On January 31, I took part in an IAPP-hosted webinar on managing risk and big data analytics under the EU General Data Protection Regulation alongside Gwendal Le Grand, the Director of Technology and Innovation at the CNIL, France's data protection authority, and Mike Hintze, former Microsoft chief privacy counsel and now partner at Hintze Law.
Based on interactions with companies and regulators following the webinar, we found that companies are at varying stages of adjustment to the upcoming regulation. Understanding these five stages, we believe, can help companies that control and process personal data find a solution to their needs. So, here we go:
Stage one — awareness
At this stage, a company is aware that the GDPR contains new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors. Since compliance enforcement commences in the spring of 2018, many companies are stuck at this stage and are postponing the move to a solution. Yet preparation for compliance with the GDPR should begin now.
The company is usually also aware of the GDPR’s broad jurisdiction. It applies to all companies processing personal data for one or more EU citizens, regardless of where the company is located or has operations.
The company is also aware that penalties for noncompliance can include fines of up to four percent of global gross revenues, along with class-action lawsuits, and direct liability for both data controllers and processors for data breaches, data breach notification obligations, and so forth.
A company at this stage realizes it cannot rely on prior approaches or legal bases for data analytics, artificial intelligence, or machine learning. While consent remains a lawful basis under the GDPR, the definition of consent is significantly restricted. Under the GDPR, consent must now be “freely given, specific, informed and an unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.”
These requirements for GDPR-compliant consent are not satisfied where there is ambiguity or uncertainty about the data processing, as is the case with data analytics, artificial intelligence, or machine learning (which we will refer to collectively as big data from here on). These heightened requirements for consent under the GDPR shift the risk from individual data subjects to data controllers and processors. Prior to the GDPR, the risks of not fully comprehending broad grants of consent were borne by individual data subjects. Under the GDPR, broad consent no longer provides a sufficient legal basis for big data. Data controllers and processors must now satisfy an alternate legal basis for big data processing.
Stage three — understanding requirements
At this stage, a company appreciates that the GDPR does provide a means to continue big data processing, provided that GDPR requirements for “legitimate interest” are supported by satisfying two new technical requirements: pseudonymisation and data protection by default.
Stage four — evaluating technology
A company at this stage is evaluating technology to determine if it satisfies GDPR requirements for both pseudonymisation and data protection by default.
Pseudonymisation requires separating the information value of data from the ability to attribute the data back to individuals.
Data protection by default requires revealing only that data necessary at a given time, for a given purpose, for a given user, and then re-protecting the data.
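As an added illustration (not code from the original article or from any vendor discussed in the webinar), the Python below sketches the two requirements just defined: a keyed token replaces the identifier so the analytics set keeps its information value while the ability to attribute it back to a person lives in a separately held store, and a purpose-scoped view reveals only the attributes a given purpose needs. The sample records, the field names and the purpose-to-field policy are constructed assumptions for the demo.

```python
import hmac
import hashlib

# Constructed sample records (fictitious people); field names are assumptions.
RECORDS = [
    {"email": "alice@example.com", "postcode": "75001", "spend": 120.0},
    {"email": "bob@example.com", "postcode": "69001", "spend": 80.5},
    {"email": "alice@example.com", "postcode": "75001", "spend": 30.0},
]

# Assumed policy: which attributes each processing purpose may see.
PURPOSE_FIELDS = {
    "regional_analytics": {"postcode", "spend"},
    "customer_support": {"email", "spend"},
}


def pseudonymise(records, key: bytes):
    """Pseudonymisation: split each record into an analytics row holding the
    information value plus a keyed token, and a separate re-identification
    store (token -> identifier). The token is consistent per person, which
    preserves analytic value (grouping, counting) but also linkability, so the
    key and the store must be kept apart from the analytics data."""
    analytics, lookup = [], {}
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = rec["email"]
        analytics.append({"token": token, "postcode": rec["postcode"], "spend": rec["spend"]})
    return analytics, lookup


def reveal(analytics, lookup, purpose):
    """Data protection by default: build a view exposing only the fields the
    purpose is allowed to see; the identifier is resolved through the separate
    store only when the purpose's policy includes it. The analytics set itself
    stays pseudonymised, so the data is re-protected once the view is discarded."""
    allowed = PURPOSE_FIELDS[purpose]
    views = []
    for row in analytics:
        view = {k: v for k, v in row.items() if k in allowed}
        if "email" in allowed:
            view["email"] = lookup[row["token"]]
        views.append(view)
    return views
```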
Stage five — ensuring continuity of operations
Companies at this stage of adjustment are seeking to verify that technology vendors satisfy GDPR requirements for pseudonymisation and data protection by default, so that by using the technology they can ensure ongoing continuity of operations.
What stage is your company at?
This article originally appeared in IAPP.
How GDPR-compliant pseudonymisation requirements have evolved from prior standards: