Personal Data Processing is a Corporate Risk
Have companies been adapting in a timely manner to comply with the RGPD rules?
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data entered into force on 25 May 2016, simultaneously in all Member States of the European Union. The Regulation imposes uniform discipline across the Member States from 25 May 2018, the date on which the two-year transitional period specified in it expires. Private and public companies and organizations will be subject to a set of obligations, non-compliance with which will lead to fines of up to € 20 million or 4% of the organization’s worldwide turnover (there are two tiers of fines; see Article 83). In applying fines, a number of factors will be taken into account, but their mitigation will depend on the ability of organizations to demonstrate the application of appropriate data remediation measures. The new sanctioning framework raises the privacy and security of information relating to the processing of personal data to a Corporate Risk, necessarily leading organizations to consider this matter in their guidelines and management decisions. We observed in the Portuguese market that organizations in general began to mobilize around the need to analyze the provisions and implications of the RGPD only from the end of the first half of 2017. The two-year transitional period was not really taken advantage of to assess impacts and investment needs, to formulate priorities and options, and to plan the actions to be undertaken.
In the first phase, we noticed that organizations perceived the Regulation not only as a problem of a legal and justice nature and, consequently, as a matter to be addressed and resolved through the use of skills and means from those two fields and disciplines of intervention.
What are the main questions asked by the companies that ask you for advice on the new RGPD?
Doubts and requests for advice addressed the formal aspects of legal compliance with the provisions of the Regulation and, in parallel, the identification of technological options, i.e. recommendations of software solutions to adopt in response to the security measures for the processing of personal data. The formulation of requests for advice has often resulted in a consultation and/or a request for the provision of professional services for the “implementation of the minimum requirements of the RGPD” in the organization concerned. This approach implies a common perception among organizations of the supposedly prescriptive nature of the Regulation, and also the frequent assumption by managers that “minimum requirements” for compliance exist. The Regulation lays down principles and sets out rules and obligations to be observed by data controllers, their subcontractors and joint controllers, but it is not prescriptive as regards the measures, in particular security, technical, organizational and procedural measures (Article 32), to be implemented by organizations. It is not, nor should it be. A security measure, regardless of its nature, is aimed at acting on an identified risk, with a given control objective: risk prevention, risk elimination, or even transfer to third parties (example: an insurance contract). Risks arise from existing vulnerabilities and affect an organization’s assets, which include information assets, including information that results from the processing of personal data. The risks associated with different economic activities are naturally different, although there may be some common risks. Within a given sector of economic activity, operationally different organizations, in terms of their organizational model, their business processes and supporting technology (software, databases and hardware infrastructure, communications, among others), will necessarily have different vulnerabilities.
The integrated risk and vulnerability assessment enables the control objectives to be defined and, depending on them, the necessary security measures to be determined, which may be of different natures and types (organizational, procedural, technological), considered individually or in combination. That said, the “implementation” of RGPD compliance requirements requires a prior exercise in identifying and assessing risks and vulnerabilities, and management decisions by the organizations regarding the control objectives and, consequently, the actions to be taken to address them.
And the adoption of other types of solutions that the market offers?
Recommendations and/or adoptions of software solutions, although widely advertised in the market, without a proper evaluation of the organizational context in all the dimensions relevant to the formation and deconstruction of the problem, may have the same effect as treating a “viral infection with antibiotics” or treating “a bacterial infection with the wrong antibiotics”. The security measures must meet the control objective(s) of the risk(s), but their choice and implementation must be consistent.
Consistent, because the outcome of a security measure may depend on the prior implementation of another security measure, or on the development of a set of actions that are in themselves a prerequisite to the implementation of that measure. These variables have to be addressed through planning. Consistent, because managing and controlling risk is inevitably an exercise in economic and financial viability for organizations. Minimizing risk also means maximizing control, which presupposes investments and changes in operating costs, present and future. Thus, in order to safeguard the privacy and security of personal data, it is necessary to determine the security measures required for the organization’s effective compliance with the RGPD, the adequacy of those security measures, and their financial management. Resources are always limited. Regulation does not generate business and, as such, the RGPD will be a challenge to the management of organizations.
Do you believe in the good preparation of companies to comply with the new legislation after May 25?
