Since GDPR is a hot subject in and around Civitta, we decided to talk to Veronika & Ana Maria, our GDPR go-to employees. Here are the best bits from the discussion:
1. What is GDPR and why is it important?
GDPR (General Data Protection Regulation) may seem like just another EU regulation, but it is much more than that. The rise of the internet and digital solutions is radically changing business models and opportunities. This is a new era, where data has become the "new oil". GDPR gives a firm framework on how to use this regulation to its advantage. If accessed properly, GDPR can be a change of an era.
Although laws governing the use of personal data have been in force in the European Union for over 20 years, GDPR unified this set of rules and made them directly binding for all entities. This applies to entities of any size, within and outside the European Union, and it now enforces penalty fees for violations.
In order to understand the importance of GDPR, one should acknowledge the dangers of personal data misuse. These include: discrimination of individuals in recruitment matters, access to services based on profiling analytics, manipulation of choices and behavior ranging from online purchases to political preferences, building a disadvantageous digital identity, and risks of disclosure, including mass data leakages. GDPR aims not only to limit excessive use of personal data and to regulate handling of that data, but also to enhance and enforce the rights of individuals to request transparency and proper use of their data.
2. How will GDPR affect me?
GDPR ensures users' data rights and provides clear and lawful methods to enforce them.
The way GDPR requires companies to work will make you, as a user, more informed and conscious about how your personal data is used by other companies. This will challenge their compliance and enforce GDPR. Here are some tips for you:
- You have the right to be informed. The company is obliged to explain what data they use, why and how long they are going to store it. You have the right to ask these questions and challenge them.
- You have the right to request a full report from the company, asking which personal data they have about you and requesting to know the purposes and duration of storage, in a portable format.
- You have the right to request your personal data to be removed. Be aware, however, that the companies have the right to store your data, and they will only delete what they can and in places where your interests override their interests.
- If you have any doubt whether the company processes your data lawfully, you can request restriction of processing for the time of investigation. There are types of processing which can only happen with your consent, and the company must inform you about all such cases.
GDPR prevents companies from misusing your data without your knowledge.
There is a popular reaction to privacy regulations: “I have nothing to hide, I am a simple, normal, law-abiding person, and I don’t mind if a company uses my personal data”. However, it is important to know that your information helps in the creation of big data through analysis of your personal customer behavior. For example, the information being shown to you will be based on the information the company has about you rather than on your wishes and search preferences. These risks increase as we look into areas such as health data and political behavior.
Picture below: Ana Maria & Veronika
3. Do I need to change the way I work because of GDPR?
In short, yes.
- GDPR is about the mindset change, and you should start with defining and thinking about your attitude about personal data. Data is a resource owned by a data subject and provided to you in return for services you provide. Personal data never becomes your property; you can't use it freely, store it in places you want, and share it with friends. The reason why it was shared with you is clear. You shouldn’t violate the trust of data subjects by using it after the initial need expires. In other words, don't store sensitive, customer-level data on your private storage device unnecessarily.
- Every time you receive datasets from the client, you need to know that the more personal data you receive, the higher the privacy risk of a data breach.
While it is a responsibility of the client to be considerate when sharing personal information, it is our duty to warn them and help minimize privacy information risks.
- Don’t keep any personal data which is not needed for the performance of a project/task.
- Expect data processing instructions from the client and be prepared to comply with them. The client can provide you with guidelines on how the data should be processed. You are free to negotiate the data processing guidelines provided by a client, but you must follow the agreed ones. Very soon it will become a normal practice.
- The general responsibility of the employees is to ensure confidentiality of data. If you are not sure how to comply with GDPR in your case, you had better consult your managers, or inform them immediately if you suspect you might have violated the regulation.
4. Tell us about your experience in dealing with GDPR and what it is like to work on a project like that?
Dealing with GDPR, and compliance-related projects in general, is different from typical management consulting projects. It is a regulatory implementation project - the result of the project is predefined by the regulatory framework, but the interpretation and ways to achieve compliance can be different. The main difference is the level of responsibility for the result, which will be estimated not by the client directly, but by controlling authorities.
GDPR is very broad and comprehensive and it touches upon the very essence of the business. Full implementation of the regulation involves adjusting business operations and internal procedures, internal and external communication, IT and security. In Danske Bank's case the GDPR implementation has already taken around 2 years and involved more than 20 sub-projects, with over 600 people working on it.
If GDPR affects organizational and operational functions, it requires careful planning to balance compliance with operational needs, not to interfere with daily work, to match organizational structure and not to create a lot of noise in external communication.
5. What can Civitta offer to its clients in GDPR field?
Compliance projects consist of three standard stages: compliance audit (status quo or as-is situation), strategy for achieving compliance, and actual implementation. Civitta has the needed expertise to assist clients in each of these stages.
Our advantage is that we can make GDPR implementation a more business-oriented experience overall. This means that, besides legal and IT requirements, we know how to make sure the implementation is smooth, that solutions are agile and paired to other business priorities and considerations. In other words - what we offer is to use GDPR as a trigger to improve and optimize business operations and increase awareness of the business of their own processes and gain more control.
6. How many hours have you spent thinking about this topic?
Ana-Maria has been working with privacy laws for over 3 years, which makes it ~3 k hours in total. Veronika started working on GDPR 1.5 years ago, in a project that was disguised as “solemnly process mapping”. In general, it has become our daily focus; we even use GDPR terms in our casual conversations.
We say that everyone becomes “GDPR-mature” the first time they become suspicious: “why should I fill in my mother’s birth date to register on a website?” It should stay in the back of your mind every time you share your personal details with anyone, especially in the online environment.
7. Are there any other major regulations coming after GDPR?
At the same time as GDPR, the EU Directive on Data Protection Law Enforcement was adopted. This sets out citizens' fundamental right to data protection whenever personal data is used by criminal law enforcement authorities. It came into force in May 2018.
More interesting for the business is the upcoming E-privacy Regulation, which complements GDPR and refers specifically to electronic communication. This Regulation also covers non-personal data, which leads us to expect an even bigger impact. It will introduce stronger rules (e.g. explicit rules for metadata) but will also provide new business opportunities (more possibilities for the use of data in case of consent) and simpler rules regarding ‘cookies’.
8. Your opinion on recent FB/other data privacy scandals?
The scandals that we get to know about are only the tip of the iceberg. Most of us are probably not even aware of all the unveiled data breaches, for example, those tens of big breaches unveiled over 2017 alone.
There is one big advantage in the leakage of such breaches: it proves that the threats behind the misuse of personal data are real and severe and not some paranoiac assumptions of the privacy lobbyists. Therefore, these scandals demonstrate the need for such regulations as GDPR. They should also lead us, as individuals, to be much more cautious about how we share our data.
Regarding sanctioning of lawbreakers, it could be argued that they are not let off the hook that easily. There have been several court cases in the European courts (Germany, France, Belgium), even under the previous Data Protection Directive and national legislation, against actors like Facebook and Google, issuing fines and requiring adjustments of data handling practices. We can expect that under GDPR these kinds of penalties will harden, for the benefit of the user.