A year tomorrow, on 25 May 2018, the regulatory environment for privacy in the European Union will become much harsher with the introduction of the General Data Protection Regulation (GDPR). This will affect any business operating in the bloc, not just those that are based there. But how far along should companies be in their preparations today?
The GDPR will certainly have a huge impact, not least because it will allow regulators to fine companies up to 4 percent of their global annual turnover if they break the rules. These rules include heavier requirements for security and data breach notifications, and the need for any company handling significant amounts of personal data to have a data protection officer.
There will also be a massive shift of power towards the data subject: people will be able to restrict the profiling that companies do on them, demand the deletion of their personal data, and insist that companies let them take their data with them so they can switch to competitors.
Read more: Talend: GDPR compliance threats in the IoT
Not even aware of it
However, nearly a quarter of European companies aren’t even aware that the GDPR is coming, according to a survey conducted earlier this month by IDC Research on behalf of security vendor ESET (which, naturally, offers consultancy services for businesses struggling with their preparations).
Of the 700 companies surveyed, 22 percent knew nothing of the GDPR, a little over half knew about it but weren’t sure how it affected them, and 59 percent were not “fully GDPR-compliant”.
Another recent survey, this time conducted by Vanson Bourne for mainframe firm Compuware, suggested that large American companies are far more prepared for what’s coming. In a survey of 400 CIOs from large US companies, 88 percent claimed to be “well-briefed” on the GDPR. With almost all saying they held personally identifiable information on EU customers, 60 percent had “detailed plans in place” to comply with the regulation.
Read more: Three simple steps to secure your IoT system
“When I was in the US last fall, I was already surprised into how much detail privacy people from US companies had already dived, as far as the GDPR is concerned,” German tech lawyer Niko Härting told Internet of Business. “Generally speaking, in big companies the GDPR is dealt with as a compliance issue, and compliance is obviously taken even more seriously in the US than in Europe.”
In Germany, Härting said, those most prepared for the GDPR are companies that are “used to being very protective when it comes to data”, such as insurance firms and those in the financial sector. “In spite of all the alerts from tons of lawyers and advisers, the chances are that [it’s] a small minority of smaller companies that have actually started to look into what they have to do in order to be compliant under the GDPR,” he said.
“[Businesses] should already have a plan, ideally, and have done some groundwork to create that roadmap,” said Monika Kuschewsky, a partner at Squire Patton Boggs’s Brussels office. “Demand has certainly picked up in recent months significantly, but there’s still a lot of companies who haven’t come around and started doing something. They’re still considering if there’s anything they need to do and they’ve been very slow.”
Time to panic? Not according to Elle Todd, head of digital and data at CMS London, who told Internet of Business: “There’s still a year to go and, with some good project planning, it’s all achievable.”
Here’s what that planning should entail. “Having an action plan is the starting point – scoping out the things that need to be done and putting them in order, bearing in mind their logical sequence,” said Todd. “You have to create a project plan for it, looking at the different business functions – the actions HR will need to take, the actions marketing will need to take, a series of projects with very clear actions.”
Businesses in the IoT field “need to get a sense of what data it is they’re collecting and start thinking about privacy by design, and what they can do with existing devices that have all these sensors, because it may be difficult to change them to make them GDPR-compliant,” said Kuschewsky. “In some cases, highly complex technical arrangements may need to be configured or put in place.”
According to Härting, companies in the sector should start with a risk assessment, as “typically the collection of data from connected devices will be considered as a high-risk way of data processing, and for such high risk the GDPR requires a risk assessment”.
Finalised guidelines still pending
However, this is one of several areas where businesses preparing for the GDPR have a problem: the Article 29 Working Party, the body through which EU data protection authorities try to harmonize their approaches, is yet to issue finalised guidelines on several aspects of GDPR compliance, including what impact assessments should look like. Some national authorities have issued preliminary guidance, and the working party has put a draft out for comment, but businesses can’t yet be entirely sure what it is they’re supposed to do.
“Even existing guidance leaves a lot of grey areas,” said Kuschewsky. “It gives some flexibility, but businesses also want legal certainty.” Assessments aside, the regulators also still need to issue finalised guidelines on certification, and on notice and consent – although, as Härting pointed out, with the IoT “getting valid consent is in many cases difficult, so the advice is anyway not to rely on consent, but to ensure there is either a contract or legitimate [business] interest to support you” as the legal basis for data processing.
Another wildcard awaits
The other big wildcard is the EU’s new ePrivacy (PEC) Regulation, which is still wending its way through the legislative process, but is also supposed to come into force alongside the GDPR, with the same level of fines. This regulation is about electronic communications and, as Todd pointed out, it “specifically calls out machine-to-machine” communications.
“The GDPR doesn’t give a complete picture of everything you need,” Todd warned. “[PEC] includes detail around direct marketing consent, so you couldn’t come up with a complete plan for the GDPR, regarding marketing, if you don’t have PEC. Regarding IoT, there are provisions around the confidentiality of communications and the use of metadata that we don’t have a full picture of. We have the draft… but we don’t have a definitive answer about when we will get that, and whether it will definitively come into force on 25 May 2018 as well.”