By the end of 2018, I believe that most private sector organizations will focus and work on fully preparing themselves to respond to the formal compliance aspects of the RGPD: fulfilling the Principles relating to Processing (Articles 5 to 11), the Rights of the Data Subject (Articles 12 to 15) and the Record of Processing Activities (Article 30). However, the complexity, effort and enormous challenge for all organizations, without exception, lies in compliance with the principles and provisions set out in Articles 25 and 32 of the Regulation, aimed at promoting the accountability of organizations, respectively: data protection by design and by default, and the security of processing. Compliance with these two articles is not an action, it is a process that requires vision, resources, planning and execution time, for the reasons I have tried to explain previously. It is an unavoidable fact that the transitional period provided for in the Regulation expires on 25 May 2018, from which date a uniform discipline is expected to exist among the Member States of the European Union. The privacy and security of personal data are in fact only two additional risk dimensions to be added to the global ecosystem of an organization, to be included in a “Risk Management Integrated Framework”, which requires a multidisciplinary approach and becomes an integral part of an organization’s internal management disciplines. This is the change in the management paradigm that is imposed on organizations in Portugal.
A practical question: how is it that a third party – without any contractual relationship with the consumer – is required to eliminate and forget personal data?
The Regulation defines two concepts: that of Data Controller, which “determines the purposes and means of processing personal data”, and that of Subcontractor, which “processes personal data on behalf of the Data Controller and in accordance with his instructions” (Article 28). The Regulation introduces a new role and new added responsibilities for subcontracted entities. Subcontractors shall provide guarantees that they will implement appropriate security measures to protect the rights of data subjects, and may not engage further subcontractors without the Data Controller’s authorization. The data subject exercises his or her rights, including the right to be forgotten, before the Data Controller, obviously assuming that the processing by the Data Controller is lawful under the terms provided by the RGPD. In today’s society, where data and the information contained in it are transmitted voluntarily by the data subjects, circulating through multiple channels and distributed data repositories, individual behaviors can regrettably lead to the abdication of rights. At this point, I believe that education is the variable that will make the difference …
What role should supervisory authorities play?
The role of supervisory authorities is key and will be a pillar of the system. The levels of experience, organization and preparation of supervisory authorities in the different EU countries are very different. The ability to exercise the supervisory function effectively depends on the adequacy of the organizational structure, the internal competencies, necessarily multidisciplinary, and obviously the financial means, but in response to a strategic alignment plan with a given reference, that is, with a “target supervision model” that is technically feasible from the current starting point and financially sustainable. In Portugal we do not need to “reinvent the wheel”; we have to know how to look critically at other realities and see what works and has proven to work.
What challenges does blockchain technology bring to data protection legislation?
Blockchain technology is still something very new, with a potentially vast spectrum of application. Disintermediation in economic and social life may be taken to its limit, with an impact on society as we know it today that is not yet foreseeable. I do not have a formed opinion, only reflections, the same ones that make me think that the internet enabled the very social networks that allowed the “Arab Spring” and Cambridge Analytica. Technological evolution will determine the need for constant revision of regulation. Faced with blockchain technology, we will certainly not be talking about the future of the RGPD, but about some other regulation.
What about artificial intelligence?
On the contrary, artificial intelligence is already a reality, but it is still a very expensive technology, hence its application being restricted for the time being. With artificial intelligence, software has the ability to learn from human behavior. The easiest and most intuitive example is self-driving cars. These cars exist because the software was programmed by reading the driving style of human “good drivers”; that is, mathematical algorithms in artificial intelligence are developed from simultaneous interaction with human behavior, meaning that, with artificial intelligence, software algorithms incorporate human behavior. Now, behavior is a unique code of its holder, and a “good behavior” is an asset of its owner, because it has started to have market value. I believe that, with Artificial Intelligence, what is at stake under the law is not the protection of the personal data of the data subjects, but rather the “incorporation of rights” in the construction of the software by the owners of the “good behavior”. If the owners of the “good behaviors” are human beings, clearly specific and differentiated taxation will have to be the route for resolving the incorporation of Human Rights in software with artificial intelligence. For this, economics developed in the past the “Theory of Externalities”. On the one hand, economic activities with negative externalities are subject to increased taxation. On the other hand, economic activities with positive externalities must receive benefits or tax reductions. Artificial intelligence applied to health has social value; in other cases it will cause negative social impacts, and unemployment is at stake. Artificial intelligence will force societies to rethink taxation, which will have to fulfill its redistributive function. The economic theory exists and is old; its application will be a political issue.
This is the key role of information systems: to make innovative forms of interaction and management possible, with ever more detailed information about customers, with the possibility of personalizing offers at the individual level and of monitoring the evolution of the business in real time. And, fundamentally, making it possible for any entrepreneur with vision and boldness to launch their project on a global scale.