Will GDPR lead to a slew of access requests from data subjects?
GDPR is a massive undertaking for organisations, particularly those that aren’t multinational corporations with vast swathes of information and resources to mine in order to be compliant with the new rules.
As well as being extraterritorially applicable, GDPR will also introduce the possibility of fines for companies found to be in violation come 25 May. The conditions around consent are also going to be more straightforward and must now be clearly presented, with no legalese.
The regulation is all about allowing the user to regain some control over their data – how it is used, what data is actually being retained and whether or not organisations can hold on to it. The individual rights GDPR will bring to EU citizens range from the right to access their data, to the right to object to data processing and the right to be forgotten under certain circumstances.
While the larger companies have been dealing with data access requests for years now, many other organisations around the world with EU data as a core element of their processes are feeling anxious about the possibility of having to deal with a deluge of requests from members of the public, newly aware of the options they now have.
Siliconrepublic.com spoke about the individual rights elements of GDPR with Chris Babel, privacy thought leader and CEO of leading privacy technology firm TrustArc.
Company size does not equate to maturity
According to Babel, the level of preparedness for GDPR does not always correspond with the size of the company. He described the levels of maturity as “shockingly different” from organisation to organisation.
“Some companies are looking at 25 May and they are feeling pretty good about where they are; they have all their data inventory mapped, they know how data flows throughout their organisation, they’ve done some data protection impact assessments, and are looking at consent management and future risk management.”
He said that these steps are “end-of-process for companies to be ready for GDPR because if you don’t have precursors ready, then you can’t handle this”. He noted that the level of preparedness was pretty disparate at an event in Dublin a month ago. “People were walking up to me saying, ‘I don’t know what GDPR stands for, I’m here at this conference and I’m petrified.’”
As Babel said, larger tech companies that deal primarily in user data are well used to receiving such requests, but other organisations may be in the dark and have no idea what to expect. “You may have never gotten one of these requests in your life, and have no idea what to do.
“We have talked to some of the people in the healthcare space saying they have received some of these requests, typically from people who have participated in drug trials etc, and I’ve asked them, ‘How many of those data subject access requests have you gotten?’ and the answer I hear is, ‘One or two a year.’ You have no idea how many you’re going to get.
“If you’re one of the big guys like Facebook or Google, you’ve been used to and had requests like this for years, because some of these things aren’t really new, like the right to be forgotten; Google has been dealing with that for years, Facebook as well.”
Babel said intriguing patterns are emerging around what is concerning organisations the most about the regulation. “It has been interesting to see different people pick different parts of the GDPR to get petrified about. We still have a lot of people who are still trying to figure out their data flows by business process.”
He said these concepts are some of the basics of data protection, the building blocks towards being able to deal with things such as data requests and more complex user interactions under the individual rights management umbrella.
A strong foundation
For TrustArc, the team there followed the pattern of building a strong foundation. “We started with launching assessment manager and data flow manager to get those fundamentals and now, as we are getting closer to the deadline, we are updating our cookie consent, our broader individual rights management, and we are launching these offerings because it’s kind of end-of-process.
“You get a consumer individual rights request, what do you do with it? If you don’t know what data you have and how it flows around your organisation, you don’t know where to look to give someone access to it, to purge it – you just don’t know. It starts with fundamentals and then you can get to the point where if someone wants to delete or purge or be forgotten, then you can work on those things.”
An uptick in requests?
Babel said that although GDPR will affect every EU citizen, it may be a while after the deadline before organisations see an increase in people exercising their individual data subject rights.
“I think that, on a consumer basis, there are privacy advocates like Schrems that certainly know but I think the average consumer doesn’t know or understand these things yet, so what you may see is a slew of them to start. The question there will be if it’s advocate-type people or something more sustainable. I think those types of things take time. It’s making diamonds – pressure and time.”
According to Babel, “US businesses worry more” and there are numerous reasons for this hypothesis.
“I think that, to some degree, Europeans have been used to these rules and regulations for 20 years. An EU business would have a higher starting point and less distance to go there to get to compliance than a US business. US businesses have had to deal with the FCC, a body known for its aggressive approach and lack of hesitation when it comes to fines.”
The EU has changed recently, though, with the Google antitrust fine a prime example. In Babel’s experience, US firms are also more likely than their EU counterparts to engage legal counsel around GDPR.
Compliance is about consistency
As someone who spent more than a decade in the security industry prior to working in privacy, Babel is passionate about trust. “Covering up a breach and not providing notifications gets to me on a personal level.”
In terms of just how compliant companies and organisations will be come 25 May, his outlook is sanguine. “A lot of companies will get to somewhere” and regulators will need to “make certain that you have done something and you have a path to get that something complete”.
Consistent compliance will require maintenance, automation and scalability. Babel is hopeful, though, adding that most of the people he deals with are “very receptive”.
In his view, sharing knowledge and a willingness to learn are the most important elements for any GDPR readiness plan.