Get Your Data Privacy Act Together; the EU Has Reached a Consensus
In politics, decision making takes time, especially when there is a lot at stake. In Brussels, home of the European Union (EU), this has been the case for the new EU General Data Protection Regulation (GDPR).
In June 2015 the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) entered “trilogue” negotiations on the proposed data protection rules between the European Parliament (representing the citizens), the European Commission (the EU’s executive) and the Council of the EU (the governments of the 28 member states). In December 2015, LIBE announced that all three parties had finally reached agreement.
Today we know the GDPR will apply from May 25, 2018, leaving companies a window of barely two years to get their data privacy acts together.
The major points of the package are:
- Explicit consent: Companies that want to use personal data for purposes other than delivering the service for which their clients provided it must obtain clear, affirmative permission from the client for that use. No more “general data processing” tick boxes buried in the terms. Instead, companies will need “explicit consent.”
- Right to be forgotten: In some instances, such as when the data was collected while the data subject was a minor and parental consent was needed, data subjects have a “right to be forgotten.” Their personal data must be erased from IT systems, including those in test environments.
- Privacy by design: All IT systems must be “privacy ready.” Data protection must be built in by design, not added as an afterthought.
- Onerous fines: Failure to comply will be met with massive fines, up to 4 percent of the offender’s global annual turnover (or €20 million, whichever is higher). For large global companies, this could amount to billions.
- Timeframe: The regulation applies two years after it enters into force, giving companies that long to comply.
As the LIBE rapporteur, Jan Albrecht put it, “The regulation returns control over citizens’ personal data to citizens. Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned. Consumers will have to give their explicit consent to the use of their data.”
How easy is it to “forget”?
The rules arriving with the GDPR pose a major challenge for every company that collects and stores personal data. Take the “right to be forgotten.” Honouring an erasure request requires a company to know where every item of personally identifiable information (PII) resides within its systems. That might sound simple, but it is far from it: organisations must consider not only their own back-end databases and backups, but also any copies held by the outsourcers, partners and cloud service providers they work with. In many cases the data may even be in use outside the EU, for example in the systems of an outsourcer developing mainframe applications for the business. Unless the proper controls are in place, such a copy is a breach of the new regulation, and it is a copy the erasure process has to reach.
Will we consent to having our data used for system testing?
Explicit consent seems simple. We all know the tick boxes we already see when doing business online. But do we ever read and understand what our data is collected and used for? What data do these online services need to deliver the requested service, and what data is collected for “purposes other than delivering the service for which the clients provide the data”? Do we consent to the latter?
Translating this from legal into IT terms, take testing as an example: testing applications with real personal data will require the explicit consent of the end customer, and if customers refuse to have their data used in testing, application testing could be severely affected. Complex applications, such as those developed for the mainframe, are often tested with live customer data to get an impression of how they will perform in the real world. This practice is already unlawful where a business has not treated the data as personal and put stringent controls in place, let alone told people what their data will be used for beyond “normal business.” It matters even more when the data is handed to third parties such as outsourcers: unless the business has the customer’s explicit consent for their data to be passed to an outsourcer and used in a controlled testing environment, it will be in direct breach of the new EU legislation and face a painful fine.
Impact on testing/development
Alarmingly, research by Compuware indicates that many businesses lack a clear understanding of how their testing practices will be affected by the new data protection legislation. A fifth of firms do not mask or otherwise protect customer data before sharing it with outsourcers, and the vast majority of those rely on non-disclosure agreements, which in essence do not satisfy even current data privacy regulation: an NDA is a contractual promise, not a technical control. It is therefore extremely important for all businesses to review their testing practices now to ensure they can meet the “privacy by design” demand of the EU rules.
If any real personal data is used for testing, it is high time to start protecting it with a test data privacy project, masking or pseudonymising the PII before it reaches a test environment, to ensure compliance with existing as well as new EU regulation. There is no excuse for continuing to use unmasked customer data in testing projects, and those that continue to do so will have nowhere left to hide when the EU regulators come calling.
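What a minimal test-data masking step looks like in practice, as an added example in Python (not code from the original article or from Compuware): it pseudonymises the PII columns of a constructed two-table extract with a keyed hash so that the masked customer and order records still join correctly, keeps non-PII columns and field layouts so the application under test still behaves realistically, and runs a release check that refuses to hand over an extract in which any original PII value survives. The demo key, the table layout and the list of PII fields are assumptions made for this example.

```python
"""Deterministic pseudonymisation of PII in a test-data extract.

Added example, not code from the original page or from Compuware. Assumes a
simple two-table extract (customers and orders) and a secret HMAC key held by
the data controller; both are constructed here for the demo.
"""
import hashlib
import hmac
from typing import Any, Dict, List, Tuple

# Constructed demo key. In production load it from a secret store and never
# ship it with the masked extract: whoever holds the key can rebuild the mapping.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample rows; these are not real customers.
CUSTOMERS: List[Dict[str, Any]] = [
    {"customer_id": "C1001", "name": "Alice Example", "email": "alice@example.org",
     "phone": "+44 20 7946 0001", "plan": "gold"},
    {"customer_id": "C1002", "name": "Bob Sample", "email": "bob@example.net",
     "phone": "+44 20 7946 0002", "plan": "silver"},
]
ORDERS: List[Dict[str, Any]] = [
    {"order_id": "O1", "customer_id": "C1001", "amount": 120.50},
    {"order_id": "O2", "customer_id": "C1002", "amount": 18.00},
    {"order_id": "O3", "customer_id": "C1001", "amount": 42.00},
]

# Columns that hold PII (an assumed list for the demo), each with a strategy.
PII_FIELDS: Dict[str, str] = {
    "customer_id": "token", "name": "name", "email": "email", "phone": "digits",
}


def _digest(field: str, value: str, key: bytes) -> str:
    # Keyed hash: stable across tables and runs with the same key (so joins
    # survive), but not reversible or reproducible without the key. The field
    # name is mixed in so equal values in different columns get different tokens.
    return hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()


def mask_value(field: str, value: str, key: bytes, strategy: str) -> str:
    d = _digest(field, value, key)
    if strategy == "token":          # opaque identifier, fixed shape "T" + 7 digits
        return f"T{int(d[:8], 16) % 10**7:07d}"
    if strategy == "name":
        return f"Customer {d[:8]}"
    if strategy == "email":          # reserved TLD: the address can never deliver
        return f"user-{d[:12]}@example.invalid"
    if strategy == "digits":
        # Keep layout ('+', spaces, length) but replace every digit with a keyed
        # one so format validators in the application still pass. This is a
        # keyed substitution, not a format-preserving encryption scheme.
        out, i = [], 0
        for ch in value:
            if ch.isdigit():
                out.append(str(int(d[i % len(d)], 16) % 10))
                i += 1
            else:
                out.append(ch)
        return "".join(out)
    raise ValueError(f"unknown strategy {strategy!r}")


def mask_table(rows: List[Dict[str, Any]], key: bytes = DEMO_KEY) -> List[Dict[str, Any]]:
    """Return a copy of rows with every PII column pseudonymised; other columns untouched."""
    masked = []
    for row in rows:
        new = dict(row)
        for field, strategy in PII_FIELDS.items():
            if field in new:
                new[field] = mask_value(field, str(new[field]), key, strategy)
        masked.append(new)
    return masked


def verify_masked(orig_customers, orig_orders, masked_customers, masked_orders) -> bool:
    """Release gate: True only if no original PII value appears anywhere in the
    masked extract and every masked order still joins to a masked customer."""
    leaked = {str(row[f]) for t in (orig_customers, orig_orders)
              for row in t for f in PII_FIELDS if f in row}
    for t in (masked_customers, masked_orders):
        if any(str(v) in leaked for row in t for v in row.values()):
            return False
    ids = {row["customer_id"] for row in masked_customers}
    return all(row["customer_id"] in ids for row in masked_orders)


def build_masked_extract(key: bytes = DEMO_KEY) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    return mask_table(CUSTOMERS, key), mask_table(ORDERS, key)


if __name__ == "__main__":
    mc, mo = build_masked_extract()
    for row in mc + mo:
        print(row)
    print("safe to share:", verify_masked(CUSTOMERS, ORDERS, mc, mo))
```

Run it as a script to print the masked rows and the gate result. Two caveats a practitioner should keep in mind: keyed pseudonymisation is reversible by whoever holds the key, so under the GDPR the output remains personal data while the key exists (Recital 26); keep the key with the controller, never with the outsourcer, or use random tokens with a controller-side lookup table if the extract never needs to be linked back. And the digit substitution only preserves layout; fields with check digits such as IBANs or card numbers need a proper format-preserving scheme or a synthetic generator.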