International business comes with a huge range of benefits, drawbacks, and caveats. A major caveat is the difference between data privacy regulation in the European Union and the United States. While many consider the EU laws to be just that - laws applicable only within the EU - companies who do business with clients or customers in the European Union are required to comply just the same as any EU citizen or business.
Accordingly, understanding these diverse laws is important to maintaining data compliance and legality. Adopted in 2016, the General Data Protection Regulation is a new data protection standard that will be enforceable starting in May of 2018. Building upon previous data privacy regulations, this legislation has a huge impact on businesses operating in the European Union, changing some major points of consideration and superseding previous regulation.
Today, we’re going to look at these laws, and how they apply to data collection, management, and ultimately, data destruction. Keep in mind, we are not lawyers, so nothing said here should be construed as legal advice.
Why You Should Care
Before we jump into the nitty gritty, one point needs to be made: it doesn’t matter whether your business operates in the EU, only whether your customers do. According to the regulation, a data subject, i.e. the customer, residing in the EU has EU protections regardless of where the corporation is based.
Because of this, it’s vital to understand that you must comply with this regulation regardless of where the data request originated, and that, especially if you are based in the United States, you are held to EU laws by trade agreements between your country and the EU.
Scope of Data
When we talk about data, it helps to understand what we’re really talking about specifically. Under EU regulations as proposed for the General Data Protection Regulation, data is considered “any information relating to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”.
Therefore, when we consider data creation, management, and destruction, we need to keep in mind what we’re actually talking about handling - it can be something as simple as someone’s IP address or as complex as their banking information.
Responsibility and Accountability
Now that we understand the scope, we can get into the real meat of the legislation. Under EU regulations, compliant organizations must not only limit their data collection to the relevant data whose collection the subject has authorized and consented to; they must also communicate the retention period for that data, as well as the party responsible for it.
What this means is that, unlike certain other regions which allow data to be retained indefinitely for certain purposes after consent, data collection has an “expiration date”. While this is a hassle in some ways, it’s freeing in others, as a data plan with a set data expiration allows for better planning of hard disk space requirements and expectations.
Of note is that, under the new accountability regulations, businesses must set their data security to high levels, and consistently audit core operations that utilize this data. This makes processes such as data collection and even data destruction much more important to audit, as latent “forensic data” that is often left behind from improper destruction absolutely violates this clause.
The Right to Erasure and Data Portability
There are even more complications to be found when we start talking about data portability. Under these regulations, any subject has the right to request that their data be erased from systems. A related consideration is data portability, wherein the subject has the right to request that their data be moved from one processing system to another without the data controller, or the assigned person handling the data, stopping them.
This comes with several obvious problems, notably securing the data itself and any forensic remnants of it, and establishing automated systems for secure data transfer. These aren’t small issues, either. They may be simple items to comply with, but they are easily missed: retaining information that was copied into another process, not enforcing cascading delete rules in the database, and so on. Each miss can result in high costs, and the sanctions add up quickly.
The Cost of Non-Compliance
These small violations can quickly become larger, too - under this regulation, sanctions of up to 20 Million EUR or up to 4% of the annual turnover for the following year (whatever is greater between the two is the applied sanction) can be applied to repeat and egregious violations.
While there are smaller sanctions, specifically warnings in the case of unintentional non-compliance, knowing these rules and choosing not to comply is extremely costly.
This ignores the very real and tangible costs of lawsuits as well. Violating these EU regulations comes with its own sanctions, but it also opens the door to civil losses due to negligence, scaling with the subject’s monetary loss, plus the resulting cost of ensuring compliance going forward through training and remediation.
Finally, there is the very real consideration of your client base as well. How are clients going to respond to knowing that you are not compliant with the very laws they are expected to live under? How will a client feel if you have to let them know you not only collected more information than you should have, but that the information collected has been lost due to a data intrusion, and their private data is no longer private?
From an ethical, legal, and economic perspective, adhering to these rules is of vital importance.
What Can We Do?
With so much at stake, what specifically can be done to ensure compliance with these new regulations?
Much of this regulation is actually common sense. From a moral standpoint you should probably tell customers before you collect their data, so it makes sense to alert them to the data collection. Being responsible for large amounts of data makes you a big target, so securing servers from intrusion and breaches is part and parcel of doing business.
The big weak point is really in data collection and destruction. Every other process, approach, or method is an indirect threat or failure - data collection and destruction are direct, controllable actions, and accordingly where the majority of violations are likely to occur.
Keeping that in mind, here are some things you can do right now to ensure best practices and compliance:
* Implement a proper data management plan. Note when data is collected, why it is collected, and for how long the data is retained. Then, alert your consumers to the data collection through direct notice (e.g. a static notice at the bottom of a webpage or a splash on a purchase screen);
* Use a secure, legally compliant solution to wipe data. ClaraWipe is a great solution, as it adheres not only to the EU data protection directive of 1995, upon which current regulations are based, but also to industry specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Personal Information Protection and Electronic Documents Act (PIPEDA).
* Audit your server security. Secure servers are not only better in terms of ensuring compliance, they’re better in terms of ensuring data protection for corporations and companies. This should be something you’re already doing.
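The retention “expiration date” and the cascading-delete point above are the two places where a data management plan turns into code. The following Python example is added here to illustrate them; it is not part of the original article or any ClaraWipe product. It assumes a hypothetical two-table SQLite inventory (subjects with a recorded purpose and retention period, plus dependent order rows holding an IP address), purges subjects whose retention period has elapsed, erases a single subject on request, and shows why the cascade must be explicitly enforced: SQLite does not enforce foreign keys unless `PRAGMA foreign_keys = ON` is set, so without it a deletion leaves orphaned personal data behind.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical inventory schema (constructed for this example).
# Each subject row records why the data was collected and for how long
# it may be kept; dependent rows cascade when the subject is deleted.
SCHEMA = """
CREATE TABLE subjects (
    id             INTEGER PRIMARY KEY,
    email          TEXT    NOT NULL,
    purpose        TEXT    NOT NULL,  -- why the data was collected
    collected_at   TEXT    NOT NULL,  -- ISO-8601 UTC timestamp
    retention_days INTEGER NOT NULL   -- how long it may be retained
);
CREATE TABLE orders (
    id         INTEGER PRIMARY KEY,
    subject_id INTEGER NOT NULL REFERENCES subjects(id) ON DELETE CASCADE,
    ip_address TEXT    NOT NULL       -- an IP address counts as personal data
);
"""


def open_db(enforce_foreign_keys=True):
    """Create an in-memory inventory. SQLite ignores ON DELETE CASCADE
    unless foreign-key enforcement is switched on per connection."""
    conn = sqlite3.connect(":memory:")
    if enforce_foreign_keys:
        conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def load_sample(conn, now):
    """Insert constructed sample data relative to `now` (an aware UTC datetime)."""
    subjects = [
        # id, email, purpose, collected_at, retention_days
        (1, "a@example.invalid", "order fulfilment", now - timedelta(days=400), 365),  # expired
        (2, "b@example.invalid", "order fulfilment", now - timedelta(days=10), 365),   # live
        (3, "c@example.invalid", "newsletter", now - timedelta(days=100), 30),         # expired
    ]
    conn.executemany(
        "INSERT INTO subjects VALUES (?, ?, ?, ?, ?)",
        [(i, e, p, t.isoformat(), r) for i, e, p, t, r in subjects],
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(10, 1, "192.0.2.10"), (11, 1, "192.0.2.11"),
         (12, 2, "192.0.2.12"), (13, 3, "192.0.2.13")],
    )
    conn.commit()


def purge_expired(conn, now):
    """Delete every subject whose retention period has elapsed.
    Returns the number of subjects removed; dependent rows cascade."""
    expired = [
        sid for sid, collected_at, days in
        conn.execute("SELECT id, collected_at, retention_days FROM subjects")
        if datetime.fromisoformat(collected_at) + timedelta(days=days) <= now
    ]
    conn.executemany("DELETE FROM subjects WHERE id = ?", [(s,) for s in expired])
    conn.commit()
    return len(expired)


def erase_subject(conn, subject_id):
    """Honour a right-to-erasure request for one subject. Returns rows deleted
    from the subjects table (dependent rows cascade)."""
    cur = conn.execute("DELETE FROM subjects WHERE id = ?", (subject_id,))
    conn.commit()
    return cur.rowcount


def count_rows(conn):
    """Row counts per table, used to verify that nothing was left behind."""
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
            for t in ("subjects", "orders")}


def orphaned_orders(conn):
    """Order rows whose subject no longer exists: residual personal data."""
    return conn.execute(
        "SELECT COUNT(*) FROM orders o LEFT JOIN subjects s ON s.id = o.subject_id "
        "WHERE s.id IS NULL").fetchone()[0]


def orphans_without_enforcement(now):
    """Demonstrate the failure mode: same schema, foreign keys not enforced,
    so erasing subject 1 leaves its two order rows (and IP addresses) behind."""
    conn = open_db(enforce_foreign_keys=False)
    load_sample(conn, now)
    erase_subject(conn, 1)
    return orphaned_orders(conn)


if __name__ == "__main__":
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    db = open_db()
    load_sample(db, now)
    print("before:", count_rows(db))
    print("purged:", purge_expired(db, now), "->", count_rows(db))
    print("erased subject 2:", erase_subject(db, 2), "->", count_rows(db))
    print("orphans when cascade is not enforced:", orphans_without_enforcement(now))
```

The point to take from the last function is the audit check: after any purge or erasure, query for dependent rows whose parent is gone. A count above zero means the “expired” or “erased” data still exists in another table, which is exactly the kind of residue the accountability clause penalizes.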