The General Data Protection Regulation (GDPR) will come into full effect on 25 May 2018, introducing a single set of rules relating to the collection, storage and processing of personal data across the European Union (EU). Applying equally across all member states, the GDPR repeals the Data Protection Directive 95/46/EC (Directive). The Directive was implemented into member state laws by domestic legislation and was thus perceived as inconsistent across the EU.
Along with significantly increased penalties, the EU GDPR introduces more onerous compliance obligations. For instance, local regulators must be informed of personal data breaches without undue delay and, where feasible, within 72 hours. Where the personal data breach poses a high risk to the rights and freedoms of individuals, the data subject must also be informed without undue delay. Additionally, the definition of personal data is wider than that under the Directive (and as transposed into UK law by the Data Protection Act 1998).
The GDPR not only applies to organisations based in the EU but may also apply to any organisation, within or outside the EU, which processes the personal data of EU subjects in the course of targeting them with offers of goods or services, or where its processing of their personal data consists of monitoring their behaviour. The GDPR also introduces greater penalties for non-compliance than those currently in force. For example, failure to comply with GDPR provisions relating to the rights of the data subject, or those relating to transfer of personal data to third countries (those outside the EU) or international organisations, may attract penalties of up to €20m or 4 percent of the non-complying organisation’s total worldwide annual turnover.
Organisations must comply with the new legal framework
Given the massive ongoing changes in all things digital, there is clearly a technical and organisational challenge in complying with the legal framework on data protection in Europe. At the same time, millions of records of personal data are lost or stolen every year. Indeed, a UK government report found that two-thirds of large businesses experienced a cyber breach or attack in the last year. The GDPR provides an impetus for businesses to tackle these issues head-on.
Compliance with the GDPR poses a challenge to organisations
Regulatory compliance comes with a range of challenges. One of these is the necessity to report a personal data breach to a supervisory authority and the short timeframe allowed to do so. Additionally, there is the requirement to inform the data subject of the breach. This is a significant new requirement.
Three easy steps for a proactive approach
As the introduction of the GDPR draws steadily closer, organisations will need to consider the steps they must take to comply with it. For those only now addressing the challenge, there are some clear initial steps to take. Thinking about the implementation of these steps now can help avoid financial pitfalls in the future.
Understand your organisation’s personal data universe
Organisations should take steps to gain a clear understanding of their personal data universe: the categories of personal data they collect, how and from whom they collect it, where the data is stored, what they do with it, who does it, the reasons for doing it, how long they keep it and the reasons for keeping or discarding it and, critically, how far these practices meet the organisation’s forthcoming regulatory obligations under the GDPR and other legal requirements.
Planning and communication
Planning and communication is the essence of a successful information governance strategy. Getting the key players – typically IT, legal, compliance, business, sales and HR departments who deal with personal data – talking to each other and investing the time to build a data map (essentially a description of the organisation’s data types, technical infrastructure and storage solutions) is an essential second step.
It is not enough to adopt an irregular pattern of personal data monitoring. As an organisation’s personal data landscape is continually shifting, mapping that landscape is an ongoing requirement rather than a one-off exercise. A proactive and ongoing approach to information governance will ensure that corporations are ready to deal with future developments and shifts.
Privacy must become a core business programme
The introduction of the GDPR is expected to bring a significant increase in data protection enforcement across the EU. Privacy must now become a core business programme for organisations conducting business in the EU and planning for the challenges posed by the GDPR should start now. With the right preparation, an organisation will be able to reap the benefits of a strong regulatory framework which provides the incentive to develop technology and processes. Failure to plan heightens the risk of the organisation breaching the GDPR and suffering the consequences: substantial damage to finances and reputation.
Martin Bonney is director of international consulting services at Epiq Systems. He can be contacted on +44 (0) 20 7367 9148 or by email: firstname.lastname@example.org.
© Financier Worldwide