Friday, March 23, 2018
Does GDPR Impact Long-Term Strategies of Organizations in the EU Market?
by: C. D. Sutherland
The safeguarding of personal data has made a significant course correction. Any organization that handles personal data of EU residents must comply with a series of six new individual rights or face draconian fines of up to 20 million Euros or more. Those new rights were written in the General Data Protection Regulation (GDPR), effective summer of 2018. While the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the GDPR are similar, there are enough differences to create serious conflict. This paper focused on developments in personal privacy over the last two decades, the rights of data subjects, solutions for compliance, and possible outcomes. Voigt & Bussche (2017) provided a virtual handbook of compliance techniques in their guide on the GDPR. As the EU courts and Big Data will no doubt clash over the details of compliance, the struggle will be to change not only the long-term strategies of the EU in dealing with data security but also of the rest of the world (Zarsky, 2010). While most authors referenced in this paper believe the GDPR forced massive changes on organizations, some believe it did not go far enough, arguing that unless individuals have access to the automated or AI decision-making events, individual privacy has not been achieved (Mittal, 2017). The potential for pseudonymization to become the workaround solution for many of the GDPR requirements has yet to be determined (Goddard, 2017). Likewise, conflicts of interest between the EU and state-owned and large-revenue companies are yet to be played out.
Keywords: GDPR, Big Data, rights, compliance, non-compliance, pseudonymization
This paper began with a discussion of the changes that the GDPR requires of organizations operating in the EU market. Analysis of relevant literature was discussed, and recommendations and observations were made for adapting data handling processes for organizations to become compliant with GDPR. Such adaptation will impact long-term strategies of any organizations functioning in the EU market.
Organizations doing business in the EU market will be forced to either comply with the General Data Protection Regulation (GDPR) beginning May 25, 2018 or face draconian fines. The GDPR’s two-year phase-in period is ending and has already replaced the obsolete 1995 Data Protection Directive (DPR) along with multiple regional regulations within the EU market. The GDPR provisions were designed to protect individual rights, and they conflict with standard practices used by Big Data. Noncompliance will be dealt with harshly. Organizations that violate GDPR face potential fines up to 20 million Euros or 4% of worldwide revenues, whichever is more.
The EU and the US use different approaches to personal data protection and data privacy. Americans consider privacy as a property right whereas, in the EU, it is a fundamental right, which must be provided by the government (Ciriani, 2015). In 1995, the EU adopted the Data Protection Directive (DPR) to harmonize the protection of fundamental rights of the individual concerning data processing activities and ensure the free flow of data among EU member states. After the DPR was enacted, technology changed. Data legislation became fragmented across the EU, creating a legal minefield for regional interpretations of data protection (Tankard, 2016). As technology enabled new capabilities, the age of Big Data emerged, and the handling of data was monetized.
Big Data refers to the practice of creating and analyzing vast datasets, which indirectly involves myriad individuals. Much of Big Data's capabilities matured after the GDPR was initially discussed then drafted. During that period, Big Data voiced their concerns about the technologies that were emerging, but such arguments were received more like science fiction rather than fact. Since then, Big Data's new capabilities have become manifest and provide considerable advantages to businesses everywhere. GDPR will undermine the ability to exercise data analysis, and at the same time, Big Data technologies undermine some of the measures and distinctions of GDPR (Zarsky, 2017). The GDPR will hold controllers and regulators responsible for unfair or discriminatory data practices (Buttarelli, 2017).
The GDPR requires organizations to increase their data protection efforts to comply with the data subject’s rights. These rights are mentioned in detail in the 99 articles of the GDPR and include the right to access, the right to erasure, rectification and restriction, the right to be forgotten, the right to restriction of processing, the right to data portability, and the right to object (Voigt & Bussche, 2017).
The law covers the personal data of all EU residents, regardless of the location of that processing. The information protected includes personal data that can directly or indirectly identify an individual. Online data that identifies such things as IP addresses, cookies, location data, and more are affected by wider regulation than US privacy laws (Goddard, 2017).
The right to portability gives individuals the right to have a copy of the data a controller has of them. In the UK, individuals already have some data portability rights. These were resisted by many companies, mostly because machine-readable formats hardly existed when the requirements were enacted. Since then, energy companies and banks have made the effort to produce files. Companies naturally resist providing data on their customers. Their data makes up a large portion of their competitive advantage (Mitchell, 2017). GDPR allows data subjects to change service providers and grants consumers more economic flexibility to move, copy, or transmit personal data from one IT environment to another. While it empowers consumers, depending on the scope of the applications, it could also put business secrets and practices of controllers at risk (Voigt & Bussche, 2017).
As much as the GDPR appears to favor the individual over the data controllers, not everyone agrees the rights will be sufficiently protected. Technology has enabled the movement of data across geographical barriers, and along with it the capability to outsource data processing jobs to countries outside the EU. Some of the provisions of GDPR remain generically similar to the outdated Data Protection Directive; however, GDPR has incorporated some new provisions. Even though GDPR introduces the ‘right to be forgotten’, legitimizes the role of consent, provides data protection by design and default, increases accountability of data controllers and expands the scope of provision of the directive to extraterritorial jurisdiction, it remains to be seen whether GDPR is nothing more than old wine with a new label or something else in a wine bottle (Mittal, 2017).
