Deloitte speaks on six months after GDPR was enforced
The European Union’s (EU) General Data Protection Regulation (GDPR) is considered one of the most comprehensive privacy laws drafted over the last two decades, and its extraterritorial reach beyond the EU is making it one of the most discussed regulations around the world.
Like most global organisations offering goods and services to EU-based customers, Sri Lankan organisations offering similar services would need to prepare for the GDPR if they access or process personal data of EU customers or data subjects.
Being a sector-neutral law, quite a few organisations are considering the GDPR as a benchmark for establishing their privacy and data protection framework, even if they aren’t processing personal data of EU-based customers and don’t need to be GDPR-ready.
The EU announced the adoption of the GDPR in 2016 and provided two-plus years for organisations around the world to become GDPR-ready. It has been a month since the GDPR came into force, effective May 25, 2018; let’s look at the most prominent aspects of this post-GDPR enforcement regime:
For customers
Most customers experienced (or probably are still experiencing) a huge influx of emails from their goods and service providers. These emails were largely intended to inform customers about updated privacy notices and to refresh their consent. As one of the means of ‘lawfulness of processing’ personal data, the GDPR mandates the collection of explicit (not implicit) consent, which must be specific, informed, unambiguous, freely given, genuine, purpose-limited and withdrawable at any point in time.
However, the question is how many customers are really reading and understanding the updated notices and the need for re-consent.
For organisations
The majority of organisations updated their privacy notices to adhere to the GDPR requirements. A privacy notice is a good channel for organisations to notify consumers, employees, vendors, suppliers, etc. about details such as the personal data being collected, how it is shared and how it is used by the organisation.
Organisations that didn’t prepare and are now prioritizing their efforts to be GDPR-ready, as well as those that designed a framework to protect data as per the GDPR, are working to operationalize it. We look at the GDPR not as a one-time effort or a tick in the box; it requires long-term sustenance. As extended teams and vendors play an important part in the operating ecosystem, organisations are continuing their efforts to work on service contract terms.
A lot of discussion continues around minimizing data, i.e. re-examining the entire data lifecycle to assess whether there are any components of personal data (of customers, employees, vendors, business partners) that are collected and/or processed without any legitimate basis and whose further collection and/or processing can be avoided.
Requirements such as 72-hour breach notification, processing data subject rights and cross-border data transfer (outside the EU) continue to be complex and pose challenges to operationalize.
-Breach notification: Organisations will have to notify the supervisory authorities of a personal data breach without undue delay and not later than 72 hours after having become aware of it. The organisation will also have to notify the data subjects if the breach is likely to result in a risk to the rights and freedoms of natural persons.
-Data subject rights: Organisations must process a wide range of data subject rights once data subjects exercise them. These rights are namely the right to consent, the right of access, the right to rectification, the right to erasure (right to be forgotten), the right to restriction of processing, the right to data portability, the right to object, and rights related to automated decision-making including profiling.
-Cross-border data transfer: The cross-border data transfer provisions lay out two conditions for adequate data storage and processing:
1. Data can be allowed to be transferred to countries that provide an adequate level of security as per the adequacy list maintained by the European Data Protection Board (EDPB).
2. It is the responsibility of the controller to foresee the level of protection.
Another critical aspect is a culture of privacy, especially for organisations operating in regions where local privacy laws don’t exist or are weak. To build a privacy culture, organisations are mandating regular privacy training.
To summarize, the efforts put in before May 25 continue in the post-May 25 scenario as well, considering organisations are still to conclude their GDPR readiness journey. Customers may continue to receive notification emails and requests for re-consent. Regarding administrative fines, concrete cases of sanctions and penalties are yet to be heard.