The European Union is a huge market for any online data providers and managers – the market itself is giant, and to many, represents a market with evolving value. Unfortunately, while many see the value of this market and rush to be part of it, they often miss the fact that there are legal concerns as to their interaction. Chief of these is the different way that the European Union handles privacy; this method is so different from the Americas, in fact, that they bear discussion here.
Today, we’re going to talk about one of those differences, the EU General Data Protection Regulation (GDPR). We’ll look at what it actually is, what it does, and why it’s important for businesses to understand and implement. We’ll talk about the punitive measures applied to those who don’t follow the GDPR, and how to avoid these measures in general.
What is the GDPR?
The General Data Protection Regulation, often referred to as GDPR, is a regulation considered and largely ratified by the European Parliament, the Council of the European Union, and the European Commission. It was undertaken as part of a renewed effort to address inadequacies in older EU regulations concerning privacy, with a specific focus on the digital space.
The GDPR takes major steps to not only bolstering the private rights on individuals to their data generation, use, and storage, but to simplify the business regulations for international businesses operating within the EU.
The GDPR is replacing a 1995 regulation called the Data Protection Directive, known officially as Directive 95/46/EC.
What Does it Do?
The GDPR does a few notable things, but in general, the goal of the regulation is as follows.
“One Stop Shop”
All member states of the European Union are covered under the GDPR, and all agree to the specific regulatory limitations, penalties, controls, and authorities. This was meant to simplify the international business impact of such regulations, as previous efforts resulted in an overly confusing and often limiting ecosystem for business.
Of note here is that all members of the EU being covered by the regulation means that any business, whether done in the smallest state or in the largest state, is governed by the regulation in the same way and with the same regulatory ethos.
Under the GDPR, data can only be collected with the expressed consent of the data originator. Data collection, movement, storage, and destruction must be within the purview of given consent from the data originator, and failing to do so is punishable by full regulatory punitive measurements.
The thing to keep in mind about this section is that it doesn’t divide “knowing data generation” from “unknowing data generation”. Businesses that generate data may not always know they are doing so, such as when they collect private details during bug reporting – regardless, this data is still covered under the GDPR for EU citizens, and thus this must be taken into consideration during development.
Under the GDPR, data must be pseudo-anonymized – this means that data should be anonymized in such a fashion that it cannot be traced back to an individual without additional information, typically for policing or governmental uses. This helps to ensure privacy for the user while maintaining the ability of law enforcement to prevent and stop international crime.
This can take any number of forms, of course, but the prime objective remains the same, and is a serious consideration for how your data systems must operate. This is not to mean all data must be anonymous – obviously you need to be able to find data within the system and mark it for deletion or review – but private data should be hashed, encrypted, and secured.
Punitive Measures for Non-Compliance
Non-compliance for an organization doing business in the EU is steep. Failing to adhere to these regulations means the following punitive measures can be applied:
- A written warning is first issued to the offending organization;
- After further non-compliance, data privacy audits may commence, and will routinely commence for a given time;
- Further non-compliance will result in a fine of 20 Million Euros or 2% of worldwide monetary turnover, whichever is larger;
- Final non-compliance will result in a fine of 40 Million Euros or 4% of worldwide monetary turnover, whichever is larger. Further non-compliance can result in exclusion from the market.
The Right to Erasure
Perhaps the most important element of the GDPR, and the one we are focusing on today, is the “Right to Erasure”. This right replaces the older “Right to be Forgotten” with a more powerful system of personal data management and erasure. Article 17 of the regulation allows the subject of the data collected to request erasure of said data on a wide range of legal justifications, and overrides any legitimate usage for the data by the data controller currently in possession of said data.
This is obviously of great importance for data managers, as ensuring the ability to mark and securely delete data is going to be key to the Right to Erasure – and with such huge punitive measures backing the regulation, making sure you get it right the first time is a huge concern.
Secure Data Deletion
When it comes to erasure of data, the EU regulations make it very clear that the data needs to be irrevocably erased when requested for legitimate reasons, as long as there are no legal requirements to keep the data. Accordingly, ensuring a complete data destruction process is hugely important.
First and foremost, it must be noted – simply “deleting” data is not enough. When data is deleted, more often than not it is simply unindexed from the server or operating system, and marked for overwriting. This doesn’t actually delete data, and in fact is a measure that can be punished under the GDPR.
Instead, data needs to be securely overwritten using industry standard data deletion techniques. A solution like ClaraWipe can help in this regard. When data is isolated on a disk, overwriting it is simply a matter of choosing the material to be handled, and then choosing the destruction pattern. Clarabyte supports all of the industry standard data deletion patterns, and even allows for custom patterns to be used in the process.
Once the data is marked, it is securely overwritten with the pattern selected over several passes. Once these passes are completed, an auditing report is generated for legal compliance purposes, and the data is verified as destroyed.
Of note is the fact that ClaraWipe does not only match standards for the EU, but for all major international standards, including:
- Sarbanes-Oxley Act (SOx)
- HIPAA & HITECH
- The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
- US Department of Defense 5220.22-M
- CSEC ITSG-06
- Payment Card Industry Data Security Standard (PCI DSS)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- EU data protection directive of 1995
This means that ClaraWipe can be used for truly international data management, as it matches both EU and US regulations. This is hugely important – not every business is going to be working in only a single market, and as cross-market solutions become more commonplace, these types of all-in-one solutions are going to be worth their weight in gold.