GDPR Mastered: Preparing for history’s biggest data privacy revolution
As Europe and the world prepare for the introduction of the new General Data Protection Regulation in May 2018, João Marques Lima talks to Sheila FitzPatrick, Attorney, data privacy expert and Chief Privacy Officer at NetApp.
Have businesses been left out of the GDPR discussion?
SF: Absolutely. There is a lot of miscommunication. Companies are trying to sell tools and technology to solve the GDPR problem and that is naturally a misunderstanding, because first and foremost, GDPR is a legal compliance issue.
If you do not have a solid data privacy compliance framework in place, the tools and technology are not going to help you. The same thing happens if you do not have the right policies and procedures in place, if you do not have binding corporate rules and model contractual clauses.
If you do not have explicit consent or data privacy agreements or contractual agreements, how good are the tools and the technology?
Tools and technology are going to be extremely important, they help you maintain ongoing compliance with GDPR but they are not going to help you obtain compliance.
There is a subtle difference between obtaining the compliance and maintaining the compliance.
From a data centre operator’s perspective, how is GDPR going to work?
SF: Under GDPR there is going to be more accountability and liability on the part of data processors, and also on cloud providers, which are defined as data processors. What is going to happen is that there has to be a tremendous amount of transparency from cloud providers, which currently does not always exist, and not only on where the data centre is. It is very easy to say that by putting the data centre in Germany we will comply with GDPR and you can keep your data in Germany.
That is not necessarily 100% true: the main data centre may very well be in Germany, but where is that data backed up and replicated?
If the cloud provider uses a third-party provider to support their environment, where are they located? They might not necessarily be in the same jurisdiction, which means that by default your data is already leaving the country where the data centre exists, and there are more questions to ask around ‘how does your cloud provider comply with data privacy laws?’
This is where there are a lot of holes, because when you push back and say ‘how do you comply with GDPR?’ they default to Privacy Shield. But Privacy Shield is going to be invalidated, it does not meet the requirements from GDPR.
What should companies do in that situation?
SF: Companies really need to look at their risk profile from a privacy perspective: do you want to put your data in a public environment; could it harm you if that data is exposed; what happens if there is a data privacy violation on the part of your cloud provider; are you as a customer going to have full liability because you could not negotiate the terms with your provider, which is currently the case?
Negotiating privacy terms is extremely difficult. You ask a privacy question, you will normally get a security answer.
What should companies take into consideration when writing explicit consent terms once GDPR comes into force?
SF: That is going to have to change under GDPR, because one of the requirements is clear: freely given, explicit and unambiguous consent. And the consent language has to be easy to read.
It has to be very clear about what data you are collecting, how you are using that data, where it is going to be stored, how you are going to maintain it, and who is going to have access to it. In addition, you cannot write a consent that is very small in print and too long.
No one is going to read three pages. It has to be very precise and very digestible and very simplistic so that people clearly understand what they are signing up for.
If the consent is too ambiguous, too long, too generic, and it gets challenged in court, the complainers will lose, because the court will say “there is no way an individual knew what they agreed to, because you did not write a consent that was digestible and readable”.
Are GDPR sanctions enough to deter companies and make them change their behaviour?
SF: It has already got their attention. It certainly is the one area where C-level executives are starting to pay attention. Four percent of global annual revenue is pretty substantial and will put some companies out of business.
It will still be those large multinational organisations whose entire business relies on data that will try to push back, and in their heads they might think: there is no way we will be fined this.
However, what is going to happen is that the data protection authority is going to look for that first case, and that first case that they find, that first company that they can actually hold accountable and sanction, will become the poster child to get companies to rethink their position. They cannot be arrogant any longer.