The European Union’s new data protection regulation takes effect in 2018 and will have a bigger impact on European organizations than many might yet be aware of. For those approaching the subject from the right angle, the new rules do not just bring obligations, but also a variety of opportunities.
Since May 2016, the European Union’s new data protection rules (General Data Protection Regulation, GDPR) is in force, establishing a harmonized data protection framework for personal data across the entire European Union and European Economic Area (EEA). The regulation is now being transposed in all EA/EEA member states and will take effect as national law in May 2018. With this comprehensive regulation, the all Europeans are provided with a variety of new rights when it comes to protection and handling of our personal data. For all organizations collecting, processing and storing information, the new law first of all carries a broad range of obligations and new requirements they have to understand and comply with. Failing to keep personal data appropriately secure can result in fines of up to 20 million Euro or 4% of global annual turnover, whichever is greater.
The new regulation aims to strengthen people’s rights in the digital age and to simplify rules for internationally acting businesses by unifying them. After all, the data protection regulation is replacing varied national laws with just one framework that is equally valid in the entire EU/EEA. The ultimate goal is to give everybody more control over our personal data.
How are organizations affected?
The impact of the new regulation on organizations will be manifold and no business will remain unaffected, especially in the light of the ongoing digitalization. Organizations have to understand which of the information they are keeping are impacted by the regulation and how it is handled today, where and why it is kept and how it is protected. It requires understanding and adaption of business rules, business processes, information systems and IT infrastructure. Sounds like a complex and pretty big task to get on top of, and, bad news first, it is for sure not something that is done overnight. But the good news is that now is a good time for getting prepared, and that both methods and tools exist for getting a good grip on the job. Organizations that already have control over the enterprise’s architecture get a head start when it comes to understanding how they should react to changing market dynamics. And businesses that already today are managed with a strong process orientation can gain an advantage when it comes to easier transformation. QualiWare and Qualisoft, having over 20 years of experience as experts in the fields of Business Process Management (BPM) and Enterprise Architecture (EA), already started supporting our first customers in this transition with a structured approach. Such a structured, holistic approach is the perfect starting point for slicing the elephant of what is the new data protection regulation.
What is “personal data” and who is affected?
Understanding what “personal data” is a good thing to start with, and already comes as a surprise to many organizations. The EU defines “personal data” as “any information relating to an identified or identifiable natural person” – both directly and indirectly. Following this wide definition, not only names, addresses, credit card numbers or log in names, but also mailing lists, minutes of meeting, cookies or even photos from the last company picnic fall under this category (everything that makes somebody “personally identifiable”). Some data needs more protection and special rules apply for such sensitive data.
It becomes clear that the new regulation will affect virtually any company that is operating in the EU/EEA, not at least the public sector and those handling sensitive personal data. Most organizations are dealing with more personal data than they know. What you don’t know, you can’t control. It’s about time to get an overview.
What to do now?
It will take some time and resources to get accustomed to the new rules and transform the way of working in order to be compliant, so it is smart to start planning already now. But where to start? An issue that many will face is that it is not yet entirely clear to anybody what the new regulation will actually mean and how it actually will impact businesses. The Norwegian Data Protection Authority (Datatilsynet) is currently working through the 156 pages strong EU law, trying to break it down to practical guidelines and actionable tasks for getting a grip on the situation – but will not be finished with doing so until late 2017, only a few months before the regulation already becomes law. Do not wait that long. Even though you might not yet fully understand what the law will mean for your business and where you will actually need to adapt your policies and processes, there is a lot that you can do already now in order to be prepared. Be proactive rather than reactive. Start with understanding your organization and establish a sound information basis. This means you will need to:
- Get an overview over relevant requirements and where they are affecting your systems and processes
- Get an overview over which information you have today that is affected by the new law. Find out which data you are handling, why you are handling it and how it is used
- Ensure that the organization is compliant with the current law – this is the best possible basis!
The new law will affect organizations on many interrelated levels, from their processes down to the technology they are using internally and for exchanging information with third parties. Get an overview over both the current and the new law and understand where on those levels you are complying today and where your gaps are. After that, map up the information that your organization is using, where you are using it (processes) and where you are storing it (systems and technology). With your first comprehensive overview of how you are using personal data today, it allows you to easily identify requirements for your information and the rationale for handling it. A repository-based tool like QualiWare Lifecycle Manager will make your life a lot easier in these regards, both in terms of uncovering relations and dependencies as well as in terms of collaboration and maintenance.
The information basis that you now established is what you need to start your enterprise transformation journey – identifying gaps and defining necessary actions to close them through adapting your way of working through methods of business process transformation. The job of mapping up requirements against your organization that you did earlier will also help you here.
Establishing these overviews and relations before the new law takes effect in May 2018 will make you well prepared. Make sure you are not just waiting to see what will happen and trying to react as good as you can, but be proactive and gain control over both what you have and what you need to do. It is also a prerequisite for creating proper plans and allocate resources.
Enabling positive change
If you now think that the only answer to the question “Why do I need to do this?” is “Because I have to”, you can be assured that compliance is not the only thing you can gain from this exercise. It is not just a legal obligation; it is also an opportunity. If you approach the topic from the right angle, several benefits can be achieved:
- Internationally operating companies can achieve substantial financial savings through unifying their policies and way of working
- Demonstrating compliance with the new law will build trust of the customer and also promote innovative use of data
- Process-based transformation and management leads to better business performance through a more coherent way of working, consistency in changes and increased consensus amongst employees
- Better alignment of business and technology through a holistic architectural approach, resulting in saved IT cost and a more efficient processes
- A generally improved approach to information security and compliance with international standards such as ISO 27001
Several of our clients have already started dealing with the new regulation and are gaining necessary overview through their management systems. After all, the most important advice for action is to not spend your time waiting. Be proactive, start looking into the new rules and understand where your organization is today. Are you prepared?
- Reform of EU data protection rules
- European Commission fact sheet on the data protection reform