Data has become a valuable resource and currency over the past years. Methods of data processing, profiling and automated decision making are improving constantly, enhancing business processes and customer relations.
From the perspective of the EU, it was just about time to update the old 1995 Data Protection Directive to protect its citizens against data and privacy breaches. Adopting the General Data Protection Regulation (GDPR) after four years of development back in April 2016, the new regulation will be fully enforceable by the May 25, 2018.
Replacing the old directive, the EU for the first time forces its Data Protection framework unto all EU and non-EU companies, institutions as well as third parties which are processing or want to process data from data subjects residing in the EU. In addition to that, fines have been increased up to 4 percent of annual global turnover or 20 million euro for most serious compliance infringements.
Business Impact: Example Japan–EU
Under the given circumstances related to the extra-territorial applicability of the GDPR, Japan’s own Act on the Protection of Personal Information (APPI) released back in May 2017 by the Personal Information Protection Commission (PPC), and the fact that Japan has not been whitelisted yet by the EU Commission according to Adequacy Decision – art. 45, Japanese companies are facing a hardship of changes to reach compliance.
Discussions between the EU Commission and Japan’s PPC are still ongoing with first alignments regarding cross-border data transfer. Yet further differences need to be clarified, especially those related to security breach notification, data protection officer (DPO), and data portability.
Japanese startups in particular will need to take into account that, if they want to offer services to EU citizens residing in the EU, and as such process their personal data, a representative of this company will be required to be located in a country of the EU where the data will be actually processed. This position was defined as necessary to assure direct communication to the local data protection authorities and data subject related inquiries.
In addition to that, art. 37 (Recital 97 – Data Protection Officer) requires that a business holding the data responsibility (controller) and for example their external provider (processer) designate a DPO. This is in Japan still a burden simply because this role has been defined by the APPI as a “person responsible for dealing with personal data” and differs from the GDPR design. However, if the obligation to appoint a DPO depends upon business core activities, and even if a company is not obliged to appoint a DPO, other new strict obligations such as:
- Art. 33 Notification of a personal data breach to the supervisory authority
- Art. 35 Data Protection / Privacy Impact Assessment
- Art. 30 Records of processing activities
- Art. 25 Data Protection by design and by default
would at least require consulting a privacy professional. This is highly recommended, because every article and its recitals of the GDPR such as those mentioned above are leaving space for interpretation. Accordingly, business core obligations need to be identified carefully and their implementation to be supervised.
Moreover, the GDPR is a dynamic framework, which means that further updates and additions such as the upcoming e-Privacy in 2019 can be expected.
Yet besides obligations, the GDPR framework also brings benefits in form of simplification. Examples are:
- Art. 6 Lawfulness of Processing
A simplified overview for determining legal grounds for lawful processing of personal data. In some cases, customer relation possibilities have been simplified as well.
- Art. 46 Cross-Border Data Transfer
Once Japan will be added to the European Commission’s approved list, the Adequacy Decision will be in place and other transfer mechanism like Binding Corporate Rules (BCRs) will not be necessary.
Rethinking Your Business
On first glance, the GDPR might just look like another new regulation with high fines and huge impact on business processes and IT-Infrastructure. But in truth, it is a new milestone in data and privacy protection – and finally a framework dedicated to IT-Architects, IT-Engineers and Developers.
Protection and privacy by design is the key concept of the GDPR, and in the upcoming years the role of DPOs with sufficient IT knowledge will become a business-critical position in case of governance, processes, development and IT infrastructure.
Reputation – Data Ethics
Every advanced technology at the end requires a legal framework. It helps improving user protection and at the same time further improves technology. Commercial aviation for example has become one of the most secure methods of travelling. This is in large part because the legal framework for aviation is so strict – as human life is endangered – that there is no room for mistakes from legal and technical perspective.
Basic personal data in combination with profiling leaves a digital footprint of an individual’s character and behavior. The Internet is our vehicle, services our destination, and our data is the access. Data breaches can endanger a data subject with social environmental impacts. In worst case scenarios, these can cause human casualties. So where is the difference?
GDPR in combination with Data Ethics is then a very good method to improve and maintain business reputation by showing customers that their social environment is precious and should be treated as such.
Competition – Data Protection Quality
Since users are now beginning to get aware of the importance their data, it is just a matter of time when data protection will become a new big thing for advertisement. This is simply because it is a new quality, which businesses should take into consideration to differentiate themselves from competition.
There are many strategic and technical possibilities to improve data protection quality and cost performance during the migration to the GDPR, as well as for the future mode of operation in cases such as of usability, maintenance, and audits.
The GDPR is a first step into the right direction and could be an inspiration for further upcoming frameworks. Since technical improvements are usually faster, investing top-management attention into being compliant with the new regulation is an opportunity for businesses to bring “Privacy and Protection by Design” to the next level.