EU Data Protection Legislation – EU GDPR

Is your organisation ready for the new EU Data Protection Legislation?

The European Union’s General Data Protection Regulation (EU GDPR) is a very important piece of legislation that will come into effect on 25th May 2018. Currently, each European country has its own data protection laws, but these will be replaced by the new GDPR legislation, which will standardise compliance with one set of rules applying across all 28 member states.

The GDPR will introduce tougher fines for non-compliance and breaches (up to €20 million or four percent of worldwide revenue, whichever is higher), and gives individuals more control over what companies can do with their data.

This regulation affects businesses in the European Union as well as any organisation that markets to, or processes information of, EU data subjects.

How GDPR will impact your business

Below is a summary of the key changes proposed by the General Data Protection Regulation:

  • Personal data – The definition of personal data will become broader than under the existing Directive 95/46/EC. This brings more data into the regulated perimeter: it can now include genetic, medical, economic, cultural or social data. Organisations must identify which data held by them qualifies as personal, where it is physically stored and in what state (i.e. whether it is encrypted or anonymised).
  • Consent – Rules for obtaining valid consent to use personal data will change, in particular the personal data of a minor. Consent forms should be available and easily accessible, and the document should be laid out in simple terms. There is also a proposal that the consent have an expiry date. Silence or inactivity should not constitute consent.
  • Data protection officer – The appointment of a data protection officer (DPO) will be mandatory for companies with more than 250 employees, or if they process over 5,000 personal data records in any given year.
  • Privacy Impact Assessments – With the introduction of mandatory privacy risk impact assessments, data controllers are likely to have to conduct annual privacy risk assessments to analyse and minimise the risks to their data subjects. A risk-based approach must be adopted before undertaking higher-risk data processing activities.
  • Data Breach Notification – The introduction of data breach notification regulations and changes in liability will have a profound impact on the supply chain: processors will be required to alert and inform controllers immediately (or without undue delay) after a data breach. These changes place a greater emphasis on supply chain data security; regular supply chain reviews and audits will be required to ensure suppliers are fit for purpose under the new regulation. Another impact of this new regulation is that contracts being negotiated with suppliers will need to be future-proofed for the Regulation.
  • The right to be forgotten – This enables, for example, data subjects to request the removal, without delay, of personal data collected or shared by service providers.
  • An obligation to protect personal data across borders – Organisations should be aware of and take steps to mitigate the risk of transferring data to countries that are not part of the EU, or storing data on cloud platforms hosted in non-EU countries.
  • Data portability – This requires the ability to transfer personal data from one service provider, such as a supermarket loyalty card or social network, to another, via a copy of the personal data in a format usable by the data subject and electronically transmissible to another processing system. This is intended not only to increase consumer data protection rights but also to enhance competition among service providers.
  • Privacy by design – The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery, but from the inception of the product concept. This means that every new IT project should be taking GDPR into consideration now to avoid costly rework.

Read our Insights article for more information on the Impacts of the GDPR.

Using GDPR to gain a competitive advantage

Although GDPR is a mandatory government requirement, executed properly, it is a great opportunity to give your business a competitive advantage.

  • High quality data – In a world that revolves around data, the tighter controls you have on data gathering and easier opt-out processes for customers will help ensure that your data is of high quality, resulting in better informed decisions and higher conversion rates.
  • Engage the right audience – Sending endless marketing communications to an enormous database of customers only results in a small conversion rate but a high annoyance rating. Instead, it is better to send customised marketing messaging to individual customers based on their particular needs, resulting in a more engaged and receptive audience. Remember, targeted marketing is only as good as the data that you hold.
  • Trust and privacy – Trust builds reputation and can be easily lost when consumers discover you haven’t been completely honest about how you are using their information. Be transparent and give them confidence that you are looking after their financial and sensitive details; this leads to a higher customer retention rate and increased customer satisfaction.

How to prepare for GDPR

Many organisations still remain entirely unprepared. The legislation presents a range of compliance and operational challenges for businesses that require thorough planning and additional resources. As every organisation handles data differently, there is not a “one size fits all” GDPR project plan.

3gamma’s three step approach

Step 1: Raise Awareness – Inform the board and key stakeholders of how the GDPR will impact the business, highlight the significant fines for non-compliance, and explain that companies may be required to delete valuable data collected in breach of the GDPR. The board should assign an executive sponsor and establish a GDPR working group with the business function leads (HR, Marketing, Legal, Compliance, Sales…), and gain their co-operation towards reaching GDPR compliance.

Step 2: Conduct a readiness assessment for your organisation – There are a number of factors that will determine the amount of work required. A few areas to consider are:

  • Are you compliant with the existing data protection laws?
  • How much personal data does your organisation process and for what purpose?
  • Does any data fall into special categories (i.e. “sensitive personal data”)?
  • Are you a data processor or a data controller?
  • What policies and procedures do you already have in place?
  • How well documented are your existing data processing practices?
  • How straightforward are your data processing activities? For example, do you export personal data outside of the EU?

Step 3: Identify the next steps and areas requiring immediate attention – Your priorities will depend on the nature of your business and how you process personal data. For example, you should consider implementing “privacy by design” if you are developing a new product or service that processes personal data; or ensure that any third party data processors are GDPR compliant if the contracts extend beyond the 25th May 2018.

3gamma can help your organisation understand what is required to comply with the GDPR and deliver the support to manage the transition.

We recommend engaging skilled resources who can navigate the current minefield and steer the enterprise through this extensive piece of new legislation.

At 3gamma we have strong data protection and ISMS expertise that can help organisations effectively prepare for the EU GDPR, without recruiting extra headcount or appointing someone in-house who may not be sufficiently trained and skilled.

What Brexit means for data protection laws in the UK

Now that the Brexit dust has settled, it is clear GDPR will still come into force as planned while the country remains in the EU, so UK businesses will still need to comply with the legislation. The British government has confirmed that in the long term the UK will adopt GDPR or maintain similar legislation so that it can continue to trade with countries within the EU. Therefore, UK organisations ignore GDPR compliance at their peril.