Much discussion has taken place regarding implementation of the General Data Protection Regulation (GDPR) in the EU since May 25, 2018, when the sanctions for non-compliance went into effect. Just where the boundaries of the GDPR stop remains unclear, and compliance with the regulation presents many challenges. (See GDPR full text.)
Results of a recent survey of over 1,000 organizations conducted in April 2018, by Ponemon, provide the following insight regarding GDPR implementation:
“71% of respondents say that failure to comply with GDPR would have a detrimental impact on their organizations’ ability to conduct business globally and 60% of respondents say it will significantly change workflows regarding the collection, use, and protection of personal information.”
The GDPR poses multiple challenges; in particular, the protections it affords personal information will cause organizations to adjust their information management strategies. One specific section of the GDPR, Article 20, requires “Portability” of data containing personal information.
The European Data Protection Board (EDPB) was created by the GDPR to replace what was formerly called WP29 (the Article 29 Working Party), and it advises the EU Commission on protecting personal data. The WP29 has continued to issue guidelines interpreting GDPR principles as the transition to the EDPB evolves. In April 2017, the WP29 adopted WP242, providing further clarity regarding the definition of data portability under the GDPR.
Further guidance regarding data portability under the GDPR exists in the GDPR Recitals (see GDPR Recitals), which provide information on the EU Commission’s rationale behind the GDPR’s various requirements. Recital 68 directly addresses portability and provides insight into the obligations imposed on business entities. Recital 66 discusses the “Right to Be Forgotten,” which imposes a “purge-ability” requirement that is closely linked to portability. Data Protection Authorities (DPAs) are charged with enforcing the GDPR’s terms and will interpret the meaning of portability based on the guidelines provided by the EU governing bodies. The Information Commissioner’s Office (ICO) has a wide range of authority to enforce the GDPR, along with corrective powers including the ability to impose sanctions.
Portability: What it Is and Why it Matters for GDPR Compliance
Portability applies only where an EU citizen seeking to enforce his or her data protection rights under the GDPR files a “Subject Access Request” (SAR). The rights associated with a SAR are outlined in Article 15 of the GDPR. When an EU citizen files a SAR with an organization, the entity must produce a report regarding data that contains personal information about that individual. If the individual requests a transfer of their personal information, the portability requirement attaches. Portability requires that structured and unstructured data be produced in a readily usable format to any individual requesting their data, or asserting a “Right to Be Forgotten” (see GDPR Recital 66) under the GDPR. However, portability does not apply to all personal data in an organization’s possession.
What is portability and why does it matter? In a basic sense, portability is an organization’s ability to locate, collect and transfer personal data from one organization to an individual, or to another organization, upon request. Organizations must locate, report, produce, and delete personal information in response to a SAR filed by an EU resident. In theory, portability requirements empower individuals, giving them greater control over their personal information and the ability to transfer that information from one provider to another. The GDPR envisions a consumer moving contractual services from one service provider to a competing provider, creating an easier means of transferring, and possibly deleting, the existing personal information that the former business entity possessed about that specific consumer.
The GDPR defines the right of data portability in Article 20 (1):
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided […]”.
WP242, issued by the WP29, states: “Pursuant to Article 20(1) of the GDPR, to be within the scope of the right to data portability, data must be: — personal data about him or her, and — which he or she has provided to a data controller. Article 20(4) also states that compliance with this right shall not negatively impact the rights and freedoms of others.”
Beyond the definition of portability, just what type of information is considered “personal” under the rules of the GDPR? Various GDPR Recitals discuss personal data, giving insight into the definition of the term. In addition, GDPR portability does not apply to all personal data. Data produced by smart devices and “Internet of Things” (IoT) appliances, while possibly subject to a right of access request, is not likely subject to portability requirements.
WP262 provides additional guidance on what types of data would be considered personal while also subject to a portability requirement. The GDPR distinguishes two classifications of data: 1) “Provided by the Subject” and 2) “Observed Data.” Provided-by-subject data consists of information actively and knowingly provided by the data subject (for example, mailing address, username, age, etc.), while “Observed Data” is generated by the data subject’s use of a service or device. Observed Data may, for example, include a person’s search history, traffic data, and location data, and may also include other raw data such as the heartbeat tracked by a wearable smart device. Observed data is less likely to carry a portability obligation in response to a SAR.
Despite the limits on which classes of data are subject to portability requirements, compliance with this aspect of the regulation remains complicated. GDPR compliance requires organizations to know the location and content of their digital assets and electronic records. Organizations must know where their data is located and have the means to search for and retrieve required information in order to meet stringent GDPR requirements. The sanctions imposed for violating GDPR obligations can be severe. To address GDPR compliance, organizations typically implement information governance strategies, or revise existing policies and records management practices, to address the new data protections. Time limits for responding to a SAR are short, with a response time of fewer than 30 days expected by the ICO. The ICO provides for extension requests that allow more time to respond to a SAR, but even with extensions, the timeframes to respond are limited.
Knowledge of data source locations is a key element of GDPR compliance. Without a thorough data map showing where personal information is located throughout its dispersed internal data landscape, a business entity cannot be GDPR compliant. Knowing where the data resides is vital, and jurisdictional issues may restrict access to certain data depending on the geographical location where the data source is physically located. If the ICO investigates a complaint alleged under the GDPR, the locations where personal data might reside will be a component of that inquiry. Data maps and the ability to identify data across various locations are essential elements for satisfying the portability requirement.
Once the organization knows where its digital assets and data stores are located, it needs the ability to search through that information and retrieve whatever relevant data is required. The GDPR imposes a clear need for an organization to find and retrieve personal information in response to a SAR. Organizations also need to manage the consent documents they receive from users pertaining to the use of personal information, indicating acceptance of the terms and conditions attached to specific business transactions. Without the ability to determine which data contains personal information related to a specific individual, GDPR compliance is impossible.
Determining if, and where, personal information is located within an enterprise can be difficult. Organizations have disparate data sources within their enterprise, and many systems do not communicate with other technology used within the environment. Searching through various databases to detect personal information can be a tedious task, requiring the same search to be performed multiple times across several sources. The volumes of data in the possession of a typical mid-sized organization can be substantial, and the cost and time associated with searching through electronically stored information in response to a GDPR request can be significant. While technology poses challenges, it also offers solutions designed to reduce the burdens of GDPR compliance.
Using Technology to Comply: Portability and the GDPR
Having the ability to index information at the file level from one dashboard, across an entire enterprise’s dispersed data landscape is a capability delivered by information governance platforms. Integration of information governance technology with other corporate systems provides an ability to identify personal data, across the entire I.T. landscape, with only one search. “Artificial Intelligence” (AI) and elements of machine learning, coupled with pattern matching software, can help automate the detection of personal information. Once the personal data in response to a SAR is identified, information governance technologies will assist with additional steps required by the portability requirements of GDPR, such as reporting of all personal information; ability to transfer selected data; deletion of data, and redaction.
Various actions may be required when personal information is located, depending on the SAR. A report on what type of personal information is in the organization’s possession might be the only request a citizen is making; information governance software assists in providing detail about files containing personal information. Reports can show information regarding each file’s attributes and what personal information exists in each electronic record. After a report is provided in response to the GDPR request, the individual may request a transfer of all the data containing their personal information as defined by the GDPR.
Data transferred subject to the GDPR must be provided in a readable format to satisfy the portability aspect of the regulations. Many types of electronically stored files readily convert to PDF format and can be transferred in this manner. However, what about files that don’t convert well? There might be a need to provide information in a format other than PDF, especially for spreadsheet files that do not convert well to a page-level format. Email files may also require special handling to be produced in a manner that satisfies portability. Information governance technology can assist with the transfer process and convert file formats to PDF, or other permissible formats, as part of the transfer requested under the SAR. Once the data transfer is complete, audit reports are available that memorialize the steps taken by the organization to comply with the GDPR request.
Certain scenarios raise additional information management challenges under the GDPR, creating further exceptions to the request for personal information and to the portability requirement. When an individual’s personal information appears on a document where another person’s personal information also appears, the organization must still protect that other individual’s privacy rights. Information governance solutions can assist with identifying personal information belonging to individuals who aren’t involved in the specific SAR within documents that also contain data about the subject. Technology can auto-redact personal information belonging to parties not involved in the specific request while leaving the personal information about the requesting party visible.
Simply because a request has been made under the GDPR, the organization is not always required to delete the information. Only in the instance that an EU citizen making a SAR enforces their right to be forgotten does the deletion requirement arise. Where deletion has been requested, information governance platforms can be configured to delete information from other internal systems. The technology used to identify personal information across the enterprise can also manage the deletion process when required. A detailed report regarding the deleted information can be provided to further satisfy the portability requirement and any audit that may arise. Portability and purge-ability compliance can both be accomplished through similar means.
Navigating the directives of the GDPR requires planning, and the stakeholders for the various business units should create, or revise, information governance protocols with a focus on data protection compliance. Plans for how to efficiently and cost-effectively respond to a right to be forgotten request will prove vital toward establishing compliance if an audit arises. As with other GDPR requirements, technology is a key element in demonstrating the ability to comply with the portability obligation. The required tasks become a much easier obligation when proper technologies are in place: search for and locate personal information belonging to one individual; search across all data sources across an enterprise; collect information; produce and transfer information in a readable format; protect the privacy rights of third parties; delete information on request; and report on actions taken in response to a GDPR request.
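The list of tasks above (locate across sources, report, export in a structured machine-readable format, redact third parties, erase on request, and record an audit trail) can be sketched end to end in a few functions. The following Python is an added example, not code from the article or from any information governance product; the two data sources, their field names, the provided/observed tagging and all record values are constructed for illustration, and the redaction relies on a directory of known subject identifiers that a real system would have to maintain.

```python
"""Added example: a minimal Subject Access Request (SAR) workflow covering the
tasks the article lists: locate personal data across several sources, report
it, export it in a machine-readable format, redact third parties, erase on
request, and keep an audit trail. All sources, fields and values are constructed."""
import json
from copy import deepcopy

# Constructed sample sources with different schemas (hypothetical).
SAMPLE_SOURCES = {
    "crm": [
        {"id": 1, "email": "alice@example.test", "name": "Alice Example",
         "postcode": "AB1 2CD", "last_login_ip": "198.51.100.7"},
        {"id": 2, "email": "bob@example.test", "name": "Bob Sample",
         "postcode": "EF3 4GH", "last_login_ip": "198.51.100.9"},
    ],
    "support": [
        {"ticket": "T-100", "requester": "alice@example.test",
         "body": "Alice Example asked bob@example.test to share the invoice."},
        {"ticket": "T-101", "requester": "bob@example.test",
         "body": "Bob Sample cannot log in."},
    ],
}
# "provided" = actively given by the subject (in scope for portability);
# "observed" = generated by use of the service (appears in the access report only).
FIELD_CATEGORY = {"email": "provided", "name": "provided", "postcode": "provided",
                  "requester": "provided", "body": "provided",
                  "last_login_ip": "observed"}


def record_key(rec):
    """Stable identifier for a record regardless of the source's schema."""
    return rec.get("id", rec.get("ticket"))


def subject_directory(sources):
    """Map each known subject's email to the identifiers (email, name) denoting them."""
    return {r["email"]: {r["email"], r["name"]} for r in sources["crm"]}


def locate(sources, subject_ids, audit):
    """Search every source for records containing any identifier of the subject."""
    hits = [(src, rec) for src, recs in sources.items() for rec in recs
            if any(i in str(v) for i in subject_ids for v in rec.values())]
    audit.append({"action": "locate", "hits": len(hits)})
    return hits


def access_report(hits):
    """Article 15 style report: where personal data sits and of what kind."""
    return [{"source": src, "record": record_key(rec),
             "fields": {k: FIELD_CATEGORY[k] for k in rec if k in FIELD_CATEGORY}}
            for src, rec in hits]


def redact_third_parties(text, subject_ids, directory):
    """Mask identifiers of other data subjects so their privacy is preserved."""
    for ids in directory.values():
        for ident in ids - subject_ids:
            text = text.replace(ident, "[REDACTED]")
    return text


def portability_export(hits, subject_ids, directory, audit):
    """Article 20 export: JSON of 'provided' fields only, third parties redacted."""
    out = []
    for src, rec in hits:
        data = {k: redact_third_parties(str(v), subject_ids, directory)
                for k, v in rec.items() if FIELD_CATEGORY.get(k) == "provided"}
        out.append({"source": src, "record": record_key(rec), "data": data})
    audit.append({"action": "export", "records": len(out)})
    return json.dumps(out, indent=2, sort_keys=True)


def erase(sources, hits, audit):
    """Article 17 erasure: remove every located record from its source."""
    for src, rec in hits:
        sources[src].remove(rec)
    audit.append({"action": "erase", "removed": len(hits)})
    return len(hits)


def handle_sar(sources, subject_email, erase_requested=False):
    """Run the full workflow on a copy of the sources and return all artefacts."""
    sources = deepcopy(sources)
    directory = subject_directory(sources)
    subject_ids = directory.get(subject_email, {subject_email})
    audit = [{"action": "sar_received", "subject": subject_email}]
    hits = locate(sources, subject_ids, audit)
    return {"report": access_report(hits),
            "export": portability_export(hits, subject_ids, directory, audit),
            "removed": erase(sources, hits, audit) if erase_requested else 0,
            "remaining": {s: len(r) for s, r in sources.items()},
            "audit": audit}


if __name__ == "__main__":
    res = handle_sar(SAMPLE_SOURCES, "alice@example.test", erase_requested=True)
    print(res["export"])
    print(json.dumps(res["audit"], indent=2))
```

Two design points matter for compliance rather than convenience: the export is JSON, a structured and commonly used machine-readable format, and it carries only fields tagged "provided", mirroring the WP29 distinction the article draws; and redaction is driven by a directory of other subjects' identifiers, so a support ticket that names a second customer reaches the requester with that person's details masked while the requester's own data stays visible. The audit list is the evidence trail an organization would hand to a DPA if the handling of the request were questioned.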
Failure to comply with the GDPR poses a tremendous risk. There are two defined tiers of administrative fines for non-compliance: 1) up to 10 million euros or 2% of global revenue; 2) up to 20 million euros or 4% of annual global revenue. In either instance the fine levied will be the higher of the two figures. Each individual violation brings its own fine. The ICO considers several factors in imposing any fines for GDPR violations; those elements include the organization’s level of prior knowledge of non-compliance and its adherence to industry standard practices for data protection. Despite the risks of non-compliance, many organizations still doubt their own capacity to comply.
“Despite undertaking measures to improve data security and privacy, 38% of global organizations responding to a survey say they are still not compliant with the new general data protection regulation (GDPR) requirements… Harvey Nash and KPMG spoke to 3,958 tech execs for their latest annual CIO survey with the worrying number of respondents saying in April that they expected not to meet the just lapsed May 25 deadline.”
U.S.-based entities are lagging behind their EU counterparts, on average, in terms of compliance. U.S.-based organizations doing business with EU citizens may find themselves subject to a SAR and will be sanctioned if they cannot comply with GDPR regulations. Other privacy regulations and data protection laws on the horizon at the U.S. state level will also further compel a change in how organizations manage their information. An increased need to rely on technology to assist organizations in improving their capabilities to respond to SARs under the GDPR is apparent.
Portability and the associated purge-ability requirements will require organizations to adapt. However, GDPR compliance is possible and the portability requirement is manageable. Since sanctions are already in effect, entities that feel their own internal capabilities to respond to a SAR are inefficient should address data protection with a growing sense of urgency. Due to evolving data protection regulations such as the GDPR, there will likely be an increased number of organizations evaluating technologies to improve their data portability workflow. Worth noting is that organizations need to address budgetary considerations for the adoption of the technologies they are evaluating, and the evaluation period for adopting a new technology can be lengthy. Organizations faced with a larger number of SARs than anticipated may find they need to escalate the priority of adopting new technologies to assist with GDPR compliance.
As the challenges posed by new data formats and the development of new technologies continue to increase, it is evident that GDPR compliance will require ongoing revisions to workflows and processes. Properly managing information and technology are complex tasks; as new sources of data are created, new solutions will be developed to help address yet unforeseen challenges. The technology used for GDPR purposes also provides additional knowledge management benefits to organizations by improving the ability to locate and retrieve required information. While portability may be a burdensome requirement, if proper plans are in place to use technology with features designed to address GDPR compliance, then there is a high probability of success.