Introducing The New GDPR Law For Better Data Security
June 25, 2018 | 6 minutes read
Officially known as European Union Regulation 2016/679, the General Data Protection Regulation is a new law with wide-ranging effects. What are the implications of the GDPR? That is the big question on everyone’s mind. The EU wrote it to cover all businesses that have any operating capacity within the EU; that means US businesses will be affected by this law as well. At the date of this writing (June 2018), the law is too new for us to understand its full implications.
Data Protection History in the EU
Protecting data became an EU priority sometime around the turn of the century. After countless terrorist attacks in the EU, many agencies strengthened their security protocols. From its inception, the EU’s charter sought to institutionalize protection. It includes Article 8 (1), which states that the protection of personal data is a fundamental right.
Originally, Directive 95/46/EC was the sole measure to protect personal data. But as the turn of the century came, the EU quickly realized that the directive addressed a very limited scope (mainly payment transactions and financial applications) and, in its opinion, did not go far enough where the capture of digital content was concerned.
The EU took several years to debate and construct a solution, but 2016/679 replaces 95/46/EC and is written more broadly to cover all aspects of data collection involving people.
What Changed in the Old Law?
The major changes concern the broad interpretation of data. Before the Digital Age, data was linked to computers processing transactions of people, as stated previously. Much of this was related to financial processing, so the original law focused on that industry. Now, with the advent of digital data in almost every industry, as well as the proliferation of its sharing between various entities, the EU has decided to re-write its original view of what constitutes data. That means it has considered and incorporated every possible data source and access point that captures personalized data of any kind.
The second major change in the law is that, while the EU won’t require companies and people who capture personalized data to have a plan in place beforehand for handling that data, the fines begin to be issued as soon as the EU discovers that they can’t honor requests from citizens to have that data removed from their systems. The fines involved are massive, and have the potential to put the strongest, most risk-averse corporations out of business the minute the fine is assessed. The maximum is structured as €20 Million, but fines can even be tied to percentages of annual earnings in EU nations, upwards of four percent.
This means that far more businesses and people are affected by the law, and that means people need to learn the law, how it applies to their data-capturing scenario, and find appropriate ways of handling any potential requests.
How Does This Impact Business and Government?
The key impacts concerning GDPR are the requirements it places on certain organizations, both public and private. First, all organizations that are impacted by GDPR will have to be assessed through what is called a Data Protection Impact Assessment (DPIA). This assessment is meant to understand the data the organization collects, and how it is handled, stored, and managed.
The second impact is that organizations of a certain size will have to hire their own full-time Data Protection Officer (DPO). These people will have to be trained on the GDPR and how to comply with it. Organizations that don’t meet the criteria for a full-time, in-house DPO will need to contract for services from an organization that has available DPO staff.
The goal is to redact (i.e. black out) as much personally identifiable data as possible and to hold organizations accountable for doing so. But the EU also granted some exemptions to GDPR processes in certain instances. Many of those exemptions can be found in Subsections 45 (concerning medical/public welfare/disaster concerns), 50 (scientific/historical research), and 52 (employment/social protection law), and the subsequent sections reaffirm the various exemptions.
In Article 2, Subsection 2(d), the EU spells out that there are exemptions for law enforcement when it comes to following the procedures outlined in removing data. The language makes it clear that law enforcement will have wide latitude in not complying with the law. However, compliance can be required on a case-by-case basis.
In Subsections 86 and 88, there are paragraphs dedicated to reporting data breaches involving the data safeguarded by the GDPR, which require timely reporting, and full transparency with law enforcement authorities when they begin investigations.
What the GDPR Doesn’t Address
The focus of the GDPR is on those entities collecting data in the course of business and official activities, data that the EU believes shouldn’t be stored for a lifetime. The EU spent a great deal of time addressing those concerns. What they left out, intentionally, was private citizens collecting data for their own specific purposes. The official EU explanation website cites an example where a citizen uses their address book to invite friends via email to an event. This falls under the household exemption. However, initial reactions suggest that not all activities by private citizens can be covered by this exemption. We’ll also explore that in later articles.
It also grants the EU Member States a major exemption, falling under the entitlements they have in a separate document, the Treaty of the European Union, in Title V, Chapter 2. We won’t go into the details here, but the entire chapter covers numerous scenarios which, when applied to the GDPR, allow the Member States to grant themselves exemptions. There’s likely some good reasoning for this, but considering how tightly the GDPR was written for everyone else, it does come off as insulting on the surface.
There is also a major question the GDPR doesn’t address: the limits of where it can be applied. While the regulation discusses general jurisdiction, it appears to have been written broadly enough to be open to interpretation well outside the EU. And that means a lot of headaches for all businesses and government bodies outside the EU. Again, a topic we’ll specifically address in a later article.
How To Comply
The cornerstone of data protection is data redaction. Personally identifiable information can be exposed in videos, audio, documents, and images, all of which require redaction. Good redaction software is paramount to GDPR compliance. To be effective in their job, a Data Protection Officer will need to be supplied with redaction software like CaseGuard Studio. With manual and automatic features, even complex redaction protocols can be streamlined to prevent backlog.
As the world becomes more and more digitalized, data becomes easier to access. As such, the laws surrounding data protection will become stricter. To ensure timely compliance, tools utilizing artificial intelligence will increase in importance. CaseGuard Studio uses top-of-the-line AI to automate document, audio, video, and image redaction.
Conclusions
The GDPR is a lengthy, complicated regulation that is trying to address major data collection and storage operations while also trying to allow government to operate the way it normally would. While a lot of effort, time, and intelligent thought went into this regulation, its application is still very new, and how it will apply to everyone is still going to be worked out over time.
We can rest assured that many of the questions about how it applies have been well thought out, but court challenges can always strike down, alter, or emphasize portions. The real challenge will come when jurisdictions outside of the EU have to weigh in, which may lead to narrowing the expansiveness of the regulation as it stands now.