The General Data Protection Regulation (GDPR) is experiencing a major reform that will affect companies across the globe. Join us in exploring the changes happening to GDPR and their broader impact on data protection.
- GDPR: The Must Knows 20:27
- GDPR: The Business Benefits 18:40
- GDPR: Where It's Headed 25:38
Transcript - GDPR: The Must Knows
FV: I’m Filip Verloy, and today, we’re going to explore the upcoming General Data Protection Regulation, or GDPR, to understand exactly what it is and who needs to be concerned about it. Joining us today is Michael Kummermehr, a lawyer and partner at Hyazinth, whose services include advising companies on data protection and privacy matters.
We’re excited to talk to you today, Michael.
MK: Oh, thank you. It’s a pleasure.
FV: To start, tell us a bit about your background and your specialty at Hyazinth.
MK: Our law firm is situated in Berlin and was founded at the beginning of this year with a technology, commercial and venture capital background. Myself — I’ve been a legal professional for 17 years. I’m also a solicitor in England and Wales, and my main field of expertise is technology, intellectual property, litigation, and privacy.
FV: Onto the second question then. For our listeners who are not familiar with GDPR, could you provide an overview of GDPR and what it is trying to achieve?
MK: Filip, the EU General Data Protection Regulation, the GDPR, replaces the Data Protection Directive 95/46 and was designed to harmonize data privacy laws across Europe to protect and empower all EU citizens’ data privacy and reshape the way organizations across the region approach data privacy. Consequently, this also affects vendors outside the EU.
FV: Right. Very cool. We’re excited to have someone with your level of legal expertise on the show. Of course, I want to emphasize to our listeners that neither Rubrik nor Michael are providing legal advice in this podcast, but are focused on answering broader questions around the regulation and its impact. Which companies and organizations are affected by GDPR, and what are the penalties for failing to comply?
MK: The General Data Protection Regulation will be the most significant shakeup to European privacy laws in 20 years. It applies to all organizations collecting and processing personal data of individuals residing in the EU, regardless of the company’s physical location. The GDPR will not only bring a large change in sanctions, with fines of up to 4% of annual worldwide and group-wide turnover or €20 million, but will also change the way your customers and others expect you to handle their personal information.
The highest penalty amounts will be mainly directed at the data controllers, which are usually the EU customers of the U.S. vendors. But, if they do not comply with the GDPR by taking out DPAs with their vendors, they will be mostly affected. The criteria for the amount of the penalty will be based on the severity and the quantity and quality of the affected personal data.
FV: Okay. Looking through the regulations of GDPR, it’s both extremely robust and, in many ways, pretty vague. In your opinion, what are the key takeaways or changes that businesses should be focused on?
MK: Firstly, prepare for change now. The deadline is set. Review your existing compliance. Work out the kind of data you are processing. Companies have to demonstrate that they comply with the rules. You have to create and maintain records of the processes your company is carrying out. You may have to adopt product development and business use case processes.
FV: Okay. As I mentioned, the regulations of GDPR are often quite vague and open to interpretation. For example, businesses can only collect necessary data and store it for as long as needed for business use cases. So, what approach should organizations take when determining their business use cases to ensure compliance?
MK: A very cautious approach. There are two very important principles you just mentioned. The purpose limitation principle — that personal data may only be collected for specified, explicit, and legitimate purposes, and must not be further processed in a manner that is incompatible with those purposes. Secondly, the data minimization principle. The principle of data minimization is essentially the idea that, subject to limited exceptions, an organization should only process the personal data that is actually needed to process in order to achieve its processing purposes. Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which those data are processed.
FV: One term that sort of keeps coming back is “data protection officer.” Could you walk through the responsibilities of a data protection officer?
MK: A company under the GDPR may be obliged to appoint a data protection officer who has documentation and reporting obligations. The DPO has the duty to actively monitor compliance with GDPR. It can be an internal role or an external role. The DPO must be professionally qualified. Executive C-level and IT managers are not suitable for that role because of obvious conflict of interest reasons.
The obligated companies should publish the contact details of the DPO and communicate them to the supervisory authority. The DPO must be involved in all data protection issues and must report directly to the highest level of management within the addressed organization.
FV: Okay. You mentioned that they may need to appoint a DPO. So, how does a business actually know if they should do it or not?
