Friday, October 20, 2017

Five Realities Around GDPR

As the European Union’s General Data Protection Regulation (GDPR) enforcement date of 25 May 2018 approaches, a practical exercise for privacy pros and their implementation teams is to begin thinking of the “R” in GDPR as standing for “Reality” rather than “Regulation”.  This writer offers the following thoughts and observations on some realities of operationalizing GDPR, as seen through a technical, “real world” lens.

First and foremost, the reality is that the GDPR is here to stay.  Consider that Recital 1, Sentence 1 of the GDPR reads: “The protection of natural persons in relation to the processing of personal data is a fundamental right.”   The EU legislature has set a high standard for citizens’ personal data protection, and it is EU law, today.  As a population, EU data subjects (users) now have the fundamental right to visible, continual, compliant data protection wherever and whenever their personal information is moved or touched by enterprises (data controllers and processors).  The scope of protection extends to personal information activity involving desktops, laptops, tablets, smartphones, apps, wearables, IoT devices, and in-person venues.

Since the GDPR entered into force in May 2016, a great deal has been written and discussed about how the Regulation will affect large and small enterprises trading in Europe, yet very little attention has been given to exactly how operationalized GDPR will look and function when it serves real citizens in the real world every day.  As implementation teams and IT staffs prepare for actual GDPR “rubber-on-the-road” implementation, a Privacy by Design approach is helpful.

In concept, GDPR is all about enterprise and user engaging together to protect and manage the user’s personal information responsibly, promoting positive-sum personal privacy and building mutual trust.  In practice, this activity will most often take the form of a proactive, software-supported dialogue between the parties at each real-world encounter, or user touchpoint.  In real-world operation, both enterprise and user need to participate in turn: clear details about policy and legal basis are presented, appropriate consent is informed, negotiated, and gathered, and individual user rights are proffered and optionally exercised.

A practical, GDPR-compliant touchpoint dialogue will incorporate the following default functional elements:

· Software infrastructure meeting the standards set forth within GDPR Article 12, to proactively present clear and plain language notice as the enterprise talks to the user in a dialogue explaining policy and options.

· Software infrastructure meeting the standards set forth within Articles 5, 6, 7, 8, 13, 14, and 22 to disclose the legal basis for collection, then initiate and manage the negotiation and gathering of appropriate affirmative consent, affirmation of legitimate interest, etc., as the user responds to the enterprise and opts accordingly.

· Software infrastructure meeting the standards set forth within Articles 13, 14, 15, 16, 17, and 18 covering the disclosure and fulfillment of individual rights, as the enterprise proffers optional processing rights to the user, then acts accordingly, directed by user response.

· Software infrastructure to log, track, and report discrete touchpoint dialogue events as they occur, supporting downstream user, DPO, and DPA dashboard reporting.
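To make the fourth element concrete, here is an added example (not the author’s toolset and not code from the original post) of a minimal, append-only ledger for touchpoint dialogue events. It records which notice version a user saw, the Article 6(1) legal basis cited, consent given or withdrawn, and rights exercised, then answers the two questions a privacy office is asked most: “does this user currently consent to this purpose?” and “what do we hold about this user?” The event names, purpose identifiers, and field layout are assumptions made for the example; the constructed scenario in `demo()` is sample data, not real records.

```python
"""Added illustration of a touchpoint event ledger (not the author's
toolset).  Field names, event kinds and purposes are assumptions made
for this example; the sample events in demo() are constructed data."""
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Article 6(1) lawful bases, keyed by sub-paragraph letter.
LEGAL_BASES = {
    "a": "consent",
    "b": "contract",
    "c": "legal obligation",
    "d": "vital interests",
    "e": "public task",
    "f": "legitimate interests",
}

# Event kinds a touchpoint dialogue can emit (names assumed for the example).
NOTICE = "notice_presented"              # Art. 12-14: notice shown to the user
CONSENT_GIVEN = "consent_given"          # Art. 7: affirmative opt-in
CONSENT_WITHDRAWN = "consent_withdrawn"  # Art. 7(3): withdrawal
RIGHT_REQUESTED = "right_requested"      # Art. 15-18: user exercises a right


@dataclass(frozen=True)
class TouchpointEvent:
    subject_id: str
    kind: str
    purpose: str
    legal_basis: str      # letter from LEGAL_BASES
    policy_version: str   # which notice text the user actually saw
    timestamp: str        # ISO 8601, UTC


class TouchpointLedger:
    """Append-only store: events are never edited or deleted, so what a
    user was shown and chose at every touchpoint stays reconstructible."""

    def __init__(self) -> None:
        self._events: List[TouchpointEvent] = []

    def record(self, subject_id: str, kind: str, purpose: str,
               legal_basis: str, policy_version: str,
               timestamp: Optional[str] = None) -> TouchpointEvent:
        if legal_basis not in LEGAL_BASES:
            raise ValueError(f"unknown Article 6(1) basis: {legal_basis!r}")
        if kind in (CONSENT_GIVEN, CONSENT_WITHDRAWN) and legal_basis != "a":
            raise ValueError("consent events must cite Article 6(1)(a)")
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        ev = TouchpointEvent(subject_id, kind, purpose, legal_basis,
                             policy_version, ts)
        self._events.append(ev)
        return ev

    def consent_status(self, subject_id: str, purpose: str) -> bool:
        """Latest consent event (by timestamp) for this subject and purpose
        wins, so a withdrawal after a grant means no consent.  No event at
        all also means no consent: the default is opt-in, never opt-out."""
        status = False
        for ev in sorted(self._events, key=lambda e: e.timestamp):
            if ev.subject_id != subject_id or ev.purpose != purpose:
                continue
            if ev.kind == CONSENT_GIVEN:
                status = True
            elif ev.kind == CONSENT_WITHDRAWN:
                status = False
        return status

    def subject_report(self, subject_id: str) -> str:
        """Everything held about one user, as JSON (Art. 15 access)."""
        rows = [asdict(e) for e in self._events if e.subject_id == subject_id]
        return json.dumps(rows, indent=2)

    def dpo_summary(self) -> Dict[str, int]:
        """Event counts per kind, for a DPO or DPA dashboard."""
        summary: Dict[str, int] = {}
        for ev in self._events:
            summary[ev.kind] = summary.get(ev.kind, 0) + 1
        return summary


def demo() -> TouchpointLedger:
    """Constructed scenario: notice, opt-in, later withdrawal, access request."""
    led = TouchpointLedger()
    led.record("u1", NOTICE, "marketing", "a", "v3", "2018-05-25T10:00:00+00:00")
    led.record("u1", CONSENT_GIVEN, "marketing", "a", "v3", "2018-05-25T10:00:05+00:00")
    led.record("u1", CONSENT_WITHDRAWN, "marketing", "a", "v3", "2018-06-01T09:00:00+00:00")
    led.record("u1", RIGHT_REQUESTED, "account", "b", "v3", "2018-06-02T12:00:00+00:00")
    return led


if __name__ == "__main__":
    ledger = demo()
    print("u1 marketing consent:", ledger.consent_status("u1", "marketing"))
    print(ledger.subject_report("u1"))
    print(ledger.dpo_summary())
```

The design choice worth noting is that consent is derived from the event history rather than stored as a mutable flag: withdrawing consent appends an event instead of overwriting one, which is what lets the user report and the DPO summary both be produced from the same ledger without any separate audit trail.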

Prebuilt, prototype touchpoint dialogues and related installation toolsets are available today to facilitate privacy office and IT integration.

Another important risk-related reality concerns an enterprise’s exposure to GDPR compliance scrutiny and possible enforcement activity. Since the vast majority of enterprise landing pages and data capture screens can be publicly accessed over the internet, any given enterprise’s dedication and commitment to GDPR compliance (and stewardship of users’ personal data) can be quickly and easily assessed by regulators and users alike. A simple screenshot can provide instant documentation.

A final reality is that the European Union’s GDPR initiative has inspired transformative data protection activity beyond the bounds of Europe. A substantial number of countries around the globe appear to be planning and implementing privacy standards and laws patterned upon and congruent with the spirit of GDPR. The EU’s pending ePrivacy Regulation covering confidential communications will likely rely heavily on GDPR principles as a foundation. In this writer’s opinion, the privacy world is steadily moving towards a GDPR privacy standard. Now is the time for privacy pros, GDPR implementation teams, and IT staff to focus on real-world implementation.

Dale Smith, CIPT