The EU’s General Data Protection Regulation (GDPR) becomes enforceable one year from now, on 25 May 2018. The new proposed EU e-Privacy Regulation is also intended to take effect at the same time, though the draft text remains controversial. Both pieces of legislation are in the form of a regulation, meaning they will be directly applicable across all EU Member States. In combination, they will have wide implications for businesses of all shapes and sizes.
The GDPR expands the data protection rights of individuals and imposes a wide range of additional obligations on businesses operating both in and outside the EU. In addition to companies that are established in the EU, the GDPR impacts any company offering goods or services to individuals in the EU that processes any EU personal data, or that uses external contractors to do so.
Many will be quick to point out the very steep maximum penalties for non-compliance: up to €20 million or 4% of annual worldwide turnover, whichever is greater. There is also the possibility of class actions, for example by not-for-profit organisations on behalf of aggrieved data subjects. In addition, individuals will now have the right to compensation not only from controllers (i.e. the person or business that directs the data to be processed) but also from processors (for example, the IT or payroll company that processes personal data as instructed on behalf of another company) for both financial and non-financial damages. There will indeed be heightened risks for businesses that are negligent in implementing the requirements that ensure reasonable GDPR compliance.
If businesses have not begun planning their GDPR compliance review, they should begin the process without further delay. One year is a very short timeframe in which to implement the wide range of changes that will be required in most cases. The first priority should be to carry out a gap analysis that identifies the highest-risk GDPR compliance deficiencies alongside the compliance steps that are likely to require the greatest amount of time and resources to implement.
Data mapping and creating the mandatory records of processing is time-consuming and can take several months. In some cases, an experienced data protection officer (DPO) – who is either a qualified member of staff or an external provider – must be appointed, and there are advantages to making the appointment sooner rather than later so that the DPO can assist in carrying out the company’s compliance process.
Because transparency and consent requirements are also more stringent under the GDPR, a review must be undertaken of existing information notices and consent documentation in order to ensure they are GDPR-compliant.
A thorough review of third-party service provider arrangements and possible renegotiation will also be necessary in order to ensure that the vendor agreements are compatible with the new GDPR requirements. Safeguards for international transfers may also need to be implemented and security measures reviewed and reinforced. Businesses are required to demonstrate compliance and to have implemented appropriate policies and procedures to ensure compliance with the GDPR and individuals’ rights.
Hence, companies will need to review and amend their existing governance framework and consider their processes, practices and policies for key data protection principles and requirements, including data minimisation, purpose specification, storage limits, privacy by design and by default.
UK-headquartered businesses should be aware that the Brexit vote changed little with regard to whether the UK would need to meet the more stringent data privacy standards introduced by the GDPR and, in all likelihood, by the e-Privacy Regulation. The UK will likely not leave the EU before the GDPR enters into force.
Moreover, as explained in an official statement of the UK Information Commissioner, any UK law would need to provide equivalent protection to that of the GDPR. That is because the UK should aim to meet the requirements for ‘adequacy’ so as to benefit from an official finding that any transfers of personal data from the EU to the UK are sufficiently protected, hence doing away with the need to implement additional safeguards for such transfers, like data transfer agreements.
Furthermore, many UK businesses will in any event be caught by the GDPR when offering goods or services to individuals in the EU. The exact way in which the GDPR will impact UK businesses is still unclear, as the Brexit vote and the subsequent snap election have meant that consultation on derogations (where Member States may derogate in some provisions from the GDPR) has been delayed.
Companies and trade bodies are raising their voices to ask for clarification as soon as possible. The Department for Culture, Media and Sport (DCMS) has, in fact, only just last week closed their consultation on derogations.
Despite the increased regulatory burden, there is a positive note for businesses facing GDPR compliance challenges that should not be overlooked. The fact of the matter is that taking the steps necessary to be GDPR compliant can add substantial value to a business.
For example, with data mapping, companies’ data operations and governance can become more effective and efficient. A greater understanding at Board level of how and where the organisation’s data systems and management are vulnerable can result in more secure systems that will mitigate cyber security risks. In addition, for manufacturers, the up-front incorporation of data privacy protections at the design stage can result in a marketing advantage and better returns on investment.
In addition, some of the required measures (such as the mandatory purging of personal data that is no longer needed for the purpose for which it was collected) may actually save money by reducing storage costs.
Increasingly, as customer confidence grows because of a business’s data privacy practices, so does its market edge. Viewed from this perspective, the GDPR may be the shot in the arm that businesses need to invest in cyber security and good data governance.
Sourced by Ann LaFrance, partner and co-chair of the Global Data Privacy & Cyber security Practice at Squire Patton Boggs, and Monika Kuschewsky, partner in the Global Data Privacy and Cybersecurity Practice at Squire Patton Boggs in Brussels