Carol explains why it’s likely you could be affected by GDPR…even if you don’t think you are now or will be later.
There are two reasons that the IBM i community needs to pay attention to the EU’s General Data Protection Regulation, better known as GDPR. This article explores both.
First, GDPR applies only if your business is located in the EU, right? Wrong. The regulation is about the personal data of individuals in the EU; the law speaks of "data subjects" in the Union, so it is not limited to EU citizens. It applies to your organization even if you're not located in the EU but you process personal data of people in the EU, offer them goods or services, or monitor their behavior there. Where the data is stored, inside or outside the EU, makes no difference.
Second, California has just passed a law that looks and smells remarkably like GDPR: AB 375, the California Consumer Privacy Act of 2018. As California goes, so typically goes the rest of the U.S., at least as far as security and privacy laws are concerned.
If you were one of those organizations that knew you were affected by GDPR and had to scramble to meet the May 25, 2018, implementation deadline, or you've noticed the flood of updated privacy notices as you've visited websites or opened apps on your phone, you know that GDPR compliance takes real work.
Maybe you're one of those organizations that's just realizing that you are affected by GDPR, or perhaps your organization does business with residents of California, or you simply want to be prepared. What do you do? Here are the basic requirements of GDPR and the new California law that you should understand and prepare for:
- Find the personal data you're storing. This means any information that can identify an individual, either on its own or in combination with other data you hold. The obvious examples include bank account, driver's license, and passport numbers. Less obvious examples include IP addresses, browsing history, biometric data, and geolocation data. Once you find that data, evaluate whether you actually use it. If you don't, stop collecting it and delete what you hold. Data you no longer keep costs nothing to protect, document, or produce on request, so purging unused personal data saves immense amounts of time and money.
- Once you've identified the personal data you must retain, protect it. In practice that means encrypting it: GDPR (Article 32) explicitly names encryption and pseudonymization as appropriate security measures, breach notification to individuals can be waived when the lost data was unintelligible to the thief, and the California law's private right of action targets data that was not encrypted or redacted. Encryption only helps if the keys are stored and administered separately from the data, so plan key management alongside the encryption itself. Because lost or stolen data can bring huge fines, organizations are also strongly encouraged to layer on further controls: antivirus software, role-based access, securing network ports and services, and "deny by default" access controls, to name a few.
- Again, once you’ve identified the information you’re retaining, be prepared to explain to individuals what information is being retained and what it’s being used for. This is because both laws allow citizens to request this information, and you’re required to provide it.
- If you collect personal data and sell it to a third party, you must tell individuals what is sold and to whom. Under GDPR, consent must be a clear affirmative act, so default or pre-selected checkboxes that automatically opt people in no longer count. The California law instead gives consumers the right to opt out of the sale of their data (and requires opt-in for consumers under 16), so you must provide an easy way to exercise that choice. A buyer of the data cannot contact the individuals on the strength of the seller's permission; consent does not travel with the data, so the buyer needs its own lawful basis. The California law is also explicit that you may not penalize anyone for opting out. In other words, if I opt out of your data-sharing practices, you must provide me the same level of service and pricing as someone who allows their data to be sold or shared.
- Be prepared to handle requests from individuals to be "forgotten," that is, to delete their data and everything you hold about them. The right is not absolute. If you have a legal obligation to retain data (financial transactions often must be kept for seven years, for example), the records covered by that obligation do not have to be deleted. Data you cannot practically remove is another case: many IBM i audit journal entries contain IP addresses, and an individual entry in a journal receiver cannot be edited or deleted, only the whole receiver once it is detached. Document the basis for keeping such data rather than relying on infeasibility alone: GDPR's recitals recognize network and information security as a legitimate interest, and the California law expressly allows retaining data that is used to detect security incidents. Then make sure old receivers are actually purged when your retention policy says they should be.
- Once personal data is no longer needed for the purpose it was collected for, GDPR requires that it be deleted. This underscores the need for organizations to have, and actually enforce, a data retention policy.
- Another requirement is a security policy that supports these obligations, together with an incident response plan for the case where this data is lost or stolen. Organizations need to plan for far more than lost or stolen private data, but if no incident response plan exists today, this is a good place to start.
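The list above is a procedure: discover identifiers, protect what you keep, and purge or erase on schedule. The following is an added Python example, not code from the original article or from HelpSystems, that works through those three steps on constructed sample records. The retention periods, record categories, sample notes, and the demo key are all assumptions made for illustration; the seven-year financial period follows the article's own example.

```python
"""Added example, not from the original article: a small toolkit for three of the
steps above (finding identifiers in stored text, pseudonymizing what must be kept,
and purging or erasing records against a retention policy). Sample records,
retention periods and the key are constructed for illustration."""
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Patterns for two of the "not-so-obvious" identifiers the article names.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumed retention policy in days per record category (financial follows the
# article's seven-year example; the other two are illustrative values).
RETENTION_DAYS = {"marketing": 365, "financial": 7 * 365, "security_log": 90}


def _is_ip(candidate: str) -> bool:
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def find_identifiers(text: str) -> dict:
    """Step 1: discover personal data held in free text (notes, logs, comment fields)."""
    ips = [m for m in IPV4_RE.findall(text) if _is_ip(m)]
    return {"ip": ips, "email": EMAIL_RE.findall(text)}


def pseudonymize(text: str, key: bytes) -> str:
    """Step 2: replace each identifier with a keyed hash (HMAC-SHA256, truncated).

    Equal inputs give equal tokens, so correlation ("the same address failed
    logon 40 times") still works for security detection, but the raw value is
    no longer stored. Keep the key separate from the data: whoever holds it can
    test a guess against the tokens, which an unkeyed hash would let anyone do.
    """
    def token(label: str, value: str) -> str:
        digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
        return f"{label}:{digest[:16]}"

    text = IPV4_RE.sub(lambda m: token("ip", m.group(0)) if _is_ip(m.group(0)) else m.group(0), text)
    return EMAIL_RE.sub(lambda m: token("email", m.group(0)), text)


def apply_retention(records: list, now: datetime, legal_holds=frozenset()):
    """Step 3a: routine purge by category retention period. Returns (kept, purged)."""
    kept, purged = [], []
    for rec in records:
        too_old = now - rec["created"] > timedelta(days=RETENTION_DAYS[rec["category"]])
        (purged if too_old and rec["id"] not in legal_holds else kept).append(rec)
    return kept, purged


def erase_subject(records: list, subject: str, now: datetime):
    """Step 3b: right-to-be-forgotten request. Returns (remaining, retained_ids).

    Financial records still inside their legal retention period are kept, and
    their ids are reported so the requester can be told why; everything else
    tied to the subject is deleted.
    """
    remaining, retained = [], []
    for rec in records:
        if rec["subject"] != subject:
            remaining.append(rec)
            continue
        legally_required = (rec["category"] == "financial"
                            and now - rec["created"] <= timedelta(days=RETENTION_DAYS["financial"]))
        if legally_required:
            remaining.append(rec)
            retained.append(rec["id"])
    return remaining, retained


# Constructed sample data; the addresses come from documentation ranges.
NOW = datetime(2018, 9, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"id": 1, "category": "marketing", "subject": "ann@example.com",
     "created": NOW - timedelta(days=400), "note": "newsletter signup from 192.0.2.10"},
    {"id": 2, "category": "financial", "subject": "ann@example.com",
     "created": NOW - timedelta(days=30), "note": "invoice 4471 paid"},
    {"id": 3, "category": "security_log", "subject": None,
     "created": NOW - timedelta(days=10), "note": "failed logon for bob@example.com from 198.51.100.7"},
    {"id": 4, "category": "marketing", "subject": "bob@example.com",
     "created": NOW - timedelta(days=20), "note": "opt-in confirmed"},
]
DEMO_KEY = b"demo-key-store-me-somewhere-else"  # assumed; never hardcode a real key

if __name__ == "__main__":
    print(find_identifiers(SAMPLE_RECORDS[2]["note"]))
    print(pseudonymize(SAMPLE_RECORDS[2]["note"], DEMO_KEY))
    kept, purged = apply_retention(SAMPLE_RECORDS, NOW)
    print("purged:", [r["id"] for r in purged])
    remaining, retained = erase_subject(SAMPLE_RECORDS, "ann@example.com", NOW)
    print("remaining:", [r["id"] for r in remaining], "retained on legal basis:", retained)
```

Run as a script, the example finds the IP address and email in the security log line, rewrites them as keyed tokens, purges the one marketing record older than its retention period, and, on an erasure request for one subject, deletes her marketing record while keeping the financial record that is still within its legal retention window. The pseudonymization step is the practical answer to the audit-log problem described above: the log stays useful for detecting repeat failures without carrying the raw address.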
As I said earlier, the California law has the same look and feel as GDPR. Assuming that the amendments proposed before it takes effect don't result in major changes, many organizations will be affected and will need to be in compliance by January 1, 2020. Organizations already in compliance with GDPR will have a substantial head start and comparatively few additional steps under the law in its current form. If you're not in compliance with GDPR, I encourage you to learn from the experiences of organizations that are already compliant. Implementing this type of regulation takes time and effort, and you'll want to plan and budget for it sooner rather than later.
I hope you see the importance of paying attention to both GDPR and its U.S. cousin, California’s Consumer Privacy Act of 2018. I encourage you to take these laws seriously, do research to determine whether your organization is affected, and start the implementation early.
Many thanks to my colleague Donnie MacColl, Director of EMEA Services and resident GDPR expert at HelpSystems, for his contributions to this article.