Michael Neddo

The General Data Protection Regulation (GDPR) was created to protect people in the European Union (EU), but it reaches well beyond EU-based companies. Any organization, wherever it is established, that offers goods or services to people in the EU or monitors their behavior must comply with it.

The GDPR is complex and comprehensive, but in its most basic form it is a set of rules that give people more control over, and access to, the personal information businesses collect about them. That information includes, but is not limited to, first and last name, email address, phone number and demographic details. The regulation protects the privacy of people in the EU, and it has prompted a broader movement pushing businesses and governments everywhere to be more conscientious about how they use people's personal data.

Because GDPR touches so many organizations, a business may conclude it can easily slide by without becoming compliant; that is a big mistake. Businesses found non-compliant with GDPR can be fined. Google, for example, was fined €50 million (about $57 million) by CNIL, France's data protection authority, for GDPR violations. No business wants to be fined for something that is straightforward to fix with a proper understanding of the procedures and protocol.

Are you worried your business could be fined for being non-compliant? AppGlo is here to help analyze your business's current compliance and build you a plan to resolve any deficiencies. You can schedule a free consultation here with an AppGlo representative.

It has now been one year since the General Data Protection Regulation (GDPR) came into effect. Billed as a transition year, it saw companies across the globe struggle to adjust to and comply with the new law. Although companies and governments had been given time to prepare for the new data assessments and procedures, there was still uncertainty about exactly how much preparation was needed and how ready organizations really were. Now let's step back and look at what has come of it.

[EDPB chart note: based on information provided by SAs from 27 EEA countries; Germany: based on information provided by the Federal and 17 Regional SAs]

In a single year, according to the European Data Protection Board (EDPB), the national supervisory authorities have issued fines totaling €56 million across more than 280,000 cases. That is roughly €4.6 million in fines and 23,000 cases per month. GDPR did not arrive quietly, as some might have expected.

We believe this is just the beginning of enforcement. Google's €50 million fine alone accounts for most of that €56 million total, and most of the remaining cases and fines will be far less notable; but the sheer volume of cases being processed is more than enough justification to ensure GDPR compliance, or to double-check it. Just in case.

Since day one there have been 446 cross-border cases. According to the EDPB, 205 of those led to One-Stop-Shop (OSS) procedures, in which a lead supervisory authority coordinates the case with the other authorities concerned. So far, there have been 19 final OSS outcomes.

[EDPB chart note: based on information provided by SAs from 27 EEA countries; Germany: based on information provided by the Federal and 17 Regional SAs]

Though data breaches are more likely to garner the attention, there are far more complaints about other aspects of the regulation. Around half of the complaints relate to how data subject access requests were handled.

The increase in reports of data breaches in the first year is astounding, as is the rate at which cases are being processed: over 60% of cases are already closed, and only 0.1% of them have been appealed in national courts. Supervisory authorities, in other words, are working through their caseloads quickly.

This is a quick overview of what has happened since last May because of GDPR. Here is a report (pdf) with a more in-depth analysis of the first nine months of GDPR, published at the end of February.

[EDPB chart note: based on information provided by SAs from 27 EEA countries (case status information provided for 164,633 cases); Germany: based on information provided by the Federal and 11 Regional SAs]

With a year of experience with GDPR now under our belts, this is an excellent opportunity to review how your company handles personal data.

GDPR has many facets, and it is better to be safe than sorry. Now is a good time to inspect, test and confirm that the changes made to meet the regulation are fully in effect. At AppGlo, we make sure companies are compliant with every aspect of GDPR so there are no surprises later on.

Call us today for a free demo to ensure GDPR compliance, or simply to learn more about how GDPR affects your company.

Data Subject Access Requests. While working with various companies on their GDPR compliance, one thing that has become clear to me is that, while many people realize there are significant security and legal concerns, an oft-forgotten part of their preparations is making sure their people understand Data Subject Access Requests and know how to deal with them appropriately.

Just what exactly are these Data Subject Access Requests?

The definition of a valid access request is quite broad under the GDPR and is, in fact, broader than what the Data Protection Directive previously required. Unlike the Directive, the GDPR does not require that an access request be made in writing or contain any specific 'formal access request' language. When a request is received electronically, the information should be provided in a "commonly used electronic form" (think email) unless the data subject asks otherwise. Companies can no longer charge a fee for a request (at least an initial one, unless it is manifestly unfounded or excessive), and must respond without undue delay and in any event within one month, extendable by up to two further months where requests are complex or numerous, provided the data subject is told of the extension within the first month. The implication is that a request can arrive at any employee of your organization, through any channel. Controlling such a wide net can seem daunting, but it can be managed with some training for your customer-facing personnel.

