What the EU General Data Protection Regulation (GDPR) May Mean for Icelandic Businesses, And How to Take Action

Jessie VanderVeen
Published in Dattaca Labs
Jun 2, 2017

The General Data Protection Regulation (GDPR) will take effect across Europe in May 2018, replacing a number of data protection laws across its member states and making data privacy for consumers a priority. While measures are ongoing, it’s expected that Iceland will adopt the regulation next year. The new law will apply not only to businesses based in the EU, but also to those dealing with EU citizens. Any company with a website offering goods or services (including cloud services) to EU citizens may be subject to the regulation.

A key theme of the regulation is that businesses will be required to provide individuals with greater power over their personal data. Customers and end users will have new and increased rights over their personal data that is collected, what it can be used for, and what happens when they no longer consent to data collection.

Among other things, the GDPR includes a ‘right to be forgotten,’ which, in specific circumstances, gives individuals the right to have personal data erased and to prevent processing, as well as the right to know when their personal data has been hacked, and replaces rules dating back to 1995 when the internet was in its infancy.

The new rules give businesses an opportunity to address the lack of trust that can limit people’s engagement with innovative uses of personal data, while giving individuals clear, effective information about what their data is being used for. Providing information transparently will help build trust in analytics and innovation for the benefit of all.

The GDPR rules will be backed up by harsh penalties, including fines of up to 4% of a company’s global revenue, or 20 million euros, whichever is higher.

Businesses should be aware of the primary aspects of the GDPR that will affect their customers and users:

Privacy by design

According to the new regulations, when users download an app or sign up for a service, they should not be asked for data that is not directly needed or relevant for the purposes of interacting with that app or service. Services should no longer ask for capabilities they don’t actually need, which will immediately restrict data leakage.

Explicit permission

When customers and end users give permission to a business providing digital services to have or use their data in a specific way, the company cannot use it for any other purposes or sell the data to third parties without explicit consent from the user. This marks a significant shift in the way data has been used, and will likely impact the way that many businesses have leveraged customer data to generate revenue.

Data portability

Under the GDPR, individuals will have the right to ask for any data that a business has been holding about them. Businesses will need to be able to return individually collected data in a machine-readable format so their customers can reuse it. For example, businesses must be able to provide collected personal data to customers so that they can use the data with another service provider if they choose.

Right to be forgotten

End users have the right to revoke their consent to a company that is collecting data about them. Under the GDPR, this is known as the “right to be forgotten.” Customers will be able to ask companies or platforms to delete their data if they no longer want businesses to have it. There are some caveats to this right; for instance, it does not apply to information if there is a legal requirement to keep it — medical records, for example.

Right to be informed in plain and clear language

The new rules will put an end to “small print,” complex, “legalese” privacy policies, and require that businesses provide information to customers in clear and plain language before any data is collected.

Clear and affirmative consent

Businesses will need to obtain clear and affirmative consent from their customers before private data is processed. This will require an “active step,” such as clearly stating to users the data that the business would like to collect and for what purposes, and requiring that users tick a box indicating their agreement. Under the GDPR, silence, pre-selected boxes, or inactivity will not constitute consent.

Clear limits on the use of profiling

The GDPR places new limits where automated processing of personal data is used to “analyse or predict a person’s performance at work, economic situation, location, health, preferences, reliability or behaviour”, including creditworthiness. Under the new regulation, profiling will only be allowed if there is explicit consent of the person concerned, where permitted by law, or when needed to pursue a contract. The regulation requires that any profiling explicitly involve a human element, including an indication of the decision expected to be reached from the data. Profiling must not lead to discrimination or be based solely on sensitive data, such as ethnic origin, political opinions, religion, or sexual orientation.

Technical requirements

The new rules promote techniques such as anonymization (removing personally identifiable information where it is not needed), pseudonymization (replacing personally identifiable material with artificial identifiers), and encryption (encoding messages so that only those authorized can read them) to protect personal data.
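The difference between the first two techniques matters in practice: pseudonymized data can still be linked back to a person by whoever holds the additional information (here a secret key), so it remains personal data, whereas properly anonymized data cannot. The following example is added here to illustrate that distinction; it is not code from the original article or from Dattaca Labs. The customer record, the field names and the key value are constructed placeholders, and the anonymization step is a deliberately simple generalization (age band, truncated postcode) rather than a full anonymization method.

```python
"""Pseudonymization vs anonymization of a constructed customer record.

Added example (not from the original article). The secret key is a placeholder;
in a real system it would live in a key management service, separate from the
pseudonymized dataset, so that re-identification requires both.
"""
import hashlib
import hmac

# Constructed sample record, as a service might store it before any protection.
RAW_RECORD = {
    "customer_id": 10423,
    "name": "Anna Jónsdóttir",
    "email": "anna@example.is",
    "postcode": "101",
    "birth_year": 1987,
    "purchases": ["book", "subscription"],
}

# Hypothetical controller-held secret: never stored next to the output data.
PSEUDONYM_KEY = b"placeholder-secret-key-rotate-me"

# Fields that identify a person directly and must never reach the anonymized set.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): the same input always yields the same token,
    so records stay linkable for analytics, but without the key a token can
    neither be reversed nor rebuilt by hashing guessed inputs."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace each direct identifier with an artificial identifier."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonym(str(out[field]), key)
    return out


def anonymize(record: dict, current_year: int = 2017) -> dict:
    """Drop direct identifiers and generalize quasi-identifiers.
    Simplified illustration: real anonymization also needs a re-identification
    risk assessment across the whole dataset."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    age = current_year - out.pop("birth_year")
    decade = (age // 10) * 10
    out["age_band"] = f"{decade}-{decade + 9}"
    out["postcode"] = out["postcode"][:1] + "xx"
    return out


def contains_direct_identifiers(record: dict) -> bool:
    """Check a record before it leaves the controlled environment."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


def can_reidentify(pseudonymized: dict, candidate_email: str, key: bytes) -> bool:
    """Only a holder of the key can confirm which person a token belongs to;
    constant-time comparison avoids leaking partial matches."""
    return hmac.compare_digest(pseudonymized["email"], pseudonym(candidate_email, key))


if __name__ == "__main__":
    p = pseudonymize(RAW_RECORD, PSEUDONYM_KEY)
    a = anonymize(RAW_RECORD)
    print("pseudonymized:", p)
    print("anonymized:", a)
    print("re-identifiable with key:", can_reidentify(p, "anna@example.is", PSEUDONYM_KEY))
    print("re-identifiable without key:", can_reidentify(p, "anna@example.is", b"wrong"))
```

Run as a script to see both outputs side by side. The pseudonymized record keeps its purchase history and stays joinable with other records from the same key, which is why the regulation still treats it as personal data; the anonymized record has lost the identifiers and coarsened the rest, which is the trade-off between utility and protection that the text describes.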

Regulatory one-stop shop

Businesses will only have to deal with one regulatory body, rather than 28, making it simpler and cheaper for companies to conduct business in the EU. Among other savings (which are expected to reach €2.3bn each year), the new regulation will eliminate the need for businesses to consult with local lawyers in each country in which they have dealings.

While the GDPR is complex and wide-ranging, there are some basic steps that businesses can take to tackle the compliance challenges. Below are initial steps that can help your organization better understand the implications of the GDPR, as well as measures that can help make sure your current customer data management policies don’t result in hefty penalties.

Form your stakeholder team and understand your mission

Every organization works differently, but if you haven’t already done so, you’ll need to identify the stakeholders across your company that need to be involved in your GDPR initiatives. You may need to select partners — legal, technical, and strategic — that are qualified to assist with your GDPR compliance. They should be familiar with the effects that the regulation will have on your particular industry. Your organization’s size and location might also factor into your decision.

Readiness assessment

With your identified stakeholders, conduct an early assessment of whether, or how, you are likely to be affected. Determine if you have EU customers or handle data from partners and customers that do. Also determine whether your business has any plans to do business in the EU or might be hiring EU citizens sometime in the future.

Prepare to tackle the GDPR as a business initiative

Do not be lulled into thinking of the move to GDPR compliance as a technology-only project. Consider its impact on all business units — legal, financial, technical, etc. Technology can certainly help to bring about your transition to GDPR compliance, but it’s not a magic pill.

Identify and map out your data

Consider all the data that your business collects, processes, and stores. Get a clear overview of how it is stored and backed up, and how it moves through your organization. Also, if you have not already done so, consider who has access to data, and maintain clear records regarding that going forward.

Create a plan that goes beyond the regulatory requirements

While you’re preparing your GDPR compliance, you’ll need to take a broader look at all the data your organization processes. Pay particular attention to personal data and corporate intellectual property. Create and implement training programs to keep staff attuned to both risks and processes for proper handling of sensitive data. If you don’t already have an incident response plan in case of security breach, you will need to create one. If you do, make sure that it’s being followed and that records are kept so that your incident response performance can be reviewed.

Roadmaps involving stakeholders and continual communications will allow you to articulate how you plan to get there. As your organization moves through the compliance process, you may have new roles, processes, and controls to introduce, such as a data protection officer, processes for personal data access, rectification, erasure or transfer, or processes for breach notification and impact assessment.

Monitor and report

The new GDPR legislation makes it clear that “security by design” is the new normal. This requires architects, compliance professionals, and business executives to build compliance into the design of all current and future business and IT processes. That may sound straightforward; however, balancing the requirement for rigorous information controls with business demands for market agility, quick customer insights, and, if applicable, migration to the cloud, is a tall order.

Here’s the good news: If you’ve completed the previous steps, you’re likely already on the path to building the means to monitor the compliance of your business processes and IT. Now your task is to ensure that you have the ability to intercept and quickly remedy any non-compliance.

In May next year, you could be confident that your processes and data protection measures are going to make the May 25, 2018 deadline a good day, but you’ll need to start focusing on how you’re going to get to that comfort zone. The one year countdown has already started.

Dattaca Labs is a living lab that is leading the personal data economy from Iceland. The business works with public institutions, local and multinational companies, and entrepreneurs to develop innovative solutions and services across a wide range of sectors, including health tech, fin tech, telecommunications, and IoT. Its mission is to help businesses and institutions improve the value exchange between end users and digital value providers, with an emphasis on empowering the individual.
