or she believes that a company has abused his or her personal data.
This is a big change, especially for companies that have a large customer database or a large database of historical information and that process and use personal data on a daily basis.
In terms of processing personal data, this new EU regulation is a unique opportunity for companies to change the strategy of how they currently capture, use, and process personal data. With proper implementation of the EU Data Privacy requirements, companies will have opportunities to reduce the cost of data processing, increase data quality, reduce processing time, reduce legal risk, and increase the use of data as a decision tool. Basically, they will have the opportunity to increase the added value of any existing and newly captured personal data. The second opportunity is that companies will be able to acquire the certificate introduced by the regulation, which is “proof” that the personal data of their clients are handled with care and in accordance with the legal requirements. This will increase the trust and loyalty of existing customers.
Opportunity for businesses: increase the added value of the data that you have
Companies should be able to demonstrate proactive activities around the capture, processing, and protection of personal data. The more extensive and better monitored these proactive activities are, the less likely it is that the business entity will be exposed to potential sanctions.
And here is the opportunity. Companies will need to adapt their data strategy in accordance with the regulation, so they can use the required activities to change their data strategy and the ways they work with data. Harvard Business Review recently published a summary of research on how different stages of controlling data influence different parts of a company's operations.
The results show that if data are processed and controlled at the point where they occur, companies receive more benefits and have less work than if they manage this at the end.
New individual user rights
As stated earlier, the main purpose of the EU Data Privacy regulation is to return control over captured personal data and its processing to each individual user.
Consent to data usage and the exact purpose of usage should be clearly expressed and confirmed in writing by each individual. Individuals gain the right to request that the company completely erase their captured personal data. The regulation also introduces mandatory parental consent for the processing of personal data of persons under 13 years of age.
One of the major achievements and benefits for individuals (and an opportunity for companies) is that the user should be able to request a transfer of their complete personal data, any completed transactions, and their purchase history. One practical example is that a user will be able to transfer their bank rating bonuses from one bank to another.
Individuals will be able to request removal from any form of automatic processing of data, calculations, estimates, etc., where the result is based on the automated processing of their data.
The user will be able to request information on which personal data and other data are stored, and which of those data the company may use or process.
A summary of the new individual user rights:
Companies’ new obligations and requirements
In addition to ensuring compliance with and implementation of the individual rights, the regulation introduces and identifies further activities to raise the level of awareness around the usage and processing of personal data.
The main change is that the regulation also applies to companies that are not physically located in the EU but do acquire or process personal data from EU territories.
The regulation introduces mandatory risk assessment and risk management for each database where personal data are used, and also checks whether the assessment is in compliance with all of the internal rules.
In some cases (there are no official criteria yet), the new EU Data Privacy regulation introduces a mandatory person who is dedicated to making sure that all of the internal rules, databases, internal policies, and everything else dealing with data is in compliance with the new regulation. The recommended title of this new position is Data Protection Officer. It is important that this person is not under IT (CTO) authority, in order to avoid a conflict of interest.
Another change is that in the case of a breach or abuse of personal data, companies will be required to inform the supervisory authority and, in some cases, also inform the user directly.
The new regulation also introduces a broader definition of what personal data is. Under this broader definition, personal data is any information that anyone accessing the internal databases could use to identify the real user. Examples of such data are IP addresses, MAC addresses, pseudonyms, email addresses, visuals, pictures, etc.
Four steps that can be performed based on our Indigo experience
As experts in the field of processing and data handling, as well as increasing the business value of your data, we recommend that you begin your process by taking the following steps:
• I. Review of the existing data landscape: which databases you use today and which will be used in the future
• II. Review of the impact of the regulation and of regulatory changes or other existing legislation on data: involvement of legal experts, legal review of the existing situation, preparation of the relevant documents to adapt to the requirements of the regulation, and preparation of internal documents
• III. Preparation of integrated management strategies and a data strategy: activities to improve the business value of your data, such as the use of data for decision making, data analysis, a Big Data strategy for data processing, risk management and disposal of your data, access to the information they hold about your business, etc.
• IV. Preparation of an operational timeline: preparation of key users, testing of new processes and of compliance with new individual requests, determining the persons responsible for the protection and processing of personal data, full implementation of the proposed steps, etc.
The above is an illustrative view of the main activities, which may differ from company to company. What these activities have in common is that they are the key elements of a successful adaptation to this new regulation: appropriate data processing, recognizing the importance of the regulation, all legal issues identified and resolved, IT solution changes defined, internal and external communication completed with all involved stakeholders, etc.
So, if a company begins by introducing new rules and changes today, it will not only avoid heavy fines later but also have a clear strategy for increasing the added value of the data it holds and the consequent improvement of operation.
If you realize that you do not have the relevant expertise, the internal resources, or a comprehensive understanding of the new regulation, we can personally present our services to ensure that your business will be ready for it.
Learn about Indigo Consulting services http://www.indigo-pristop.si.
Klemen Ramoveš, Consultant