Europe’s privacy protection rules to kick in on Friday
New directives enshrined in the General Data Protection Regulation aim to strengthen individual rights, will affect companies globally
Shoshanna Solomon was The Times of Israel's Startups and Business reporter
A New European Union regulation meant to ensure stronger privacy protection for its citizens will take effect on Friday, and will affect companies worldwide, including Israel, that are collecting, storing and analyzing data on web users.
The aim of the new rules, enshrined in the General Data Protection Regulation (GDPR), which were adopted by the EU in April 2016 and will go into force on May 25, 2018, is to strengthen and protect individual fundamental rights in data protection. The regulation was designed to put people in control of their personal data by allowing them greater rights, including the right to access the data and the right to delete it.
In addition, organizations will not be able to collect data without good reason, and they must also prove that they are doing their utmost to protect the data they have collected.
Personal data is any information pertaining to an individual, whether it relates to their private, professional or public life. It can be a name, photo, email address, bank details, posts on social networking websites, medical information, or even a computer’s IP address.
This data is often transferred and exchanged across companies and nations globally, with citizens often not having control over their data or knowledge regarding their rights.
As the world becomes more digitalized and the use of internet, social media and online transactions mount, websites are increasingly using information about users’ online activity — what they buy, what they eat and where they travel.
The recent Cambridge Analytica scandal over the mishandled Facebook user data has further underlined the need for governments to protect the data of citizens globally.
The new EU rules will affect all organizations, regardless of what country they are based in, that store or process personal data of European citizens.
“The GDPR is the most comprehensive privacy framework regulation that we’ve seen to date, with the highest statutory fines/penalties that a regulator is authorized to assess,” said attorney Adam Snukal of the technology and IP practice Greenberg Traurig in Israel, in an email interview. “The GDPR seeks to empower EU residents in the commercialization and use of their personal data by third parties, by requiring those companies seeking to process such personal data to not only be transparent in how such data will be used, but in seeking the unambiguous and affirmative consent of the EU-residents for such use.”
The breadth of the GDPR extends far beyond just the European Economic Area (EEA), to any company worldwide, including in Israel, that is collecting, storing or analyzing data, Snukal said.
Companies that do not align with the new rules can be fined up to 20 million euros ($23 million) or 4% of global annual turnover for the preceding financial year, whichever is greater.
The companies affected could be online stores that allow customers to pay in euros, ad campaigns that target Europeans, or companies that use cookies to track individuals online to create behavior profiles, including for the purpose of predicting the preferences of users. All these can potentially subject an organization to the GDPR.
The rules also give subjects the “right to be forgotten” — which entitles people to ask that their data be deleted if there are no legitimate grounds for retaining it. In the case of data breaches, such as a cyberattack, companies that have consumers’ data must notify the national supervisory authority as soon as possible, the new rules say.
Data controllers need to make sure they have technical and organizational measures in place to protect the rights of data subjects. The rules also require controllers to hold and process only the data absolutely necessary for the completion of their duties, and to limit access to that data to only those people who need it.
So, are Israeli companies GDPR-ready?
In terms of analyzing the GDPR readiness of the Israeli market, Snukal believes that “most of the large Israeli hi-tech multi-nationals (particularly, those that are public) took the GDPR mandate very seriously several months back and have been tirelessly working to be GDPR-ready by the 25th of May. That same trend, however, is noticeably different/absent among the small to medium size businesses (even those doing business in the EU) where the compliance numbers seem to be in the 30% range.”
How will GDPR influence Israeli companies?
GDPR classifies businesses into data controllers and data processors.
GDPR “most certainly” affects each Israeli company doing business in the EEA, Snukal said. “To the extent Israeli companies are collecting, storing, processing, the personal data of EU residents directly, they will be classified as ‘data controllers’ under the GDPR, and will be required to comply with those requirements.”
“Similarly, those Israeli companies that process EU-resident personal data on behalf of others will need to comply with the GDPR requirements for data processors.”
By way of example, he explained, an Israeli software company that sells software products to EU customers, or supports them, will likely be characterized as a processor, to the extent that it is providing maintenance or support services. But it could also be labeled as a controller, if it has a satellite office with employees somewhere in Europe, including the UK.
“Bottom line, Israeli companies doing business in the EU and processing data from EU residents will almost certainly fall within the web of the GDPR on some level,” Snukal said. “Accordingly, they must be sure to comply with the GDPR or potentially face the significant consequences of not doing so.”
For those that are not GDPR-ready, what should they do?
“This is not a simple question to answer considering companies had two years to get GDPR-ready,” Snukal said. “If a company is starting from square one, a day before the GDPR goes into effect, it should first focus on those elements of its business which are public-facing. Those include — mapping all of the different forms of personal data that was collected in the past and will be in the future, and understanding how the company processes such data; and mapping the various third parties (such as vendors, affiliates, etc.) that have or may have access to the personal data.”
These third parties should be locked up under data processing agreements, he said.
“Lastly, if a company is sitting on potentially tens of thousands (or more) of profiles of EU residents comprised of all different forms of personal data, the company must carefully analyze its options under the GDPR as to whether that data may be retained after May 25th or what steps the company will need to take in order to retain this data,” he said.
Israeli startup says it can help
MinerEye is an Israeli startup that uses artificial intelligence to essentially “babysit” all types of files and data in an organization. Employing advanced computer vision and machine learning technologies, the software tracks and protects the organization’s sensitive data, the company says on its website.
Using the software, enterprises can identify and track sensitive data anywhere within the organization or the cloud; it can continuously scan vast volumes of data, and is able to send out alerts when it identifies suspicious data behavior.
This kind of software is “critical” for compliance to GDPR and for companies that move data onto the cloud platforms of giants like Microsoft, Amazon, Google or IBM, the company said in an email.
MinerEye’s clients include financial services companies, software and cloud companies, government agencies and systems integrators worldwide. The firm recently raised $3 million in seed capital and is seeking additional investors.