MK: Under GDPR, a DPO must be appointed where the core activities of the organization involve regular and systematic monitoring of data subjects on a large scale or where the entity conducts large-scale processing of special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious belief, and the like defined in Article 9 [GDPR].
In Germany, the new Federal Data Protection Act, for instance, extends the scope of the GDPR and requires the appointment of a DPO for companies that employ at least 10 people who are constantly tasked with automated data processing.
FV: Okay. So you think it’s fair to say then that GDPR can be even tighter depending on the local implementation of each country, as in Germany?
MK: Yes, there are opening clauses in GDPR. This is the reason why not everything is figured out yet with regard to the exact implementation of GDPR. The opening clauses, in certain instances, give the member states a certain discretion with regard to the implementation.
FV: Okay. So, it sounds like we’re definitely not yet at the end of the discussion.
MK: No. No. We are not. We are definitely not at the end of the discussion.
FV: Okay. You spoke about personal data. Is there any clear definition about what constitutes personal data exactly?
MK: There’s no clear-cut definition. There’s only a legal definition, of course, which does make it easier. But the EU has a very wide concept of personal data. It’s data which identifies an individual or which makes an individual identifiable. It does not have to be direct identification data like the name, the address, the telephone number, the email address, but also other more abstract ideas, like log files, log information, and IP addresses, which do not directly identify the user but, with the help of a set of other information, clearly may enable third parties to individualize that particular person. So the concept is very wide, and, when in question, usually there’s a case that a particular piece of information is personal data.
FV: Right. When in doubt, treat it as personal data. That’s what you’re saying.
FV: So there’s also been a lot of discussion around backups and whether data needs to be deleted from all historical backup copies. Is there already a clear answer around this concern specifically, you think?
MK: There’s still a lot of discussion around this one as well, especially with regard to the technical means of backups. Article 17 of GDPR states that data subjects have the right to have said personal data removed from the systems of controllers, of data controllers, and processors under a number of certain circumstances, such as removing their consent for processing. Upon such request by the data subject, assuming there are no other regulatory requirements for retaining this data, the data controller is required to delete all copies of the data subject’s personal data. This includes the data in any backups and archives, but it’s more complicated than that principle of course.
So data subjects have the right to obtain erasure from the data controller without undue delay if one of the following applies: firstly, the controller doesn’t need the data anymore, or the subject withdraws consent for the processing to which they previously agreed. The subject uses the right to object to the data processing, or the controller and/or its processor is processing the data unlawfully, or there’s a legal requirement for the data to be erased, or in case the data subject was a child at the time of collection.
If there is such a case, usually the controller and its processors would be required to delete the data. But of course, there are exceptions. Data might not have to be erased if one of the following grounds applies: the right of freedom of expression; the need to adhere to legal compliance (e.g., a bank keeping data for seven years); reasons of public interest in the area of public health, scientific or historical research; or public interest for archiving purposes or for supporting legal claims.
Then there are cases where the right to erase data is out of scope. Most importantly, this is the case if the storage was not made of electronic documents, but filed onto a random piece of microfiche or a paper notepad. They are not classed as personal data under the GDPR, and are therefore not subject to the right to erasure. In some personal data sets it is impossible or unfeasible to edit or to remove individual records, e.g., a server backup or a piece of microfiche.
Importantly, and this is the key takeaway, these exceptions cannot be used as a general override, for instance to allow the controller to keep considering the subject as an active customer that they can still keep marketing to. So, if there’s a request for erasure and the exceptions do not apply, documentation should not be kept live.
FV: Okay. So definitely not straightforward, I hear. So GDPR also places a lot of emphasis on security and preventing data breaches. What steps can a company take to ensure it’s meeting these high security standards, and what technology can support these efforts?
MK: Firstly, you must keep personal data secure. This obligation is expressed in general terms, but does indicate that some enhanced measure, such as encryption, may be needed. Secondly, you have to report security breaches to the data protection authority and, in some cases, to the affected individuals within a very short time window.
Consider, as a takeaway, setting up a central breach management unit to collect, review, and notify breaches where appropriate, and review and update your security measures in light of the increased security obligations in GDPR.
FV: Okay. So this central breach notification unit, that’s an internal team, I reckon, that you then need to set up?
MK: Yes, an internal team. But you also can get external help by service providers. I think there are a lot of service providers now who are offering services in connection with the implementation of GDPR.
FV: Okay. More and more companies are also storing their data across private and public cloud of course. So how should companies treat data in the public cloud to ensure GDPR compliance?
