Data protection: A growing need
On 25 May 2018 a new set of rules, the General Data Protection Regulation, or “GDPR”, came into effect in the European Union.
We think this is one of the most important changes to EU data privacy regulations in the last 20 years, succeeding the Data Protection Directive 95/46/EC established back in 1995. GDPR has broad ranging implications for multinational corporations that conduct business in the European Union as well as those domiciled in the EU.
The aim of GDPR is to strengthen and unify the rules around the protection of individuals’ data inside the EU, as well as the export of personal data from the EU. The primary objective is to give control of personal data back to the individual and to simplify the regulatory environment for businesses. As a consequence, EU residents will gain more control over how their digital data is organized. This includes the so-called “right to be forgotten”, which gives residents the power to remove their data from company servers, to update and amend it, and to access their data and transfer it to other companies (a right known as “data portability”). Companies will also be required to obtain explicit permission from individuals before targeting them for advertising purposes.[1]
This new regulatory framework creates many challenges for multinational institutions, such as: “What personal data do we have stored in our company, and where is it, both in terms of computer system and in terms of geographic location? On what legal basis do we hold it, and if it has reached the end of its useful life, should we still retain it?”
Additionally, since many companies have dozens or even hundreds of internal systems, there is the issue of who has access to that data. This does not just include internal employees, but also external third parties, such as cloud storage providers, advertising and marketing agencies, IT subcontractors and business-process outsourcing companies. The GDPR does not apply only to digital data; it also covers physical hard copies such as paper-based contracts, letters, wills, leases, customer complaints and so on.
In the digital era, privacy must be a priority.
Al Gore, Former US Vice President
Overview of GDPR
The aim of the GDPR is to protect all EU citizens from breaches and misuse of data in an increasingly data-driven world that is vastly different from the time in which the Data Protection Directive was established back in 1995. It seeks to modernize the legacy framework and will impact every company which does business in the EU (and is therefore in possession of data originating from the EU). The most important changes are:[2]
- Standardize the law across member states: The GDPR aims to harmonize the law across the member states, granting lead investigative and remediation powers to supervisory authorities. Penalties will be imposed in proportion to the severity of the violation, with maximum fines reaching 4% of global revenue or EUR 20 million, whichever is greater.
- Expand the territorial scope: Under GDPR, companies that process personal data of individuals in the EU must comply, regardless of the domicile of the company or the location where the data is processed. In this context, “processing” is defined very broadly and includes: collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Clarify the definition of personal data: The new regulation broadly defines personal data as any data that identifies a living person, including personal identifiers such as email addresses or phone numbers. This can also include online digital identifiers, such as IP addresses, device identifiers and cookies.
- Data sovereignty: GDPR prohibits storing data in or transferring data through countries outside the European Economic Area that do not have equivalent strong data protection standards.[3]
- Breach notification: GDPR requires that companies report all data breaches to the affected individuals and to a supervisory authority within 72 hours. The nature of the breach and the preventative security measures in place at the time of the breach must then be evaluated to assess repercussions and ensure future compliance.
- “Right to be forgotten”: Also known as “data erasure”, this entitles the individual concerned to have his or her personal data erased, to stop further dissemination of the data, and potentially to have third parties halt the processing of that data.
- Right to access: This gives citizens the right to access their personal data, as well as information about how their personal data is being used and processed, by whom, and for what purposes.
- Data portability: This provides individuals the right to transfer their personal data from one electronic processing system to another.
To summarize, the intention of the GDPR framework is simple: To provide EU citizens and residents greater control over their personal data. Location or domicile of the company in possession of the data does not exempt the company from GDPR compliance. Neither does size. The GDPR will apply to large multinational corporations and small businesses alike. There is no exclusion for businesses with only a few employees.
Consequences for companies
Compliance with GDPR will carry costs, which include data audits, IT upgrades and internal expert consultants to ensure ongoing compliance. Organizations often take a “wait and see” approach, observing how rules are enforced and how their peers are reacting before they make critical changes or decisions. However, in the case of GDPR, we believe such a passive wait-and-see approach is ill-advised for the following reasons:
- Evidence shows that privacy is becoming an increasingly sensitive topic and has a high priority among consumers: Over the last few years, the use of ad-blockers has increased significantly.[4] A recent report by the data analytics company PageFair showed that ad-blocker usage has increased by 30% and that 615 million devices around the world were using ad-blockers at the end of 2016.[5] There appears to be a rising awareness of the potential abuse of “personally identifiable information” (PII).
- The GDPR is the biggest shake-up to data privacy in a generation, but organizations must remember the overriding principle of these new regulations: To unify data laws across the European continent in order to shift the burden of proof from individuals to organizations. A “wait and see” approach makes sense only if the potential risks are outweighed by the efforts required to prevent them. Compliance with GDPR may require a rethink in processes and operations in the beginning, but in most cases, it comes down to the adoption of best practice for data handling and management, and these are steps that companies should be taking as a matter of course.
- Where once citizens needed to show that they were the victims of data misuse or security breaches, organizations must now demonstrate that they have taken adequate measures to protect personal data appropriately. Beyond the immediate cost burden of compliance with GDPR, the impact on reputation and brand from a failure to use personal information responsibly can be far greater in the long run, as the recent Facebook incident has shown.
We believe that GDPR will force companies to locate, track and monitor where all instances of personal data are stored in order to comply with the new requirements for data access, the right to be forgotten and data portability. The proliferation and spread of data, as well as the need to track where data has been copied, will make robust and consolidated data management platforms necessary.
The new EU data protection regime will be directly relevant for many multinational companies which conduct business activities in the EU and have access to personal data from EU customers, suppliers or EU-employed staff. GDPR is a complex, multi-part regulation, and compliance will demand the implementation of a set of solutions that work together to meet all the requirements that apply to an organization. Whether the organization is considered a controller (the entity that collects the data) or a processor (such as a cloud services provider that simply processes data on behalf of a controller), failing to comply with the relevant GDPR rules can have significant consequences.
In our opinion the introduction of breach disclosure requirements bodes well for the IT Security industry. CIOs and boards of directors need to take a critical look at their overall IT Security environment and will likely need to spend more on prevention capabilities. While it’s hard to believe that the threat landscape has not already produced incremental spending, we think that breach disclosure can drive an additional spending requirement.
As GDPR shows, the theme of security and safety is becoming increasingly omnipresent in our daily lives, and the implications for the automation of data management are also becoming more critical. As a result, the relationship between security and automation, or robotics, is symbiotic: more regulation requires more security and controls to be put in place, and in turn, more automated systems and tools are needed to manage and maintain these checks and controls efficiently.
As long-term oriented investors, we believe that IT security, and more broadly security and safety in general, are compelling long-term secular growth themes for patient investors. We also believe that we are still in the early innings of these structural growth trends. Based on these convictions, we are shareholders of a number of companies which provide innovative solutions and technologies for Data Loss Prevention, Email and Data Archiving, as well as Identity and Access Management.