GDPR establishes a number of key principles of data protection to be implemented for all EU residents. There is no escape from GDPR: organisations cannot outsource data processing to a non-EU country and thereby operate outside the auspices of GDPR. If an organisation processes EU residents' data, then it is "in".
There are a number of specific provisions in GDPR that enforce this position. Joint liability of data controllers and processors is a key one; the outsourcing of data processing does not absolve controllers of liability, but processors are also "on the hook" in the event of an infringement of the regulation. This will lead to the reconsideration of contractual obligations where personal data is involved, and this would include SaaS-based business applications such as customer services. Sub-contractors are also included in a never-ending chain of liability.
The EU worries that companies may seek to send data processing abroad (outside the EU) in order to escape their obligations, and so it has strict data transfer requirements. The basic rule of thumb is that movements of personal data within the EU are unrestricted, but they can only be transferred to a "third country" (non-EU member state) if:
Data transfers to the US are under specific scrutiny because the EU does not deem there to be an adequate level of data protection there, and many companies transfer data (including metadata) to the US, often as part of a cloud service. Privacy Shield is new and untested in court, and its predecessor — Safe Harbor — was invalidated in 2015. Few companies seem prepared to undertake the onerous process leading to BCRs, and so most firms are implementing standard clauses on a per-contract basis.
The role of the DPO (as introduced in the first blog of this three-part series) includes understanding when and to where data transfers occur. IT operations are likely to be the primary facilitator of this information transfer, including the use of datacentres by data processors and subcontractors outside EU member states. In particular, cloud-based data is often moved around the internet rapidly for a variety of purposes: for encryption/decryption, backup, indexing for search purposes, and so on. The collaboration between the DPO and IT operations will be key to continued organisational compliance with GDPR.
This three-part series has aimed to highlight the impact that GDPR will have on organisations that handle the private data of EU citizens. It is expected to act as a call to action for both data controllers (the providers who "own" the relationship with the end customer) and data processors (those who handle private data on behalf of data controllers) to step up the discipline and rigour of their approach to data protection in order to meet GDPR requirements. The scale of fines that could potentially be levied on organisations found to be in breach of GDPR — up to 4% of global revenue depending on the degree of non-compliance — is alone enough to gain the attention of board-level decision-makers.
There are three particularly important requirements within the text of GDPR that this blog series has attempted to highlight. Organisations must adhere to these in order to build GDPR compliance into their operations and processes around data protection:
Upholding these principles is even more important than avoiding the loss of EU citizens' personal data. While the two points may at first sound like they refer to the same concept, there is an important distinction. In today's world, in which digital transformation technologies (e.g., cloud computing, Big Data analytics, mobility and social business) are commonplace, and in which attackers' ability to compromise security is outpacing defenders' ability to prevent those attacks, data breaches are becoming an inevitability. In such an environment, the occurrence of a data loss matters less, strategically, than the processes and controls put in place to make sure that personal data is not exposed to unnecessary risk.
External Publication of IDC Information and Data — Any IDC information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate IDC Vice President or Country Manager. A draft of the proposed document should accompany any such request. IDC reserves the right to deny approval of external usage for any reason. Copyright 2016 IDC. Reproduction without written permission is completely forbidden.