It cannot have escaped your attention that data is hot news – and you are likely to have heard about the GDPR (General Data Protection Regulation): a new law that will revamp the way the collection and use of personal data is regulated which will come into force next May. Although emanating from the EU, it will affect companies and organisations of all shapes and sizes around the world.
From the date the final text was released last year, the majority of press and commentary on the GDPR has been, well, scaremongering to say the least. This article highlights the positives – and the potential opportunities – that this new regulation could in fact present.
Simplification – organisations will no longer be required to register with a data protection authority in each Member State in which they are established, a mere formality that has become not much more than that and simply added to the administrative burden of doing cross-border business. Instead, organisations will only have to interact with the data protection authority in the Member State they select as their state of main establishment.
>See also: GDPR: What do you need to know?
Consistency – through its very nature of being a regulation (i.e. directly applicable in all Member States) instead of a directive (i.e. Member States have flexibility when incorporating the law into their own national laws), the plan is that the principles underpinning the GDPR will be applied and enforced consistently throughout the EU.
The not so bad
Harmonisation – given that the EU consists of 28 Member States (ignoring Brexit for now), the idea of harmonisation across all Member States is clearly attractive and the level of standardisation that the GDPR is intended to provide will, in theory, allow organisations to follow one set of rules no matter where they are based.
It is, nevertheless, true that in practice there may still be a few “local differences”, such as processing in the context of employment, which will still be regulated at individual Member State level, either by local law and/or collective bargaining agreements. The extent to which this will impact businesses remains to be seen.
Cross-Border data transfers – a whole article could be written on the ups and downs of international cross-border transfer over the past 18 months. With respect to the GDPR, it is generally good news.
>See also: Change is coming: the GDPR storm
First, binding corporate rules and codes of conduct are finally expressly confirmed as valid methods of legitimising otherwise prohibited transfers of personal data outside the EEA. There is also the availability of legitimate interests as a basis for smaller, ad hoc data transfers.
Sanctions – yes, they have significantly increased, but in a glass half-full sort of way, this means (i) it is even more important to get compliance right; and (ii) their scale (the greater of up to 4% of global annual turnover or 20 million euros) means the GDPR is board-worthy material. We suggest organisations take advantage of this to get ideas in front of key decision makers as soon as possible.
Clean house – the GDPR will require a review of data handling and processing procedures; this presents a great opportunity to review and map your data flows – and restructure them not only for compliance, but also for business efficiency.
Clarification – the GDPR has gone some way to clarifying certain key concepts such as anonymisation and pseudonymisation. The GDPR confirms that the principles of data protection do not apply to anonymous information (i.e. information that does not relate to an identified or identifiable natural person or to personal data that does not identify an individual).
Pseudonymisation (which means processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information (such as a code or a token)) is encouraged by the GDPR and categorised as an “appropriate safeguard” (along with encryption) for processing personal data.
Innovation – for organisations willing to think outside the box, relatively new concepts such as privacy by design, profiling and data portability present the opportunity not only to innovate, but also to build customer trust and confidence and therefore ultimately drive sales.
Further, organisations capable of taking advantage of pseudonymisation, encryption or even better, anonymising personal data will be able to reduce their risk of non-compliance.
Today, data is often the most valuable asset that a company holds and the same is true of individuals; the GDPR recognises this and is attempting to bring the law up to date with the real world as far as possible: organisations and individuals should embrace this effort.
So, in a nutshell, the GDPR means:
• A reduced regulatory/compliance burden for companies not undertaking risky processing, companies that employ appropriate safeguards and an increased clarity of the obligations on all companies.
>See also: What are US companies’ view on GDPR?
• An opportunity for companies to take control of their own compliance, rather than register with the applicable data protection authorities.
• Hugely increased penalties BUT if you are doing it right and in accordance with the law, these won’t affect you.