GDPR establishes a number of key principles of data protection to be implemented for all EU residents. There is no escape from GDPR: organisations cannot outsource data processing to a non-EU country and thereby operate outside the auspices of GDPR. If an organisation processes EU residents' data, then it is "in".
There are a number of specific provisions in GDPR that enforce this position. Joint liability of data controllers and processors is a key one; the outsourcing of data processing does not absolve controllers of liability, but processors are also "on the hook" in the event of an infringement of the regulation. This will lead to the reconsideration of contractual obligations where personal data is involved, and this would include SaaS-based business applications such as customer services. Sub-contractors are also included in a never-ending chain of liability.
The EU worries that companies may seek to send data processing abroad (outside the EU) in order to escape their obligations, and so it has strict data transfer requirements. The basic rule of thumb is that movements of personal data within the EU are unrestricted, but personal data can only be transferred to a "third country" (a non-EU member state) if one of the following applies:
- The third country is assessed by the EU as having "adequate" (that is, broadly equivalent) data protection legislation in place
- There is an agreement between the EU and the third country (EU-US Privacy Shield, for example)
- Binding corporate rules (BCRs) or standard clauses are adopted
- A binding code of conduct is adopted
- A certification mechanism is in place and adhered to
- Explicit consent has been obtained from the data subject (and they know what they are consenting to, including the risks of the transfer!)
Data transfers to the US are under specific scrutiny because the EU does not deem there to be an adequate level of data protection there, and many companies transfer data (including metadata) to the US, often as part of a cloud service. Privacy Shield is new and untested in court, and its predecessor — Safe Harbor — was invalidated in 2015. Few companies seem prepared to undertake the onerous process leading to BCRs, and so most firms are implementing standard clauses on a per-contract basis.
The role of the DPO (as introduced in the first blog of this three-part series) includes understanding when and to where data transfers occur. IT operations are likely to be the primary facilitator of this information transfer, including the use of datacentres by data processors and subcontractors outside EU member states. In particular, cloud-based data is often moved around the internet rapidly for a variety of purposes: for encryption/decryption, backup, indexing for search purposes, and so on. The collaboration between the DPO and IT operations will be key to continued organisational compliance with GDPR.
Some common pitfalls for the DPO to look out for include:
- Data in motion versus data at rest — Cloud service providers (CSPs) may advertise that data is stored within a datacentre located in the EU, but that statement only covers data at rest. The same data may be transferred to non-EU locations when it is in use or in motion (for processing, replication, support access, and so on). Make sure that your CSP's data residency approach is made clear for all three states, not just storage.
- "Brexit" is no excuse — The location of a data controller's/data processor's operations, headquarters, and so on, is immaterial. It is the location of the data subjects (in the EU) whose personal data is processed that matters. No matter the political decision-making process, the UK is likely to remain a member of the EU until 2019 at least, while GDPR becomes enforceable from 25 May 2018. Organisations handling the personal data of individuals in the UK during this "interregnum" period remain subject to GDPR.
- Encryption is not a silver bullet — As with the data in motion/data at rest point, depending on the provider and the structure of delivery, the encryption/decryption process may result in data being transferred to a separate (potentially non-compliant) geography. What is more, consider carefully the impact of encryption on usability. Weigh up the security that encryption represents against its impact on usability, and whether key management is best delivered in-house or via a third party.
This three-part series has aimed to highlight the impact that GDPR will have on organisations that handle the personal data of EU citizens. It is expected to act as a call to action for both data controllers (the providers who "own" the relationship with the end customer) and data processors (those who handle personal data on behalf of data controllers) to step up the discipline and rigour of their approach to data protection in order to meet GDPR requirements. The scale of fines that could potentially be levied on organisations found to be in breach of GDPR — up to 4% of global annual turnover or EUR 20 million, whichever is higher, depending on the degree of non-compliance — is alone enough to gain the attention of board-level decision-makers.
There are three particularly important requirements within the text of GDPR that this blog series has attempted to highlight. Organisations must adhere to these in order to build GDPR compliance into their operations and processes around data protection:
- The implementation of "appropriate technical and organisational measures" that support data protection principles.
- Consideration of "state of the art" technologies in developing/maintaining these principles.
- Understanding the implications of transferring personal data from within the EU and into "third countries", where approaches to data protection may differ from those laid out by GDPR.
Upholding these principles is even more important than avoiding the loss of EU citizens' personal data. While the two points may at first sound like they refer to the same concept, there is an important distinction. In today's world, in which digital transformation technologies (i.e., cloud computing, Big Data analytics, mobility and social business) are commonplace, and in which attackers' ability to compromise systems is outpacing defenders' ability to prevent those attacks, data breaches are becoming an inevitability. In such an environment, the individual data loss event matters less, from a regulatory standpoint, than the processes and controls that were put in place beforehand to make sure that personal data was not exposed to unnecessary risk.
External Publication of IDC Information and Data — Any IDC information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate IDC Vice President or Country Manager. A draft of the proposed document should accompany any such request. IDC reserves the right to deny approval of external usage for any reason. Copyright 2016 IDC. Reproduction without written permission is completely forbidden.