Europe’s privacy law, the General Data Protection Regulation (GDPR), came into effect on May 25, 2018. It supports the European Commission’s strategy of harmonizing separate data protection laws for 28 European countries, and grants individuals greater protection and rights. Since its adoption, GDPR has been a hot topic, as it affects businesses around the world.
To many, the landscape is confusing, as the law is quite complex – it is 88 pages and 56,000 words, after all. In a blunder made several weeks ago, British Airways asked customers to post their personal data over social media, claiming it was necessary for GDPR compliance. One passenger discovered this, and pointed it out on Twitter and in an open letter on GitHub. “I do not recall explicitly consenting for my information to be shared in this way, nor do I see any way to opt-out or withdraw my consent. This all appears to be a violation of article 7 of GDPR for conditions of consent,” he wrote.
The GDPR conversation was in full force at IdentityNORTH’s Annual Summit this year, with a presentation from Deloitte’s Beth Dewitt, Partner, National Leader for Data Protection and Privacy Services, and Irene Reverte, EU Privacy Lawyer, Cyber Risk Services.
The rules were designed to create trust between individuals and organizations in the digital economy, said Dewitt.
“What most organizations know about GDPR is that it comes with heavy fines, and they don’t want to see those fines,” she said.
Reverte, an expert on GDPR, identified its top five challenges:
- Obtaining and managing informed consent
- Operationalizing the right to erasure across the enterprise
- Developing a record of personal data processing activities that can be kept up to date
- Keeping records to demonstrate compliance
- Allowing for data portability in certain situations
She also shared five key lessons:
- We’re not starting from scratch. We have a strong privacy legislative system in Canada that organizations already work with. Even though GDPR comes with new regulations, some systems are already in place.
- A Record of Data Processing Activities (RDPA) is a key strategy piece. Develop and maintain a register of personal data processing to add value to your GDPR compliance strategy.
- GDPR is a risk-based piece of legislation. Assess the risk that your processing activities pose to individuals before allocating resources to mitigate them.
- Train your teams. Everyone should know what their privacy and security responsibilities are as part of their job duties, and what to do if there is a breach.
- GDPR is enabled by all business functions. It is no longer owned just by the privacy, legal and compliance functions. It is a team sport.
As businesses operate in an increasingly global context, putting privacy first is a necessity. GDPR draws attention to a longstanding truth: operating from a privacy-respecting point of view from the beginning is preferable for customers and companies alike.
This is a summary of the session ‘GDPR: What Canadians Need To Know.’ To view the full Conference Report, join our community mailing list.