Impacts of the General Data Protection Regulation: Why starting now is essential to reach compliance

Assurance & Compliance

The European General Data Protection Regulation (GDPR) represents the most significant change to data protection in the EU since 1995. Once adopted in 2018, it will have the force of law across all 27 EU states, giving uniformity of data protection laws across all member states and significantly increasing penalties for non-compliance. GDPR is likely to significantly affect data-intensive IT organisations and force business and IT to review their current practices across governance, control, organisation, processes, sourcing and technology. The existing level of understanding and knowledge is low, so to ensure compliance it is imperative to get moving.

The aim of the new European Data Protection Regulation is to harmonise the current data protection laws in place across the EU member states. The fact that it is a “regulation” instead of a “directive” means it will be directly applicable to all EU member states without a need for nationally implemented legislation.

GDPR replaces and supersedes the existing Directive 95/46/EC of the European Parliament, enhancing the level of data protection for individuals whose personal data is processed, and increasing business opportunities in the digital single market including through reduced administrative burden by restoring consumer confidence in online services and harmonising the fragmented laws and regulation in the EU today.

The regulation is likely to enter into force in spring 2018 following an endorsement of the texts in the trilogues on 17 December 2015, which, after a legal-linguistic review of the texts, will be submitted for adoption by the Council and, subsequently, by the European Parliament.

As with current data protection law, the GDPR will be regulated and enforced by national data protection authorities, for example the ICO in the UK or the DPA in Sweden.

GDPR will likely affect any business operating within the EU, especially data-intensive businesses

The regulation will be directly effective without the need for any action on the part of the 27 member states, and it will be enforceable by law. In effect, the GDPR is likely to affect any business that operates from within the EU, does business with organisations within the EU, or stores its data in EU member countries.

However, despite this huge impact to almost all European enterprises, according to a 2015 Ipswitch survey of 316 European organisations, more than half (56%) of respondents could not accurately identify what ‘GDPR’ stands for. Over half (52%) admitted they were not ready for GDPR, and over a third (35%) acknowledged they were not confident their IT policies and process would be compliant.

Even with the lack of awareness of regulatory change, when asked about priorities for 2015, only 13% said they planned to spend more time understanding and preparing for the regulation. A quarter (26%) said they wanted to spend more time reviewing and tightening security policies and a further quarter (26%) said they wanted to be able to spend less time on manual reporting and auditing.

In addition to testing the readiness of IT professionals, the survey also revealed that very little thought has been given to whether an organisation’s cloud service provider (CSP) is ready for the change. Although 79% of those surveyed retained the services of a CSP, only 6% of them said that they had thought to ask them whether they were ready for the GDPR.

Non-compliance with the GDPR will have severe consequences. It is currently cited that there will be penalties of up to €20 million or 4% of worldwide turnover for organisations in breach of its rules. This far exceeds most local data protection penalties in member countries currently and could be the difference between make and break for many organisations in the EU.

GDPR will impact organisation, processes and technology and force companies to revisit their approach to personal data

Below is a summary of the key changes proposed by the General Data Protection Regulation:

  • Personal data
    The definition of personal data will become broader than under the existing Directive 95/46/EC, bringing more data into the regulated perimeter: it can now include genetic, medical, economic, cultural or social data. Organisations must identify which data held by them qualifies as personal, where it is physically stored and in what state, i.e. whether it is encrypted or anonymised.
  • Consent
    Rules for obtaining valid consent to use personal data will change, in particular the personal data of a minor. Consent forms should be available and easily accessible, and the document should be laid out in simple terms. There is also a proposal that the consent have an expiry date. Silence or inactivity should not constitute consent.
  • Data protection officer
    The appointment of a data protection officer (DPO) will be mandatory for companies with more than 250 employees, or for companies that process over 5,000 personal data records in any given year.
  • Privacy Impact Assessments
    With the introduction of mandatory privacy risk impact assessments, data controllers are likely to have to conduct annual privacy risk assessments to analyse and minimise the risks to their data subjects. A risk-based approach must be adopted before undertaking higher-risk data processing activities.
  • Data Breach Notification
    The introduction of data breach notification regulations and changes in liability will have a profound impact on the supply chain: processors will be required to alert and inform controllers immediately (or without undue delay) after a data breach. These changes place a greater emphasis on supply chain data security, and regular supply chain reviews and audits will be required to ensure they are fit for purpose under the new regulation. Another impact of this new regulation is that contracts being negotiated with suppliers will need to be future-proofed for the Regulation.
  • The right to be forgotten
    This enables, for example, data subjects to request the removal, without delay, of personal data collected or shared by service providers.
  • An obligation to protect personal data across borders
    Organisations should be aware of and take steps to mitigate the risk of transferring data to countries that are not part of the EU, or storing data on cloud platforms hosted in non-EU countries.
  • Data portability
    This requires the ability to transfer personal data from one service provider, such as a supermarket loyalty card or social network, to another, via a copy of the personal data in a format usable by the data subject and electronically transmissible to another processing system. This is intended not only to increase consumer data protection rights but also to enhance competition among service providers.
  • Privacy by design
    The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery, but from the inception of the product concept. This means that every new IT project should be taking GDPR into consideration now to avoid costly rework.

Compliance is mandated by law and companies can apply for an EU seal of approval

Organisations will need to analyse how they collect, process and store data. However they will first need to consider who within the organisation is responsible for ensuring compliance.

  1. Appoint a data protection officer
    The regulation will require a data protection officer to be appointed within most organisations. While some larger corporations already have someone appointed to this role, small and medium enterprises generally don’t. For many businesses, it may well make sense to outsource this to consultants.
  2. Research how the GDPR applies to your business
    There are resources available to help a data protection officer understand and plan for the GDPR. For example, the ICO website details data protection and privacy and electronic communications guidance for organisations.
  3. Benchmark compliance
    There are practical steps that can be taken before the legislation is passed to ensure that the policies, procedures and technologies run by organisations are up to the job of complying with the GDPR. However, first the DPO will need a good understanding of how their organisation would rate for compliance. Conducting a Privacy Impact Assessment is a good method of gathering the information needed to understand the current privacy risk exposure, and the steps required for implementing sound privacy policies and practices, managing privacy risk, and obtaining privacy assurance. The PIA document should act as a Terms of Reference to outline the strategy, approach and recommended policy for privacy compliance.
    Existing contracts with data processors and CSPs need reviewing also. Organisations need to know exactly where their cloud data is hosted and understand how it is backed up and encrypted.
  4. Make policies and embark on change
    Once a clear perspective of the implications of the GDPR is achieved, the next step towards compliance is through policy. Buy-in must come from the very top of an organisation. All current policies that touch data will need to be updated, and the necessary changes made within the business to ensure compliance. This is likely to impact every department from IT, operations and HR through to finance and sales.
    For instance, not only do organisations need to put in place a clear privacy policy to be provided to anyone they hold data on, but they also need to be able to provide them with a copy of their personal data in a format that can be easily electronically transmitted. Organisations will also need the capability to delete all customer data on request under the ‘right to be forgotten’.
  5. Get the EU seal of approval and constantly review
    Once confident in their systems and procedures, organisations will be able to apply for an audit which, if successful, will lead to the issuing of an EU Data Protection Seal, a five-year certification of their processes. The GDPR will be regulated and enforced by national data protection authorities, for example the ICO in the UK.

While there is still much uncertainty around the detail of certain proposals, and how they will be implemented in practice, businesses able to adopt the GDPR regulations quickly will avoid the costly fines and reputational risk, and ultimately reap the benefits. Companies need to assess their GDPR compliance early and take urgent steps to rectify any shortfalls, as the actions required may be extensive and wide-ranging, depending on the nature of the business. The specialist skills required to manage the compliance and conduct mandatory privacy risk impact assessments are currently in high demand, and will become scarcer and more expensive as the deadline looms.

About the author

Guy Cullom is a project consultant at 3gamma with 20 years project management experience in the airline and IT industries. His passion and commitment to project excellence combined with a flair for communication have established him as a key mentor of project best practice, helping to deliver 3gamma’s ‘Great Business Deserves Great IT’.