According to Mittal, organizations still have enough room to violate the fundamental right of privacy of EU citizens. One area of concern is “the missing right to explanation” wherein an automatic or artificial intelligence algorithm will be legally mandated. When that happens, the individual is not guaranteed transparent and accurate decision-making, and there is no legally binding right to explanation in the GDPR. Because new capabilities are emerging, the details of how data will be exploited are not fully known to data controllers. Providing the algorithms that drive automated decisions to individuals would have little utility, except to minimize one controller’s competitive advantage over another.
Databases have so much information, which can be processed quickly. The output of that processing can provide analysis that was not even considered when the data was initially collected. The technology performs data-crunching when human operators do not know where to start (Zarsky, 2017).
One of the new elements in the GDPR is its call to establish data protection certification mechanisms, data protection seals and marks to help enhance transparency and compliance with the Regulation, and allow data subjects to quickly assess the level of data protection of relevant products and services. To this effect, it is necessary to review privacy and data protection seals from a new beginning so as to determine how data protection certification mechanisms, seals or marks might work given the role they will be called to play, particularly in Europe, in facilitating data protection (
Despite the different approaches between the US and the EU, some similarities exist between the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the GDPR. At the same time, there are enough differences to create serious conflict. The US federal Department of Health and Human Services (HHS) and the EU are similar concerning maintaining the confidentiality and privacy of personal data and protected health information. The major differences between the two practices range from the narrow focus on the health industry with the HHS to the broad scope of the EU on data controllers. The HIPAA Privacy Rule is more detailed and directive in nature than the GDPR; however, the GDPR has greater regulatory inflexibility with regard to the ease of consent withdrawal, including the concepts of authorization and consent, the rights of amendment and rectification and the right to erasure (Tovino, 2017).
US Federal and state health laws require retention of medical, billing, compliance, and other records for at least five years, if not longer. Without such records, how could adverse drug reactions, allergic reactions, and other injuries be referenced? Without records, how could preexisting health conditions be known? Records are essential for dealing with fraud and abuse, detecting privacy violations, and detecting problematic prescription patterns. The contrast between data erasure provisions in HIPAA and GDPR makes the two incompatible; this is an opportunity for global partnerships to work out the enabling compromises (Buttarelli, 2017).
GDPR is already a regulation, which was developed to mitigate the disparity of regional issues associated with the limitations of DPR. Member nations of the EU will add volumes to the 99 articles of this broad-reaching, transnational regulation. To avoid impending fines, companies should reorganize their internal data protection procedures to accommodate the GDPR. Ten steps are recommended (Voigt & Bussche, 2017).
Controllers and processors need records of processing activities to prove compliance. Such records must be thoroughly maintained, providing proof of compliance with the GDPR. Records must contain, among other things, information on the purposes of processing, the categories of data affected and a description of the technical and organizational purpose of the records.
Private entities are obliged to designate a Data Protection Officer if their business strategy consists of regular monitoring of data subjects or personal data on a large scale. Several groups of such undertakings may have a single Data Protection Officer.
If processing activities are likely to result in high risk to data subjects, organizations must conduct preventive Data Protection Impact Assessments for risk mitigation. If the results of the assessment do not enable the entity to determine which safeguards could be applied, it will have to consult with the Supervisory Authorities.
As the obligation to develop and implement such concepts is directly enforceable, entities should address the concepts of Privacy by Design and Privacy by Default. The GDPR emphasizes preventive data protection concepts.
Data processors must implement technical and organizational measures to guarantee the safeguard of personal data. The appropriate data protection level must be determined based on the risk potential inherent to the entity’s processing activities on a case-by-case basis.
Individuals will have comprehensive information and other rights against data processors. Organizations will have to proactively fulfill many obligations towards the data subjects, such as granting information on processing, erasing personal data or rectifying incomplete personal data. Especially, the data subjects’ right to data portability may challenge entities as they will have to provide datasets to their customers upon request.
The GDPR introduces a general reporting duty of the controller towards the Supervisory Authorities in case of a personal data breach. Such breach might occur by way of a technical or physical incident. The notification has to take place within a 72-hour time frame after becoming aware of the breach. In case of an incident with a high risk for the rights and freedoms of the data subjects concerned, the controller will have to communicate the breach also to them. In such a case, assistance from the Supervisory Authority will be available to the controller.
Where feasible based on an entity’s budget and resources, compliance with the GDPR might be implemented and monitored by way of a Data Protection Management System. It is an internal compliance system that will monitor the fulfillment of the data-protection-related and safety-related requirements.
Organizations that fall within the scope of application of the GDPR without having an establishment in the EU are obliged to appoint an EU-located representative. The EU representative will serve as a contact point for data subjects and the supervisory authorities.
