We read a lot about the General Data Protection Regulation (GDPR) today. We read about fines, and strict requirements around an organisation's disclosure of a breach affecting customer data. Yet there is one critical component of the regulation that doesn't get nearly enough exposure – this is the expansion of the liability following a breach.
Under the GDPR, as well as under the previous directive (Directive 95/46/EC), a 'data controller' is the first party responsible for managing personal data collected from individuals. If there are third parties who collect or process data on behalf of a data controller, those are referred to as 'data processors'.
So, if a bank asks a marketing firm to conduct a survey on its behalf using customer data, the bank is the data controller and the marketing agency is the data processor. Under current data privacy laws, if there is a breach and personal data is stolen, the bank is the only party held liable, both to its customers and to the data protection authority. Under the GDPR, however, liability and accountability for a breach are expanded. The new regulation holds controllers, as well as processors and sub-processors, directly liable for lost or stolen data, no matter how far down the chain they fall. In this example, the data protection authority charged with enforcing the GDPR is able to levy fines on both the bank and the marketing agency.
Once you factor in our global economy, the cloud, and near ubiquitous outsourcing, the veil starts to lift: you realise that the GDPR is not a set of European laws, it is in fact a global privacy regulation able to directly hold accountable any party mishandling European citizen data, regardless of what country they are located in.
Many readers may view this as semantics – data controllers would already hold the data processors liable in their service contracts. However, the fact is many global cloud providers would never deviate from their standard contractual language, especially on the question of liability. The GDPR makes this moot: if third-party data processors accept the task of handling the data, they are by default accountable to the same standard as the data controllers.
I believe this to be the most relevant change within the new law. Any service provider currently working with personally identifiable data of European origins is expected to live by the articles and recitals of the General Data Protection Regulation.
The news is not all bad. As a result of shared liability and accountability, businesses have begun to put the work into their data handling processes by selecting partners who are able to demonstrate an adequate level of compliance. This gives agile, responsive service providers an advantage over competitors and acts as a substantial differentiator, especially for those who achieve GDPR readiness for their customers first.
Instead of viewing the GDPR as a burden, organisations should view it as an opportunity to take charge of their information and truly learn to understand the value and risk that come with it.
Start your GDPR transformation today. Don't just focus on compliance; focus on the requirements and their implications and make them work for you. If you approach the GDPR as a checkbox exercise it will be expensive, painful and, most of all, pointless; take the time to understand where you stand in relation to the regulation and use that to your advantage.
Visit our GDPR hub to find out how Softcat and BlackBerry can help you prepare for compliance with the GDPR. Contact your Softcat account manager or get in touch using the button below for more information.