MK: On the technical side, use a trustworthy cloud service provider. Use a cloud form that protects, manages, and monitors the data across all your environments. Companies have to invest in data management solutions that are equipped to ensure up-to-date enterprise IT environments from data sender to cloud, while ensuring end-to-end data security solutions, like data encryption.
You should use a provider that ensures that the data can be managed in a single system, with retention periods, retention reporting, and visibility solutions. You must be able to have granular central control of user access to data. Secondly, on the legal side, you must have data processing agreements in place with your vendors, with your hosting and storage providers, and especially also with your cloud hosting company where you store your data. Thirdly, European customers may insist that the cloud storage has to be on a site in the EU or the European Economic Area.
FV: Okay. You spoke about data controllers and data processors. So, in terms of public cloud providers, how should companies approach the role of the public cloud provider in that light?
MK: A company that uses the services of a public cloud provider has to ensure that the data which is being processed and stored on the public cloud provider is legally compliant with the requirements of the GDPR. This means that the data controller has to ensure that the data processor, which is the public cloud provider, adheres to certain obligations described by GDPR. These obligations are laid out in so-called data processing agreements, and if the data processing takes place outside of the EU, the data processing agreements have an attachment. The standard model clauses provided by the EU ensure that an adequate level of protection of the data will also be maintained outside of the EU by that particular data processor, in order to ensure the level of adequate protection of personal data outside of the EU.
FV: Okay. So, you mentioned these external companies or service providers, as you call them before. So there seem to be a lot of self-proclaimed GDPR experts popping up all over the place offering their services to companies trying to wrap their hands around the implications of GDPR. Do you see any risks associated with this trend?
MK: Firstly, yes. There is a trend. But wherever there is a shroud of mystery, there’s usually money to make. Obviously, those providers are popping up. I think that good solutions on the technical side and the data security side are valuable and therefore cost money. I cannot give recommendations, but you should be very careful and cautious to choose a good provider. On the legal side, I recommend having legal counsel in Europe to prime you on the legal side of things, on DPAs and on the wider legal implications.
FV: Okay. So, assuming that a company, against all recommendations, hasn’t taken any necessary steps to move towards compliance yet. What, in your opinion, should they start doing right now?
MK: They should start now. Take the baby steps. Look whether they could be affected by the GDPR and find an assistant to do their data audit, and have a lawyer look into their documentation.
FV: Okay. In your own experience as a legal professional dealing with these matters, have you seen a major increase in inquiries in your own firm around GDPR and its potential implications?
MK: Yes, of course. With deadlines on the horizon and the pending threat of ridiculous fines, there’s a lot of activity in the market of course. Right now, as the deadline approaches, we get more and more requests from outside the EU, especially from the U.S., with regards to compliance. I think the increased workload will keep on until the middle of next year.
FV: That’s certainly good news depending on how you look at it, of course. What, in your case, do you think people are most worried about? Is it the height of the fines or the impending deadline? Or what are people asking you about the most?
MK: The fines are more a theoretical scenario, I think. The U.S. companies who have big customers in the EU are required by their customers to comply with the GDPR requirements. The motivation to look into these issues is clearly motivated from the customer side. Because more nervous than the U.S. vendor is the customer in the EU, because he’s directly on the hook. If there are fines, they would be easily enforceable against the EU customer, and therefore the EU customers are very, very anxious and cautious — if they deal with vendors outside the EU — to have the right documentation in place and to make sure that the technical and organizational measures within the U.S. vendor, for instance, are in compliance with the GDPR.
FV: Okay. Any final thoughts or final recommendations from your end on GDPR before we wrap up?
MK: Like I mentioned, wherever there’s mystery, there’s alarmism, and there’s activity in the market. Right now, there are a lot of political, technological, and legal discussions on the topic. It will all go back to a certain level of normalization over the course of the next year, I’m sure. But I urge anyone to be prepared for the general structure of the requirements GDPR has in place.
FV: Okay. So, thank you very much for speaking with us today, Michael. GDPR is quickly approaching, and you’ve certainly helped break down some of these complicated regulations. To learn more about Michael, visit Hyazinth.de or follow Hyazinth on Twitter @Hyazinthllp. Stay up to date with Buzzword Bingo and other industry trends by following us on Twitter via @rubrikInc.
Thanks for listening. Talk to you soon.