Next year’s enforcement of the EU’s new General Data Protection Regulation (GDPR) will place concerns for data privacy and IT security firmly at the top of the board and management’s agenda. The board and executive management will be held responsible, and regulatory breaches and non-compliance may cost the company dear.
If you are sitting there thinking ‘GDPR what?’ and wondering what it means for your organisation, then you are not alone. A survey by Symantec revealed that as many as 96 per cent of the respondents, all decision-makers from France, Germany and the UK, did not fully understand what the GDPR is and what it will entail.[1]
In this case, there’s not necessarily any consolation in being in the same boat as most European decision-makers. The legislation comes into force in May next year, so it’s important to be prepared in order to avoid the risk of huge fines – up to four per cent of gross turnover. Is your board properly prepared?
So, where to start? A good place to begin is by getting an overview of the issue – of what the EU’s new data privacy regulation involves and what is new in the GDPR. Here are a couple of things everyone should know:
What is the GDPR?
The General Data Protection Regulation is the new data privacy regulation for EU and EEA member states. The GDPR replaces the EU Data Protection Directive from 1995 and comes into force on 25 May 2018.
The existing legislation (the Data Protection Directive) is outdated in a number of areas and does not adequately cover how data is collected, stored and processed in our digital age. The GDPR is designed to close these gaps and strengthen the individual’s data privacy and control over the use of their data.
Unlike its predecessor, the GDPR is a regulation, not a directive, which means that the EU will now have a single common law and there will no longer be supplementary laws and special schemes in the individual countries. It will apply to any company, inside or outside the EU, handling EU citizen data.
What is changing with the GDPR?
The GDPR will lead to:
- An increased focus on data privacy – concern for data protection must be a built-in ‘default setting’ in systems and services
- A requirement for documented and intelligible consent and accompanying privacy policy – there must be no doubt about what is being consented to and its presentation must be appropriate for the target group: for example, if the service is aimed at children and young people, the provisions must be easily intelligible and accessible to this group
- An increased focus on risk and more stringent consequences for infringements of data privacy – including notification (within 72 hours) of a breach – to both supervisory authorities and data subjects who have been, or are believed to be, affected
- A requirement for many enterprises to appoint a dedicated data protection officer
- Huge fines for regulatory breaches
A breach of the GDPR could cost your company dear: fines of up to four per cent of gross turnover or €20 million. Various factors contribute to the level of the fine, including the degree of liability and repeated infringements. Which rules have been transgressed will also affect the level of the fine.
Board members risk being held personally responsible if they have not ensured that the enterprise has adequate measures and routines in place (and the measures must also be documentable).
What is personal data?
The GDPR defines rules for how personal data is collected, stored and processed. What does the term ‘personal data’ cover? The EU’s definition is that personal data means ‘any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly…’ [2]
Article 25 of the GDPR talks about ‘data protection by design and by default’ and establishes that data protection must be built into the functionality of systems. This has major implications for the entire business process, from planning and product development to actual business operations.
The GDPR requires that you have a privacy policy that is easy to understand and readily accessible. Among other things, this means that enterprises must:
- Have an overview of all personal data processing in their organisation
- Be able to document that they have obtained consent from their users
- Provide users with a list of their data and privacy settings
- Give users the right to be forgotten/deleted and to have their data transferred to other entities on request
- Assess the risk and privacy consequences of processing personal data
How to start the transition to built-in privacy?
Step one is that all companies must obtain an overview of how they use personal data today, and how they plan to use it in the future. It is also important to be aware that this is not a one-off exercise, but a permanent, long-term commitment. So, it’s important to instil good routines right from the start.
New role: data protection officer (DPO)
As a result of the GDPR, many enterprises will now need to appoint a data protection officer (DPO). These include:
- Public-sector organisations (with a few exceptions, such as the courts)
- Enterprises whose core activities involve regular and systematic monitoring of people on a large scale
- Enterprises whose core activities consist of processing sensitive personal data on a large scale, or personal data relating to criminal convictions and offences
Core activities can be defined as key functions for achieving the organisation’s objectives. These also include all activities where data processing is a central aspect of the data processor’s or the data controller’s work. For example, processing of health data, such as medical records, will be considered a core activity of a health enterprise and a DPO will therefore be required. Support services, such as IT support and a payroll register, are necessary for a company, but are normally considered supplementary functions and not core activities.
The GDPR does not define what ‘large scale’ entails, but Working Party 29, which acts as the EU’s advisory body for data protection, has issued guidelines showing what constitutes ‘large scale’. It includes the following factors:
- The number of persons registered, either as an exact number or as a proportion of a population
- The volume of data and/or the range of different data items being processed
- The duration or permanence of the processing
- The geographical extent of the processing
The DPO can be an employee of the organisation or an external resource employed under a service agreement. The GDPR requires that the DPO must be located within the EU, but in other respects the organisation itself may assess where best to locate the role. It is, however, important that the resource has comprehensive knowledge of privacy and applicable legislation. A law firm might, for example, act as a DPO for several companies under agreements with each individual company.
The DPO must have an independent role, with the primary remit of monitoring compliance with the GDPR. The DPO will advise and inform employees and management and be a point of contact between the data protection authorities and the enterprise. The DPO will report directly to executive management (and/or the board).
Some final advice for you
- Be sure to have good documentation of the considerations that have been made
- Conduct regular reviews based on technological and regulatory developments
- Choose appropriate suppliers and partners, and make sure that adequate agreements are in place. When using suppliers outside the EU, model clause agreements are recommended
- It is important to have good control of customer data: access control, routines, suppliers, etc.
- For organisations with offices in more than one EU/EEA country, determine which office will be the main establishment, and therefore which data protection authority will act as the lead supervisory authority
- Have a plan for how to handle data requests and how to deliver data back to the data subject in an accessible format