GDPR: Plenty of Nagging Questions Remain
The European Union's General Data Protection Regulation is not limited to European companies and will affect almost any organization that collects the personal data of EU data subjects -- citizens and residents alike.
- By Mike Schiff
- June 25, 2018
The European Union's (EU) General Data Protection Regulation (GDPR) became effective on May 25 of this year. It regulates the processing, collection, and retention of customer and employee personal data. The regulations define personal data as
any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Among the GDPR regulations are requirements for data privacy and anonymization, data breach notification within 72 hours of discovery, and the employment of a data protection officer (DPO) if certain types of sensitive data ("special categories of sensitive data" such as those relating to a data subject's religious beliefs, political opinions, sexual orientation, union membership) are collected and processed. The GDPR includes rights, such as the right for people to have their data purged and content about them deleted (also known as "the right to be forgotten"). Individuals can request that an organization not use their data for purposes other than for the reason it was originally collected and can view (and possibly correct) personal data an organization collects about them.
There has been much speculation as to whether non-EU countries would adopt the GDPR or use it as a template for their own data privacy regulations. I believe that some variant will, but not all organizations support it. Bloomberg reported that IBM sent executives to Washington, DC to lobby members of Congress not to adopt the GDPR but to create a new, possibly voluntary, data privacy framework "tailored to America's needs." Perhaps it lost sight of the fact that IBM stands for International Business Machines.
Lots of Questions
As data warehouse practitioners, we need to understand GDPR and its ramifications relative to what data we can collect and store as well as the rights of the individuals whose data we collect. We need to reexamine what data we collect and retain about individuals to ensure that it is relevant to our organizations' needs.
For example, after an order is fulfilled, can a customer's order details be stored in a data warehouse so that it can be used for targeted marketing and sales analyses efforts without first obtaining the customer's permission?
Because GDPR is new, companies need to monitor how the GDPR is enforced and what precedents are being set. For example, how is compliance being determined for in-house and cloud-based data warehouses? Is password protection enough or must the data also be encrypted? If so, are there specific encryption standards that must be employed?
Can employees demand that their data be deleted when they leave the company or can an organization successfully argue that it needs to retain this data in case a former employee reapplies for a job? If your payroll system deducts union dues from its unionized employees, is this considered sensitive data and thus requires the organization to have a data protection officer?
It should be noted that although the regulation applies to European data subjects, I could not find a definitive definition of who is (or isn't) a data subject. Although it is probably safe to assume that it would include both EU citizens and residents, would it also include an American citizen vacationing in Paris? If not formally clarified, concerns like this will likely be resolved by how the regulation is administered and enforced.
Although it was formulated to protect the data rights of European data subjects, the GDPR applies to virtually all organizations that collect this data and thus it likely affects us all. Furthermore, given the almost daily announcements of data breaches and the monetization of our social media data, we should anticipate similar legislature from nations outside the EU (if not immediately, perhaps after the U.S. midterm elections) better protecting an individual's data rights and likely influencing what personal data we collect and how it is retained.
While we await further clarification of these and other points we should closely monitor how the GDPR is being applied and enforced.
I recommend that enterprises consider taking pro-active steps such as updating privacy statements about how consumer data it collects may be used and even seek positive confirmation to use the data for analytics.
I would also recommend that organizations seek legal guidance about any post-sale-fulfillment customer data they plan to retain.
Try to ascertain if your organization will require a data protection officer and, if so, start planning how to train a current employee, or hire and fund a new one, to meet this requirement.
Organizations should also undertake a personal data inventory study to determine what data, and in which files, they store customer and employee data. In the event they request that their data be deleted or transferred, you will need to know where the data is to comply.
Most of all, assume that the GDPR-like regulations will be implemented in non-EU countries. If they don't currently apply to your organization, they most likely eventually will!