GDPR: One Year Later
Jeanette Gass and Sean Bagshaw, OSA Staff
On 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) came into effect. Through this path-breaking legislation, the EU sought to add a layer of privacy and data protection to a wide range of internet users. And OSA—along with a wide range of other organizations—faced a scramble to meet the demands of the sweeping new GDPR rules.
So how has the effort gone—and where do things stand now? To find out, OSA’s Jeanette Gass talked with Sean Bagshaw, the society’s Chief Operating Officer/Chief Information Officer, who leads the team charged with GDPR compliance.
Sean, why is this such an important thing for OSA?
Bagshaw: Well, OSA is a global organization. We have a large number of members and customers in the EU, and that gives us a responsibility to follow EU regulations, including GDPR. And we were committed to do that.
The rules themselves—what are they about?
Basically, these rules require businesses to protect the personal data and privacy of individuals located in the EU when collecting, processing and storing their personal information.
That sounds like a heavy lift for any organization that has a big, diverse customer list in Europe—as I know OSA does. What changes has OSA made to comply?
We actually started assessing and planning to implement GDPR years ahead of the deadline, in 2015. OSA conducted an audit of all of its systems, with a focus on the collection, processing and storage of personal data. We also worked with an outside law firm that specialized in GDPR to nail down the requirements.
And we took action—to minimize the collection and use of personal data; to change our systems to record consent where appropriate; to update and communicate new privacy policies across our digital properties; and to begin the process of updating our vendor contracts to including GDPR-compliant “Data Processing Addendums.” It was indeed a heavy lift!
That’s all about the mechanics. What about the corporate culture?
That’s key too, of course. OSA started by educating all staff on what GDPR is, why it’s important for our members and customers, and the changes our organization needed make to be compliant. As part of the process, we implemented new processes and systems for collecting and using data, consent tracking and compliance.
As I understand it, GDPR gives organizations certain privileges for processing data if there’s a “legitimate business interest.” How does one even define that? And how does OSA make sure its practices are aligned with GDPR standards?
The GDPR actually provides for six legal bases for processing personal data: if the individual has given consent; to fulfill contractual obligations with the individual; to comply with legal obligations; to protect the individual’s vital interests; to perform a public task or act of official authority; and for the “legitimate interests of the data controller.” Most of OSA’s use of personal data would, in reality, fall under the first of those legal bases—that is, the user has provided consent to OSA for the use of the personal data or contractual obligations to fulfil products or services (membership, meetings, publishing activities, etc.).
At a high level, the “legitimate business interest” basis is the least defined, as you suggest—and so it offers the most flexibility. From the GDPR’s point of view, legitimate business interest must be defined as providing a clear benefit, must have limited privacy impact to the individual, and the individual must have reasonably expected OSA to use the data in the way defined.
So it’s very important that we don’t treat this as a catch-all—it has to be carefully considered for each activity.
[Image: Getty Images]
We’ve talked a lot about setting up the system. But monitoring compliance must be a challenge, especially as new processes or ventures are developed.
Yes—to handle that, OSA’s legal and IT departments review all contracts as appropriate to ensure that vendors processing personal data on behalf of OSA maintain adequate system protections, and are in full compliance with GDPR regulations. Our legal department also monitors developments related to the GDPR itself, other regulations or laws introduced globally, and related regulations such as the EU’s Directive on Privacy and Electronic Communications, or “ePrivacy Directive.”
OSA is clearly doing a lot here. But any shortfalls in compliance, even by third parties, would seem to pose risks to the society’s reputation. How does OSA mitigate that risk?
By holding tight to the spirit of the rules—that is, by truly respecting the privacy of our members and community, and honoring individual directives as defined by GDPR or other similar regulations. This happens through staff awareness, training, enforcement of OSA’s internal policies for data use, and requiring all vendors who process personal data on OSA’s behalf to maintain adequate system protections and fully comply with GDPR regulations.
Looking ahead, what’s the future for the GDPR, and for data privacy more generally?
The EU set a high bar for data privacy with the GDPR. Many countries around the world are modeling their own privacy standards at least in part around GDPR. With data breaches and inappropriate use of personal data in new cycles over the last few years, we’ve all become a lot more aware of data privacy, and of the need to take steps to protect our data. So in the long term, I’d expect to see more regulations globally to protect personally identifiable data.