
Organizations Globally Alter Data Handling Practices in the Wake of GDPR


One Portuguese hospital's current claim to fame isn't its standard of care. Rather, it has gained notoriety as the recipient of one of the first widely reported major fines under the European Union's (EU) General Data Protection Regulation (GDPR).

At the end of October, it was revealed that the medical institution was appealing two separate penalties from the Portuguese data protection authority, totaling 400,000 euros. The fines were issued for allowing inappropriate access to patients' medical records and for failing to secure data adequately. According to reports, 985 user accounts had doctor-level access to clinical data, more than three times the number of physicians the hospital employed. The failure is a familiar one: role assignments in the clinical system were never reconciled against who actually held the job that justified them.

What Is GDPR?

GDPR, which came into force on May 25, 2018 (see "GDPR Timeline"), gives data protection authorities in the EU's 28 member states unprecedented powers of oversight over the way companies handle the personal data of data subjects (any identified or identifiable natural person, which in practice includes customers and employees). It gives people in the EU the right to have their personal data collected, stored and processed in a way that is transparent, secure and appropriate, wherever in the world that processing takes place.

If an organization fails to meet the standards of GDPR, it can be fined up to 20 million euros or 4 percent of its worldwide annual turnover, whichever is higher.

The 99 articles of GDPR are broad enough to cover everything from keeping records of processing activities (Article 30) to archiving data in the public interest or for scientific research (Article 89). The principle that underpins the whole document, however, is best summed up as data protection "by design and by default" (Article 25).

“GDPR isn't perfect by any means,” says Richard Hogg, global GDPR evangelist for IBM. “But it does set the bar very high as a way of applying protection to personal data.”

Complying With GDPR

Encryption of personal data, for example, isn't mandatory under GDPR, but the regulation names it repeatedly (in Articles 32 and 34, among others) as an appropriate safeguard, and a breach of data that was properly encrypted may not require notifying the affected data subjects at all.

“Encryption is not a panacea,” Hogg says, “But it’s something that everyone should be doing.”

GDPR also goes beyond the familiar opt-in/opt-out terms and conditions that organizations have used to gather data and, in some cases, to sell it on to third parties. "Data subjects," as the language of the regulation puts it, must be informed when their information is used for a purpose other than the one for which consent was given. They also have the right to make a subject access request (SAR, often called a data subject request or DSR) and to obtain, correct or erase the records held about them, within certain limitations. Organizations now need to demonstrate transparency and accountability when handling personal data, and they must be clear about the legal basis (Article 6) on which they process each data subject's data; consent is only one of six such bases.

Winning Back Trust

GDPR was introduced at a time when public trust in organizations' ability to respect privacy and guard the data they hold was at a low, thanks to well-publicized scandals such as Facebook's arrangement with Cambridge Analytica and the exposure of the personal data of 143 million people at Equifax. A recent HarrisX survey found that 83 percent of U.S. citizens believe technology companies should face tougher sanctions when they suffer a data breach (bit.ly/2JfUDrG), while in 2017, the U.K. ICO found that only 20 percent of people "trust and have confidence in companies and organizations storing their personal information" (bit.ly/2CGiH7i).

Poorly protected personal information has serious material effects, too. The U.S. IRS says that in 2016, it handed over $1.6 billion to criminals who used identity theft to claim tax rebates (bit.ly/2RNrCb8).

Much has been written about the potential for GDPR to help fight this kind of crime and give technology companies the tools and language to win back the faith of end users. While it may sound optimistic that “GDPR compliant” could become a badge of respect, there’s early evidence that it may be working. The U.K. ICO followed up on its 2017 report a year later and found that the number of people who said they trusted data organizations had risen from one in five to one in three (bit.ly/2x2UBj6).

Indeed, says Hogg, the message coming from Europe’s regulators is that they’re far more interested in assisting organizations with becoming compliant than they are in handing out millions of euros in fines. This appears to be more than just talk, as enforcement agencies have been very quiet about fines issued so far. In the case of the Portuguese hospital, a judgment was made in July—but only became public knowledge when the hospital itself began an appeal process two months later.

Regulators also have leeway to moderate fines based on the technical and organizational measures that were in place when data leaked (Article 83), and are likely to be lenient with companies that had suitably protected their data stores but were subject to sophisticated and more or less unavoidable attacks.

"GDPR is a transformation charter," Hogg says. "A chance to get your house in order and manage your data more transparently, in a way that will win back customer trust and encourage them to share more information with you, which you can use to tailor products and services to their needs."

Certainly, citizens are more aware of their rights around data protection today than they were a year ago. The Irish Data Protection Commission saw complaints rise nearly fivefold after GDPR came into force (bit.ly/2Ar68Nk). The French regulator also saw a 60 percent increase in referrals.

The Road to Compliance

Given the importance of data privacy to consumers and the powers that GDPR gives regulators to hold organizations inside and outside the EU accountable, it's surprising to find that few companies were adequately prepared. Despite a two-year gap between the legislation passing and GDPR coming into effect, a study conducted by Ipsos on behalf of data protection firm Shred-it found that only 44 percent of large U.K. corporations had taken the basic step of appointing a data protection officer, which Article 37 requires of public authorities and of organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data (bit.ly/2DgpRPk).

Only 35 percent of European companies were able to comply with an SAR during the first four months of the new regulation, according to a study carried out by 451 Research on behalf of Talend (bit.ly/2AWVhsE).

The situation is improving, according to Hogg. “I still get organizations phoning me to ask about GDPR every week,” he says.

One key area of confusion is that GDPR applies to any company, anywhere in the world, that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behavior (Article 3). That means that, potentially, your entire global supply chain needs to be ready. While there's some debate about how enforceable that rule is against companies with no EU presence, Hogg says the issue is moot.

“We made the decision at IBM to implement GDPR compliance throughout our entire organization throughout the world,” Hogg says, “We share the methodology that we use on our ibm.com/gdpr website, and we drink our own champagne: The same tools we use in-house are the ones we offer to clients to help with data discovery, cataloging, encryption and reporting.”

Incorporating Best Practices

Many elements of GDPR, Hogg maintains, represent information governance best practices, which all companies should be adhering to regardless of their location, and he’s keen to help them improve their own processes. One key element in ensuring compliance is understanding what data you actually have access to: The challenge of the “data silo,” in which customer information can be held in multiple places relating to different services, means that the permissions granted to store that data may be different, too.

Banks, for example, tend to operate a mix of legacy databases that have been compiled at different times. Tools such as IBM’s InfoSphere* Guardium* are designed for this kind of data discovery, and using them for GDPR can help with other business solutions too.

“It is harder to do ‘big data’ analytics under GDPR,” says Hogg, “In order to bring in personal data about anyone in Europe, you must likely get the consent of that person for any profiling or automated processing, and need to adhere to opt-outs and make sure that it is anonymized. But you should be doing that with everyone’s data anyway, regardless of whether or not they’re in the EU.”
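The pseudonymization Hogg alludes to is the usual way to keep analytics possible once consent and opt-outs have been handled: strip the direct identifiers, replace them with a token that lets records for one person be joined without revealing who that person is, and coarsen the fields that identify people in combination. The script below is an added example, not code from the article or from IBM; the record layout (name, email, postcode, diagnosis code), the secret key and the sample rows are all constructed assumptions.

```python
"""Keyed pseudonymization of a personal-data extract before analytics.

Added example, not code from the article or from IBM. It assumes a record
layout of name, email, postcode and diagnosis_code, and a secret key held
only by the data controller. All sample data is constructed.
"""
import hashlib
import hmac

# Constructed sample extract; in practice this is read from the source system.
RECORDS = [
    {"name": "Ana Martins", "email": "ana@example.org", "postcode": "2830-003", "diagnosis_code": "I10"},
    {"name": "Bruno Silva", "email": "bruno@example.org", "postcode": "2830-003", "diagnosis_code": "E11"},
    {"name": "Ana Martins", "email": "Ana@Example.org ", "postcode": "2830-003", "diagnosis_code": "J45"},
]

DIRECT_IDENTIFIERS = ("name", "email")  # removed; email becomes the join token
QUASI_IDENTIFIERS = ("postcode",)       # coarsened; they re-identify in combination


def pseudonym(key: bytes, value: str) -> str:
    """HMAC-SHA256 of a normalized identifier under a secret key.

    A plain SHA-256 of an e-mail address is reversible by anyone who can
    enumerate addresses; keying the hash confines re-identification to
    whoever holds the key. The value is normalized first so the same person
    gets the same token regardless of case or stray whitespace."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def coarsen_postcode(postcode: str) -> str:
    """Keep only the leading district part of a Portuguese-style postcode
    (NNNN-NNN becomes NNNN), trading precision for a larger crowd."""
    return postcode.split("-")[0]


def pseudonymize(records, key: bytes, opted_out=frozenset()):
    """Return an analytics copy of `records` with direct identifiers replaced
    by a keyed token, quasi-identifiers coarsened, and anyone in `opted_out`
    (normalized e-mail addresses) dropped entirely."""
    out = []
    for rec in records:
        email = rec["email"].strip().lower()
        if email in opted_out:
            continue
        row = {"subject_id": pseudonym(key, email),
               "postcode": coarsen_postcode(rec["postcode"])}
        for field, value in rec.items():
            if field not in DIRECT_IDENTIFIERS and field not in QUASI_IDENTIFIERS:
                row[field] = value
        out.append(row)
    return out


if __name__ == "__main__":
    # Constructed key for the demonstration; a real one comes from a KMS or
    # HSM and never sits next to the pseudonymized data.
    demo_key = b"controller-secret-key-for-demo-only"
    for row in pseudonymize(RECORDS, demo_key, opted_out={"bruno@example.org"}):
        print(row)
```

Two caveats a practitioner should keep in mind. First, this output is still personal data under GDPR (Article 4(5), Recital 26): the controller can reverse the tokens with the key, so the key needs its own access controls and the data its own safeguards; it is only anonymous if the key is destroyed and the quasi-identifiers are coarse enough that no individual stands out. Second, the token is stable by design so that records can be linked, which is exactly what makes it a re-identification risk if it ever leaks alongside a mapping table.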

Adam Oxford is a freelance writer based in South Africa. He’s covered technology-related issues for more than 20 years.