Finally, while not mandatory, a self-regulation mechanism, such as Codes of Conduct and Certifications, will have higher practical relevance under the GDPR. Whereas Codes of Conduct specify the obligations under the GDPR for a certain sector or technology, Certifications will prove compliance with the certified activities with the GDPR. The use of these internal guidance instruments will facilitate the burden of proof for compliance towards the Supervisory Authorities.
The solution to becoming GDPR compliant is obviously a reorganization of grand scale. With the right precautions in place, organizations should have little to fear. Tankard (2016) insists the time and effort required to achieve compliance will vary significantly from one organization to another, but it would be well worth the effort and expense.
Some have suggested that pseudonymization will become the default for all research projects. Done right, the data record can be disassociated from actual people; however, it also provides a future pitfall and costly punitive actions for organizations that maintain decoders for re-identification (Goddard, 2017).
GDPR is the reality for organizations in the EU market. The impending clash among global partners, Big Data, and the EU suggests three potential futures: one where the EU leads the world into a new age of protecting individual data, another where the world rejects the EU and leaves it behind politically and economically, and a third future where many compromises must be made (Zarsky, 2017). Whatever the outcome, the EU courts will be the final decision-makers for the EU market. The effort to protect individual rights is a noble one, but solutions that negate Big Data and place the EU in a non-competitive situation with the rest of the world would have a long-term impact on the economy of its member states.
Companies with less than 500 million euros of annual worldwide revenues will significantly change their long-term strategies to comply with GDPR unless they make the unlikely decision to withdraw from the EU market. State-owned and high revenue companies may employ political and economic instruments of power to influence EU decision-makers that favor their long-term strategies regarding GDPR.
US-based companies that have not entered the EU market need to consider the requirements of GDPR as they establish and update their data control systems. The serious differences between HIPAA and GDPR suggest there are years before a worldwide system of regulation will be uniform; however, common logic suggests a growing global economy will eventually find a way for individual privacy rights to be guaranteed while still providing a viable and profitable market for business.
As technology has enabled Big Data and organizations that thrive on the services they provide to monetize their activities, the GDPR data security requires processes to change. The primacy of the individual rights over the data puts the data handlers in a comply-or-be-punished scenario. Organizations that operate in the EU market have had two years to reorganize and adapt their data processing procedures, so some think the clash between the courts and the organizations is imminent. The solutions to compliance are readily available (Voigt & Bussche, 2017). The EU effort to protect individual rights is a noble one, but some concerns over the impact on Big Data are yet to be resolved (Zarsky, 2017).
This paper focused on the speculation about the impact GDPR was expected to have on organizations operating in the EU market. Beginning with the summer of 2018, challenges to the GDPR are most likely to become available in the public domain. A viable source of information should be open-source news data as companies found out of compliance are brought into the EU courts. A ubiquitous source might be the absence of large and state-owned companies that are not penalized by the EU. While interviewing companies with EU customers may produce useful information, the front line of the EU court system may be a better source. Ultimately, the changes organizations make based on the actual enforcement of the GDPR should be researched and considered.
Buttarelli, G. (2016). The EU GDPR as a clarion call for a new global digital gold standard. International Data Privacy Law, 6(2), 77-78. http://dx.doi.org.ezproxy.libproxy.db.erau.edu/10.1093/idpl/ipw006
Ciriani, S. (2015). The economic impact of the European reform of data protection. Communications & Strategies, (97), 41-58,153. Retrieved from http://search.proquest.com.ezproxy.libproxy.db.erau.edu/docview/1678885971?accountid=27203
Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6) 3. doi:10.2501/IJMR-2017-050
Mitchell, A. (2016). GDPR: Evolutionary or revolutionary? Journal of Direct, Data and Digital Marketing Practice, 17(4), 217-221. http://dx.doi.org.ezproxy.libproxy.db.erau.edu/10.1057/s41263-016-0006-9
Mittal, S. (2017). Old wine with a new label: Rights of data subjects under GDPR. International Journal of Advanced Research in Computer Science, 8(7) Retrieved from http://search.proquest.com.ezproxy.libproxy.db.erau.edu/docview/1931130276?accountid=27203
The future of privacy certification in Europe: an exploration of options under article 42 of the GDPR. International Review of Law, Computers & Technology 30(3) doi: 10.1080/13600869.2016.1189737
Tovino, S. (2017) The HIPAA Privacy Rule and the EU GDPR: Illustrative Comparisons, 47 Seton Hall L. Rev. 47(4) 973 Retrieved from https://advance-lexis-com.ezproxy.libproxy.db.erau.edu/api/permalink/860d5901-b1fd-425b-92a2-3124046f6932/?context=1516831
Voigt, P. & Bussche, A. (2017). The EU General Data Protection Regulation (GDPR) A Practical Guide. Cham, Switzerland: Springer International Publishing.
Zarsky, T. (2017). Incompatible: The GDPR in the Age of Big Data, Seton Hall L. Rev. 47(4) 995 Retrieved from https://advance-lexis-com.ezproxy.libproxy.db.erau.edu/api/permalink/55b06ec3-fb3f-41bd-ae9c-7fd57496b3e0/?context=1516831