Much has already been written about the GDPR. But what most interests companies adjusting to the new regulation, are the organizational aspects and the internal processes to implement. Especially those relating to human factors.
GDPR, the new European General Data Protection Regulation, came into force on 25 May 2018. We have all heard about it and its important implications for companies and individuals, inside and outside Europe.
If you are a citizen, the advantages are remarkable: now, you can access any social network database and look in your personal locker. You are also able to rummage in and choose what to keep and what to throw away. Your name, your age, your photos, your taste, and your political, sexual and religious orientations: from 25 May 2018, nobody can save these data without your permission.
If you are an organization, things are a bit more complicated, but if you make the effort to comply you will receive great advantages too.
Much has already been written about the GDPR, as well. But what most interests companies adjusting to the new regulation are the organizational aspects and internal processes to implement, especially those relating to human factors.
These are the aspects on which we will focus, with the aim of guiding companies step by step in the application of the GDPR and, if requested, offering consulting services. Let’s start by answering a first, important question:
Which companies does the GDPR apply to?
Practically, all of them. The GDPR concerns mainly large companies, such as social networking platforms, banks, insurance companies, public administrations and corporations. It also has a big impact on small and medium-sized enterprises (SMEs), though. If your company handles personal data of European citizens, whether they are customers or employees, then you must comply with the GDPR. It is not necessary for your company to reside in Europe country: it is enough for it to own data of European residents.
Depending on the company, the new regulations distinguish between two figures: the data controller and the data processor. The European Commission provides a guide explaining their different functions and roles.
What is required of companies?
At the heart of data protection are two main issues: understanding what kind of data a company owns and why.
The first step for companies is therefore to analyze the types of data that they acquire, store and process. They must pay great attention to privacy, which they must integrate directly into business systems and processes. In order to do so, the GDPR requires companies to adopt a register, the Data Processing Register.
The second step concerns assessment of the risk of possible loss of information. Such a risk concerns both tangible and intangible assets, such as reputational damage. In case of data breach, the company is required to communicate the event to the Data Protection Authority.
This alone, however, is not enough. If the loss poses a risk to the freedom and rights of individuals, the data controller must inform all parties concerned in a clear, simple and immediate manner, and provide the correct information on possible solutions for damage limitation.
What do human and organizational factors have to do with the GDPR?
A first response comes from the GDPR Summit held in June 2018 in London. There, Ardi Kolah, Editor-in-Chief of the Journal of Data Protection & Privacy, stated that: “It is a mistake if your starting point, when looking at GDPR, is fines or sanctions”. On the contrary, he said, “trust is the starting point. If they can create trust, companies can do more, not less, with personal data”.
Indeed, this is the central issue. The GDPR is about creating a more comfortable and secure environment, where the technological, legal and organizational aspects of a company can coexist in a better way, and where people may feel they can trust companies with their data.
Restoring a relationship of trust between people and organizations that store their data is crucial. A recent survey by ForgeRock on “What the Internet of Things means for consumer privacy” shows that there is widespread concern among citizens about their own privacy. In fact, 86% of consumers say they want to control what personal information is automatically gathered. Also, 74% worry that even a small violation of privacy might lead to a loss of civil rights. Finally, 57% are concerned about too much data they share on the Internet.
The Economist Intelligent Unit, Consumer privacy meets the Internet of Things, sponsored by ForgeRock
There are also other security risks related to human factors that companies must address. Every day, in each company, employees access stored data to perform administrative, marketing or communication functions. Each access pointthey use represents a factor of vulnerability to personal data, which might fall into the wrong hands. For this reason, another focal point of the GDPR is the organisational aspects of a company.
The GDPR is a complex reform. Applying it in its entirety requires careful study of human factors, usability of data processing, security and protection technologies. These help identifying organizational and human factor vulnerabilities that could favour data breaches. For this reason, it is strongly recommended that you turn to a consulting firm in order to fulfil the obligations of the GDPR.
On what are the core principles of the GDPR?
We would like to stress some important data protection principles in the GDPR:
- Lawfulness, fairness and transparency. No more incomprehensible information: rules for users must be simple and clear, and it must be possible to change them at any time.
- Purpose limitation. Personal data, and in particular the most sensitive data, may no longer be disclosed without explicit consent.
- Data minimization. Companies can store only the data strictly necessary for them to work. For all other kinds of data, the rules are very strict.
- Storage limitation. More rules for companies, more security for people.
- Integrity and confidentiality. Companies must pay greater attention to data retention.
- Accountability. The Data Protection Officer is responsible for data protection. It must verify and be able to demonstrate that the GDPR is respected.
So, do you have a plan?
We cannot completely eliminate risks: it is possible that sooner or later a data breach occurs. But when that happens, one must have already done everything possible to make sure that the violation causes as little damage as possible. And be able to demonstrate that the company has taken all the necessary measures to minimise the risk. This is crucial to avoid penalties of up to EUR 20 million or 4% of the company turnover. Therefore, it is important to have a plan.
The GDPR can also be a great opportunity for companies to simplify rules and organizational processes, and save money. The regulatory nature of the GDPR implies its direct application. It does not require implementation by laws at a local level, something which in the past led to different interpretations by member states. The European Union estimates that this will mean an overall saving of EUR 2.3 billion per year for companies.
In short, the GDPR does not intend to make life more difficult for companies. On the contrary, it intends to make it easier, cheaper and safer to process and protect personal data, recreating a relationship of trust between citizens and companies that work with their data.
Alessandro Pollini (BSD design) contributed to this article. BSD design is a design and research centre on human factors, ergonomics and interaction design. It specializes in interaction with complex systems, user research and resilience of organizations. BSD design supports companies in the analysis of human factors and in the development of awareness and security actions in organizations.