The aim of the new European Data Protection Regulation is to harmonise the current data protection laws in place across the EU member states. The fact that it is a “regulation” instead of a “directive” means it will be directly applicable to all EU member states without a need for nationally implemented legislation.
GDPR replaces and supersedes the existing Directive 95/46/EC of the European Parliament. It enhances the level of data protection for individuals whose personal data is processed, and increases business opportunities in the digital single market, including through a reduced administrative burden, by restoring consumer confidence in online services and harmonising the fragmented laws and regulation in the EU today.
The regulation is likely to enter into force in spring 2018, following endorsement of the texts in the trilogues on 17 December 2015. After a legal-linguistic review, the texts will be submitted for adoption by the Council and, subsequently, by the European Parliament.
As with current data protection law, the GDPR will be regulated and enforced by national data protection authorities, for example the ICO in the UK or the DPA in Sweden.
GDPR will likely affect any business operating within the EU, especially data-intensive businesses
The regulation will be directly effective without the need for any action on the part of the 27 member states, and it will be enforceable by law. In effect, the GDPR is likely to affect any business that operates from within the EU, does business with organisations within the EU, or stores its data in EU member countries.
However, despite this huge impact on almost all European enterprises, a 2015 Ipswitch survey of 316 European organisations found that more than half (56%) of respondents could not accurately identify what ‘GDPR’ stands for. Over half (52%) admitted they were not ready for GDPR, and over a third (35%) acknowledged they were not confident their IT policies and processes would be compliant.
Despite this lack of awareness of the regulatory change, when asked about priorities for 2015, only 13% said they planned to spend more time understanding and preparing for the regulation. A quarter (26%) said they wanted to spend more time reviewing and tightening security policies, and a further quarter (26%) said they wanted to spend less time on manual reporting and auditing.
In addition to testing the readiness of IT professionals, the survey also revealed that very little thought has been given to whether an organisation’s cloud service provider (CSP) is ready for the change. Although 79% of those surveyed retained the services of a CSP, only 6% of them said that they had thought to ask them whether they were ready for the GDPR.
Non-compliance with the GDPR will have severe consequences. It is currently cited that there will be penalties of up to €20 million or 4% of worldwide turnover for organisations in breach of its rules. This far exceeds most local data protection penalties currently in force in member countries and could make or break many organisations in the EU.
GDPR will impact organisations, processes and technology and force companies to revisit their approach to personal data
Below is a summary of the key changes proposed by the General Data Protection Regulation:
- Personal data
The definition of personal data will be broader than under the existing Directive 95/46/EC, bringing more data into the regulated perimeter: it can now include genetic, medical, economic, cultural or social data. Organisations must identify which of the data they hold qualifies as personal, where it is physically stored and in what state, i.e. whether it is encrypted or anonymised.
The rules for obtaining valid consent to use personal data will change, in particular for the personal data of a minor. Consent forms should be available and easily accessible, and the document should be laid out in simple terms. There is also a proposal that consent should have an expiry date. Silence or inactivity should not constitute consent.
- Data protection officer
The appointment of a data protection officer (DPO) will be mandatory for companies with more than 250 employees, or for companies that process over 5,000 personal data records in any given year.
- Privacy Impact Assessments
With the introduction of mandatory privacy risk impact assessments, data controllers are likely to have to conduct annual privacy risk assessments to analyse and minimise the risks to their data subjects. A risk-based approach must be adopted before undertaking higher-risk data processing activities.
- Data Breach Notification
The introduction of data breach notification rules and the changes in liability will have a profound impact on the supply chain: processors will be required to alert and inform controllers immediately (or without undue delay) after a data breach. These changes place greater emphasis on supply chain data security, and regular supply chain reviews and audits will be required to ensure suppliers are fit for purpose under the new regulation. A further impact is that contracts being negotiated with suppliers will need to be future-proofed for the Regulation.
- The right to be forgotten
This enables, for example, data subjects to request the removal, without delay, of personal data collected or shared by service providers.
- An obligation to protect personal data across borders
Organisations should be aware of and take steps to mitigate the risk of transferring data to countries that are not part of the EU, or storing data on cloud platforms hosted in non-EU countries.
- Data portability
Data subjects will be able to transfer their personal data from one service provider, such as a supermarket loyalty card or social network, to another, by obtaining a copy of their personal data in a format usable by the data subject and electronically transmissible to another processing system. This is intended not only to increase consumer data protection rights but also to enhance competition among service providers.
- Privacy by design
The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery, but from the inception of the product concept. This means that every new IT project should be taking GDPR into consideration now to avoid costly rework.
Compliance is mandated by law and companies can apply for an EU seal of approval
Organisations will need to analyse how they collect, process and store data. However, they will first need to consider who within the organisation is responsible for ensuring compliance.
- Appoint a data protection officer
The regulation will require a data protection officer to be appointed within most organisations. While some larger corporations already have someone appointed to this role, small and medium enterprises generally don’t. For many businesses, it may well make sense to outsource this to consultants.
- Research how the GDPR applies to your business
There are resources available to help a data protection officer understand and plan for the GDPR. For example, the ICO website provides guidance for organisations on data protection and on privacy and electronic communications.
- Benchmark compliance
There are practical steps that can be taken before the legislation is passed to ensure that the policies, procedures and technologies run by organisations are up to the job of complying with the GDPR. First, however, the DPO will need a good understanding of how their organisation would rate for compliance. Conducting a Privacy Impact Assessment (PIA) is a good method of gathering the information needed to understand the current privacy risk exposure and the steps required for implementing sound privacy policies and practices, managing privacy risk and obtaining privacy assurance. The PIA document should act as a Terms of Reference that outlines the strategy and approach and recommends policy for privacy compliance.
Existing contracts with data processors and CSPs also need reviewing. Organisations need to know exactly where their cloud data is hosted and understand how it is backed up and encrypted.
- Make policies and embark on change
Once a clear perspective of the implications of the GDPR has been achieved, the next step towards compliance is policy. Buy-in must come from the very top of the organisation. All current policies that touch data will need to be updated, and the necessary changes made within the business to ensure compliance. This is likely to impact every department, from IT, operations and HR through to finance and sales.
- Get the EU seal of approval and constantly review
Once confident in their systems and procedures, organisations will be able to apply for an audit which, if successful, will lead to the issuing of an EU Data Protection Seal, a five-year certification of their processes.
While there is still much uncertainty around the detail of certain proposals and how they will be implemented in practice, businesses able to adopt the GDPR requirements quickly will avoid costly fines and reputational risk, and ultimately reap the benefits. Companies need to assess their GDPR compliance early and take urgent steps to rectify any shortfalls, as the actions required may be extensive and wide-ranging, depending on the nature of the business. The specialist skills required to manage compliance and conduct the mandatory privacy risk impact assessments are currently in high demand, and will become scarcer and more expensive as the deadline looms.
For more info on the topic, please contact: