GRC Tuesdays: Part Two—Big Data Privacy Risks and the Role of the GDPR
In last week’s blog, we discussed the six personal privacy threats and the two parties prompted to take protective action: individuals and companies.
- Individuals can identify the risks that matter to them by asking the following questions:
  - Which data am I making publicly available, and where are the potential threats?
  - Which risks am I able to avoid, and which data do I have no influence over?
  - Do I have any right to claim my data? Where can I make that claim?
- With the new European Union General Data Protection Regulation (GDPR), companies are prompted to take extra efforts to guarantee the data privacy rights of their business partners, such as employees, customers, and vendors. The EU GDPR sets a baseline for future development in global data protection and security:
“The European Commission has finalized the text of the General Data Protection Regulation (GDPR). It is fair to say that this new legislation is the biggest and most impactful change in privacy and data protection regulation in history. This regulation came about after more than four years of deliberations and negotiations and will impact organizations worldwide.”
GDPR – Required Fundamental Changes
Data Protection Officers (DPOs)
- DPOs must be appointed if an organization conducts large-scale systematic monitoring or processes large amounts of sensitive personal data
Accountability: Organizations must prove they are accountable by:
- Establishing a culture of monitoring, reviewing, and assessing data processing procedures
- Minimizing data processing and retention of data
- Building in safeguards to data processing activities
- Documenting data processing policies, procedures, and operations that must be made available to the data protection supervisory authority on request
Privacy Impact Assessments
- Organizations must undertake Privacy Impact Assessments when conducting risky or large-scale processing of personal data
- Consumer consent to process data must be freely given and for specific purposes
- Customers must be informed of their right to withdraw their consent
- Consent must be ‘explicit’ in the case of sensitive personal data or trans-border dataflow
Mandatory Breach Notification
- Organizations must notify the supervisory authority of data breaches ‘without undue delay’ or within 72 hours, unless the breach is unlikely to be a risk to individuals
- If there is a high risk to individuals, those individuals must be informed as well
- The right to be forgotten—the right to ask data controllers to erase all personal data without undue delay in certain circumstances
- The right to data portability—where individuals have provided personal data to a service provider, they can require the provider to ‘port’ the data to another provider, provided this is technically feasible
Privacy by Design
- Organizations should design data protection into the development of business processes and new systems
- Privacy settings are set at a high level by default
Obligations on Processors
- New obligations on data processors — processors become an officially regulated entity
- Data protection responsibility may be split among several controllers
Though the responsibility to protect their data does lie with every individual using internet services (whether online shopping, banking, gaming, or social media), the new EU regulation explicitly requires that companies take a more active role in data protection.
Given these changes, the role and importance of information management and governance in data privacy will be a key success factor for all organizations with EU customers.
SAP solutions are designed to help customers gain visibility and motivate them to take action, and to support control activities with solutions and services that provide protection, availability, resilience, and governance for their most important asset: an individual’s data.