GDPR, IBM Notes and Me

Much ado about nothing?

You’ve probably heard a lot in the press recently about GDPR, and you may well have dismissed it as irrelevant, especially if you are based outside the EU. If your organization does not hold information on residents of EU countries, then you are probably right, but if there’s a chance that you do, then it’s worth giving this issue a few minutes of your time.

So what’s all the fuss about? Data protection legislation has been in effect in Europe for years, in fact the so-called Data Protection Directive was adopted in 1995. But it’s the adoption of the General Data Protection Regulation (aka GDPR) that’s caused this most recent stir.

Should you be concerned about it? This article attempts to break down in simple terms the key changes and how they may impact on you as an IBM Notes professional. GDPR is a bandwagon that a lot of consultants have jumped on, but the general principles are not that hard to understand.

Key changes

There are 8 key areas in the legislation where changes are being made:

  1. Increased geographical scope
    • Previously, territorial applicability of the directive was ambiguous - now it has been made clear that the legislation applies to all companies, regardless of location, that process the personal data of data subjects (i.e. people) residing in the EU.
  2. Penalities
    • Organizations in breach of GDPR can now be fined up to 4% of global turnover or 20m euros, whichever is greater
  3. Consent
    • Consent to hold and process personal data must be clear and must be recorded. The onus is now on the company to prove consent has been given by the individual.
  4. Right to access
    • People will now have the right to obtain confirmation as to whether their information is being processed, where and for what purpose.
  5. Right to be forgotten
    • Related to the right to access, people will have the right to have their personal data erased.
  6. Privacy by design
    • This is the concept that data protection is built into a system from the beginning, rather than being added on later. It also includes the requirement to hold the minimum necessary personal data, as well as restricting data access to just those people who need it.
  7. Data Protection Officers
    • There are new rules surrounding who is appointed as data protection officer, their knowledge and background and the fact that they must report to the highest level of management.
  8. Breach notification
    • Any data breach must be notified to data subjects with 72 hours.

To be clear, “personal data” means any piece of data that could identify a data subject. It could be as simple as a name or email address. The GDPR was approved and adopted by the EU parliament in April 2016, and will come into force on 25th May, 2018.

If you’re wondering how Brexit will impact on all this, then you’re in good company. If the data subjects whose data you hold are only in the UK, then the position post-Brexit (like many aspects of Brexit) is currently unclear. However, GDPR will be in force for UK data subjects between May 2018 and whenever Brexit happens, which is currently scheduled for 29th March 2019. After that date, the expectation is that Britain’s data protection laws will be similar, if not identical to the GDPR - in fact, in the Queen’s speech in June 2017, the UK government confirmed its intention to bring the GDPR into UK law.

How does this impact me?

As an IBM Notes/Domino professional, if you are outside the EU and your company stores or processes the personal data of EU citizens, then even although you may not have paid much attention to EU data protection law, you need to now.

The nature of Notes/Domino applications is that data can be shotgunned across the organization with very little corporate knowledge of what databases are out there, who has access to them, and what data they contain. If that sounds like you, it would be a good idea to start auditing your environment so that you understand:

  • What databases are on your servers
  • What data is held in them
  • Who has access to what data

Keep in mind that EU citizens will have the right to

  • know whether you hold their personal data
  • demand that you prove you have their consent to hold that personal data
  • know what information you hold on them, who has access to it, and what you use it for
  • demand that you erase all their personal data

It might be worth thinking through whether you could comply with all of those rights, if needed.

Where should I start?

Getting a clear picture of your Notes/Domino application landscape can be quite a challenge, but is a great place to start to understand how this legislation might impact on you. Teamstudio Adviser can help you get a much better handle on what applications you have, what data is in them and who has access to what.

If you know where your personal data lives and just need to get it out of Notes into a format that's easier to manipulate (XML, for example), then you should take a look at Teamstudio Export.

If you just want to chat with us about this or, well, anything really, click below.