GDPR, or the European Union’s Parliament-ratified Global Data Protection Regulation, will go into full effect in May. This regulation, binding across all EU countries, was passed in April 2016 with a two year ramp-up period designed to give companies and governments time to enact processes and protocols that will help them conform to what are some of the most-restrictive laws protecting personal data ever enacted. Further, GDPR is likely just the start of more--and more comprehensive--global consumer protection laws in the years to come.
It should be noted that GDPR covers protection of EU citizens’ personally identifiable data--data points that can be used to identify a single human being--rather than regulation of EU controllers of data and processors of that data. The GDPR, therefore, is binding against any entity that possesses, retains and processes EU consumer data, regardless of whether the company exists within the confines of EU countries. This is precisely why GDPR matters to U.S. and global companies, so long as they process or retain EU citizenry data now or in the future.
Excellent data stewardship should be the goal of any data professional. Corporations are beholden to maximizing shareholder profit within the guidelines of the law and the regulations under which their industries are governed. While data collection and retention is nothing new, the technologies that have emerged in the last 25 years have created three main drivers for regulations such as the GDPR:
1. Acquiring and storing data has become easier and more cost-effective than ever before.
2. The sheer volume of data available through business mechanisms and social media has made the scope--and intrusiveness--of data collection an issue.
3. Data is the new currency: The financial gains that can be realized through data mining are enticing enterprises from all sectors to become cultivators of data when they may not have the infrastructure, means or intentions to handle the data correctly.
Financial penalties are in place to keep less scrupulous entities in line within the GDPR. Organizations may be fined €20 Million or up to 4% of annual global turnover for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, but there is a tiered approach to fines built into the regulation, depending upon the violation. Both “Controllers"--entities that collect and store data identifying EU citizens--and “Processers”--companies that may run calculations or utilize the data in some method to provide insight, services or goods for themselves or a controller that is a client, are subject to the GDPR.
Data Protection Template
The GDPR, while written in spartan fashion for legal documentation, is still a broad document spanning more than 100 pages. (The full text of the GDPR is available here.) It’s important to keep in mind that the principles behind the GDPR are the same principles of solid data protection that data professionals have advocated for many years. The GDPR provides guidance on how consent is given by individuals for processing of their data, how data breaches are communicated, requirements for hiring data protection officers, what constitutes personal data, and the rights afforded to EU citizens under the GDPR.
It is this last area that I’m focusing on here as it’s the area of governance that is providing the most concern for global entities.
Rights Afforded under the GDPR
Right to Erasure: a.k.a. (“Right to be Forgotten”)
The right to erasure has caused the most buzz as organizations prepare for the May deadline. According to the GDPR, data subjects have a right to request that their data be removed from a database in a reasonable timeframe. This pertains not just to live data, but also to data retained within backups. These requirements are leading many organizations to build obfuscation mechanisms and deletion methods that can be enacted when a request “to be forgotten” is submitted. These processes extend to restored backups that may hold data pertaining to these requests, and the rules are likely reducing the length of time many organizations choose to hold onto their backups or retain live data in their database systems.
It’s my opinion that this is also the end of natural keys for relational databases--particularly if a column that serves as a key is in any way considered a personally identifiable metric. This also adds difficulties to many “nosql” database systems that provide “soft deletes” of data--marking data as deleted with a flag or some signifier rather than removing the data records as a “hard delete.” I also anticipate issues when the need to retain data for business purposes directly related to calculating financial historical reporting, honoring warrantees or other existing legalities collides with the directives of the GDPR. Time will tell.
Right to Access
The GDPR lets data subjects request that all of their personal data being held by a controller be provided to them free of charge and in timely fashion. Organizations will need to build processes into every applicable system for exporting complete data sets for an individual. They will also need to develop a secured process for transmitting this information.
Right to Be Informed
Right to Restrict Processing
This right is in line with the right to be forgotten but is less extreme. It essentially says that data subjects can provide consent for organizations to store their personal data but not process it. This could shape up to be a logistical nightmare because it would require flagging--by individual--any records that would need to be part of any calculation falling into the category of “processing.” This means database schema changes, altering every execution codification that drives data processing, and all the overhead that comes with such a large-scale change to any application processing data.
The GDPR, while aimed at regulating how EU citizens' data is retained and processed, will have broad impact worldwide. This includes a big financial impact in terms of the time it will take to rework and augment existing systems and to build applications. It will also assuredly see its days in court, and the lawsuits that will undoubtedly be filed in the next decade will shape the data governance we’ll all be subject to for the foreseeable future as technology--and how we interact with it--continues to evolve.