What do I mean by 'Biggest Concern'?

Access request complaints currently top the list with EU Data Protection Authorities.

According to the UK Information Commissioner's Office (ICO) official statistics, the number one complaint received by its offices is the mishandling of data subject access requests. Several DPA offices report a significant increase in data subject access request complaints in the years leading up to GDPR, and many are predicting a massive jump after the May 25th deadline. According to the Irish DPA, access request concerns currently account for over 50% of all complaints, and by August 2017 the total number had already eclipsed that for all of 2016. Lack of preparation in organizations' ability to handle requests properly has been cited as a primary point of concern.

[Chart: access request complaints rising in coming months. Data Subject Access Requests Trending Up]

Data Subject complaints bring the wrong sort of attention.

A likely way for your company to get on the radar of a Data Protection Authority is to mishandle an access request. Unless you are Google or Facebook, you are unlikely to find yourself immediately at the center of the bullseye when regulators look to impose fines, but the more alarm bells you set off through complaints brought against you, the closer to the center of that target you are likely to move.

The headline fines of up to 4% of global annual turnover are getting a lot of attention, but EU member state authorities simply will not have the capacity to scan every company for non-compliance without help from the general public. Much as Mark Zuckerberg explained in his testimony that user flags are what trigger further investigation of inappropriate content, fumbling an access request and provoking a complaint is a sure way to draw unwanted attention from a Data Protection Authority.

There is strong advocacy for EU data subjects.

If you are simply hoping protected Data Subjects stay ignorant of their rights, you should know that there are many groups out there to help data subjects understand and exercise them, and that under the GDPR an individual can authorize a third party, for example a not-for-profit body under Article 80, to lodge complaints and exercise rights on their behalf.

People will become more familiar with their rights and with the process of pulling that lever to protect their data when needed. With each access request your company receives, GDPR also requires you to inform the Data Subject of their further rights (to rectification, erasure, restriction and objection, and to lodge a complaint) in case they are not already fully aware of them. Data Subject Access Requests, or DSARs, may be the most important aspect of GDPR preparation if you consider the exposure they represent in sheer numbers of opportunities for compliance problems to arise.

EU individuals actually have more than one avenue of recourse under the GDPR. The European Commission website shows a very simple flowchart with two paths, either of which you would rather a Data Subject never took against your company.

What do I mean by 'not enough people talking about this'?

Two thoughts: there are not enough industry experts weighing in, and not enough customer-facing employees (the ones who will actually receive these requests) fully understand the exposure GDPR access requests create and what should be done to prepare for compliance.

Industry professionals in executive, legal, security or IT roles would have had to be living under a rock not to hear at least the cry of alarm about the massive GDPR compliance penalties. Yet while there has been plenty of hand-wringing about the fines and the increased workload in security and legal paperwork, in many cases little of that concern is spilling over to other parts of the company that should also be involved: your sales, customer success, support and even HR teams. I'd not be surprised if many of the people who will likely be the ones receiving access requests could not even venture a guess at what the GDPR acronym stands for, let alone what it means for them in their role. This is a problem you don't want your organization to have.

While the new regulation certainly should concern the obvious parties, thinking through the logistics of a Data Subject Access Request should lead you to realize that there are some less obvious parties to involve, inform and instruct. If you are not fully confident that every front-line employee (think anybody who talks to customers) could recognize a DSAR on sight and respond appropriately, you have yet another thing to keep you up at night, and, left unresolved, it could be the first step toward raising the suspicions of a Data Protection Authority.

What is the best course of action for GDPR Access Requests?

A disciplined regimen of personnel training and process testing; then train and test again.

On security of processing, Article 32(1)(d) of the GDPR lists, among the technical and organisational measures a controller or processor shall implement as appropriate:

'...a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.'

The same approach can be used to strengthen your communications process and to ensure that no alarm bells ever go off along your longest exposed border with your data subjects (your customers, partners and employees). Straight from the UK Information Commissioner's Office:

'User testing is a good way to get feedback on how effective the delivery of your privacy information is.'

AppGlo can help you with your GDPR Compliance Assurance, process testing, and continuous improvement. Get in touch to find out how this will best fit the needs of your company.