27 June 2017 by Simon Osborne
GDPR is an opportunity to regain public confidence, says Simon Osborne
With less than a year to go until the General Data Protection Regulation (GDPR) comes into effect, all companies should have assessed what they need to do and should already be working on it. If not, now is the time to get started as hefty fines loom for non-compliance. More importantly perhaps, the most significant change in data privacy regulation in 20 years offers organisations an unparalleled opportunity to regain confidence and trust.
At the heart of the EU’s attempt to harmonise data privacy laws across Europe is the desire to protect and empower EU citizens’ data privacy and to reshape the way organisations approach data privacy. With the corporate world suffering from a tarnished image in many other respects, putting data governance front and centre in terms of ensuring good data-protection practice may be one way in which companies can regain a measure of trust from the people whose data they hold.
In today’s interconnected world, there is no such thing as an ivory tower and GDPR’s increased territorial scope makes this abundantly clear. Every time someone shops online, opens a bank account, or sets up a social networking profile, personal information is handed over that requires protection.
Even when countries sit outside the EU, GDPR’s jurisdictional rules will apply when goods or services are offered to people in the EU. This means that any country wishing to share data with EU member states or wishing to handle EU citizens’ data will need to demonstrate an adequate level of data protection when GDPR takes effect on 25 May 2018. Also, non-EU businesses processing the data of EU citizens will have to appoint a representative in the EU.
Major changes are required to the way companies treat people’s personal data. First and foremost, there will be tighter rules for consent. Companies will need to gain explicit consent from customers before processing their personal data. Consent can be withdrawn at any time and companies must inform customers that they have the right to be forgotten or to restrict their data. Users have the right to access their data within one month, which is expected to lead to complex system changes.
Fines will be tiered: for example, a company can be fined €10 million or 2% of global annual turnover for not having its records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. With fines of up to €20 million or 4% of global annual turnover for infringements such as not having sufficient customer consent to process data, or violating privacy by design concepts, businesses must be ready for the impact of the changes.
The regulation of the relationship between controller and processor is likely to pose a significant challenge, especially with regard to the allocation of liability in the case of data breaches. Organisations need adequate systems in place for identifying breaches and a clear policy and procedure of what to do in the case of a data breach. This will be of particular relevance to controllers using third parties for cleaning, copying and storage where the likelihood of a breach may be increased. ‘Clouds’ are not exempt so there can be no passing the buck between controllers and processors.
Businesses should start thinking now about whether or not they need to hire a data protection officer (DPO) before they become a rare commodity. Just as chief information officer salaries jumped in anticipation of the Millennium bug, having an adequate supply of DPOs with sufficient expert knowledge of data protection law to advise on and monitor compliance with GDPR might become an issue.
Preparations for GDPR might seem like a bit of a headache, but upholding higher standards is essential for building and maintaining trust. As Andrus Ansip, Vice-President for the Digital Single Market, noted in December 2015: ‘The digital future of Europe can only be built on trust.’ In an age where the misuse of personal data has led to a high degree of cynicism, effective data governance, and the trust it engenders, might emerge as a valuable economic asset.