GDPR threatening to catch third parties off guard
It has been two years since the EU’s General Data Protection Regulation (GDPR) was announced, but there are still companies unaware of how wide-ranging the changes they need to make are and how little time they have left to make them.
Law firm Blake Morgan conducted a survey in September into the readiness of UK companies to meet GDPR requirements, and found 23% of companies were completely unaware of the new regulations.
The number of companies that had started to take steps toward compliance was also worryingly low. Only 13% of respondents had updated their privacy policies, despite this being one of the key requirements.
GDPR is intended to replace the existing EU Data Protection Directive. Implemented in 1995, the directive’s rules are now vastly inadequate for the volume of data being processed online. Under the new rules, customers will have to give explicit permission for companies to hold data about them, and the companies must be able to prove that permission has been granted. Customers will also be able to exercise their right to be forgotten, in which case any information stored about them must be deleted.
Hamish Thomas, partner, EMEIA FSO advisory at EY, says: “GDPR is raising questions about how data is shared and protected. There needs to be a balance that recognizes both the opportunities and risks. Enabling customers to choose who can use their data to provide the services they want, whilst keeping the data safe.”
GDPR will go live on May 25, 2018. The rules apply to any business based in the EU, and to any company internationally that holds the data of EU citizens. Unlike earlier regulations, it requires data processors, as well as data controllers, to be compliant. This directly affects third-party processors.
Tony de Bos, EY’s EMEIA GDPR lead, says the regulation extends far beyond financial institutions: “Besides banking, other organizations that need to review what they are doing with data include insurance companies, telcos, retail, healthcare and government organizations.”
The aim of the regulation is to keep customer data safe in an increasingly complicated and interconnected digital world.
Thomas says: “Financial crime and security are broader, ongoing challenges. However, it is possible to create a trusted and secure platform for sharing data with customers’ permission. By applying new technology it can keep customers’ information protected whilst improving the services they use.”
Under the banner of new technology, cloud-based solutions provider Amazon Web Services launched the data processing agreement (DPA) tool in April 2017 to help all its customers hit the GDPR standard.
While new technology may speed up meeting the standard, De Bos says those that have not yet started to work towards compliance may have left it too late: “We see that more and more organizations are encrypting, pseudonymizing and anonymizing data. However, GDPR is risk-based. Organizations need to understand the risks and implement the right protection for their consumers’ data.”
Companies will no longer be able to simply store information for the convenience of themselves or their customers. If the reason for storing the data is not considered justified, it may have to be deleted.
This may mean internal operations will need to be overhauled. For example, customers may now need to enter their information each time they make a purchase online. Companies need to find a way to make this a simple process, or risk services and transactions being abandoned by the customer if the process proves too lengthy.
De Bos says although some companies know what is expected of them, they do not understand how deep into their organization these changes go: “Many are starting with a compliance book exercise, but often learn quite quickly that the GDPR impacts every part of the organization significantly. Often remediation is needed for all activities processing Personal Identifiable Information (PII).”
PII is any data that can identify a specific individual. It ranges from names and dates of birth all the way to biometric records.
The impact of not meeting the standards is likely to be sizable. For any companies failing to protect data to the standard set out in GDPR, the penalty is set at either 4% of annual worldwide turnover or $20 million, depending on which is greater.
Any security breach has to be reported within 72 hours. The risk of fines also extends to record-keeping: if proper breach logs are not kept, or breaches are not reported in time, companies can be fined $10 million, or 2% of global revenue.