GDPR: The Only Thing Clear About Regulation is That it Isn’t Clear

Over the last several months, I’ve been speaking with as many companies as possible about GDPR, and the one topic that continuously comes up is that the regulation is open to interpretation and that the upcoming law is unclear about how to achieve compliance. One must wonder whether this version of Y2K in 2018 is a huge ruse or just another way for attorneys to make a boatload of money. On the latter point, the lawyers are making money, but not for sinister reasons: they are here to help us interpret a sizeable law, and one that is indeed unclear.

If you haven’t read the General Data Protection Regulation (or “the Regulation,” as it’s referred to), it’s 11 chapters, 99 articles and 173 recitals. All of them are unclear and, in some cases, contradictory.

The law was enacted a couple of years ago, but now the European Union and its Member States are getting serious with countries such as the United States, a country where the European Union doesn’t believe we are stringent enough when processing its citizens’ private data.

The intent of GDPR is to regulate the collection, use, storage, disclosure and processing of personally identifiable information for a natural person. A European citizen is also known as a natural person or a data subject.

Article 1 states:

  • To respect the fundamental rights and freedoms of the data subject
  • By ensuring a high level of data protection
  • In a framework that is based on control and certainty

Controls and certainty are a large part of the Regulation, and if you take away one point from this article, please let it be this: any company that is processing personal data for European Union citizens must comply with the Regulation.

In the Regulation, there are roles such as data protection officer (DPO), data controller and data processor, and terms like subject access request (SAR), data privacy impact assessment (DPIA) and data processing agreement (DPA).

To make my point, a couple of weeks ago I gave a presentation to a group of CIOs. At one point, I knew that I had struck a nerve when, forty-five minutes into the discussion, we were still on slide two. The question that caused so much angst was, “Where does the European citizen need to be located to process personally identifiable information, or PII?”

So, I went back to my data protection officer, who happens to be my chief legal counsel, and asked the question yet again: Where does the European citizen really need to be, and how does a company know whether it needs to comply with the Regulation? His answer to me was “it depends.”

Alright, for those of you who are confused, let me provide a few examples of how GDPR works and why your company needs to pay attention to this regulation.

In my company, first and foremost, I am the Global CIO & CISO, but I also wear multiple hats in leading teams that support internal activities. There, I wear the hat of the data controller and my HR partners are the data processor. Processing HR data for health care benefits, hiring and terminating employees are all examples of processing PII. As CIO, I need to make sure that only a set number of individuals have access to the HR data and can process it.

In this example, in my role as a controller, I work closely with the internal teams and with our Chief Legal Counsel, or data protection officer (DPO). Together with the DPO, we make certain that the requirements of the Regulation are being followed so that we are compliant with the Regulation; in doing so, we are making sure that data is protected and being used appropriately. With the addition of these controls, we are minimizing our risk of being fined or charged with damages when we process data regarding our employees. Fines for non-compliance with the Regulation are up to 20 million euro or 4% of global revenue, whichever is higher.

In a second example, from an external-facing standpoint, our Engineering team produces data processing products by creating external-facing applications where data is processed for our customers. In this scenario, our customer acts as the data controller for their customers’ PII and my company is the data processor.

Let me cite one more example, and one that may pertain to your business. This example shows the difference between where services are used and where processing occurs. An EU citizen goes to Disney World in the US. They rent a car from a US-only company and pay cash for the car. No processing of PII has been performed; therefore, GDPR is not applicable here. Then this same EU citizen takes the car to a US-only gas station and fills up the tank with their EU credit card. The gas station is not worried about GDPR, but the credit card company is, because it has processed PII for an EU citizen, and the credit card company’s processing occurred within an EU member state.

Like any good law, there are always exceptions, and GDPR does not apply to organizations with fewer than 250 employees. There are other exceptions regarding official requests and publicly disclosed information, but we won’t have time to go through all the nuances in this short article. Just know that the Regulation goes into effect on May 25th of this year.

While the Regulation is currently specific to the European Union, it can also pave the way for other countries to follow suit with their own compliance initiatives. So, getting prepared now isn’t such a bad idea.

© 2018 All Rights Reserved

Sue Bergamo is the CIO & CISO at Episerver, a global digital commerce company. She can be reached at sue.bergamo@episerver.com.

*The content of this article is the sole opinion of the author.
