General Data Protection Regulation – how to prepare your business
February 2017 | PROFESSIONAL INSIGHT | DATA PRIVACY
Financier Worldwide Magazine
The new General Data Protection Regulation (GDPR), adopted in April 2016, will unify the different European data protection laws into one single law.
This means that businesses will benefit from the consistency of one law across the European Union (EU) and the United Kingdom. The UK has recently announced that it will enforce the GDPR in May 2018, regardless of Brexit.
This triggers the need for significant work by UK businesses ahead of implementation. They will need to build new measures around the way they collect, store and handle data.
In terms of relevance, the GDPR will apply to both data controllers and processors. The data controller determines the reason for the use of data and the data processor handles the actual processing of data. The new regulation will also apply to any organisation in the world that handles the personal data of EU citizens.
Many businesses will require logistical restructuring and internal tweaks. However, the regulation will also introduce some additional benefits. For starters, it will put EU businesses on a level playing field with the rest of the world. Also, businesses will only have to deal with a single supervisory authority, rather than a different one in each member state. This makes the regulatory process simpler and less expensive to implement.
So how are businesses preparing for the new regulation? According to the 2016 State of the European Data Privacy Survey from Symantec, 96 percent of businesses in the UK, Germany and France are underprepared for the GDPR, even with the regulation not coming into effect until May 2018.
The need for compliance should not be underestimated, however, with new fines of €20m or up to 4 percent of global annual turnover, whichever is greater.
In fact, according to a KPMG Global privacy advisory lead, the GDPR is a revolution which will transform the scale, scope and complexity of personal information processed, with personal information being a core component of everything we do. Given the fact that breach rates continue to rise year on year, it is vital to evaluate how the GDPR will affect your business.
GDPR will bring about some fundamental changes businesses will need to consider. Firstly, any data processing conducted by a business will require a legal basis, which would need to be demonstrated to the data subject. The concept of transparency and fairness is emphasised heavily in the new regulation. A data processor will also need to ensure that their data subjects have access to the data being used and that it is deleted once the purpose of processing comes to an end. There should be a clear procedure that allows erasure where the individual withdraws consent, for example.
Also, any business that suffers a data breach is under an obligation to notify persons affected as soon as feasible and the data protection authority in that country within 72 hours of becoming aware of it. Failure to meet the deadline will result in a possible fine of up to €10m or 2 percent of annual turnover, whichever is greater.
For larger organisations it may be necessary to appoint a data protection officer to handle the increase in governance and execute compliance, particularly if the data being processed is sensitive information, as defined by the GDPR.
In addition to these considerations, businesses should seek the opinion of a specialised data protection lawyer to ascertain whether they are susceptible to undesired breaches.
A legal expert can assist with carrying out a full data protection audit, which will highlight any gaps under the GDPR. This can act as a safety net against a loss of customers due to an exhausted sense of trust in a business’ security over personal data.
Even though the GDPR serves as a positive development in how an individual’s data is handled, organisations need to act, and should allocate time and a budget toward compliance.
Richard Penfold is a partner and Tuli Torn-Hibler is a trainee solicitor at JAG Shaw Baker. Mr Penfold can be contacted on +44 (0)20 3598 3070 or by email: email@example.com. Ms Torn-Hibler can be contacted on +44 (0)20 3598 3070 or by email: firstname.lastname@example.org.