Taking stock of GDPR – 10 key changes it will bring about
When it comes to the way companies handle and protect data, things are soon going to change thanks to a new set of rules that are coming into force as of May 2018. Better known as the General Data Protection Regulation (GDPR), the new legal framework is meant to harmonise data protection standards across the 28 EU member states and is expected to ultimately reduce compliance costs, complexity, risks and uncertainty, ensuring that people’s data is adequately protected.
Here are the top ten key features that the new rules will bring about.
1. Significant penalties
The penalties for businesses or organisations that do not comply are hefty. Any company holding the personal data of EU individuals (commonly referred to as data subjects in the GDPR) will have to ensure they are compliant.
The penalties for breaching the legislation can be high, with fines of up to €20M or up to four percent of a company’s annual revenue, whichever is higher, depending on the circumstances.
2. The right to be forgotten
Thanks to very restrictive data handling guides, the GDPR puts additional emphasis on the right of an individual to request that unnecessary personal data is deleted, which necessitates that the organisation ensures it has the processes and technologies in place to tackle such requests efficiently.
Organisations are also required not to hold data for any longer than required, and not to change the use of the data from the purpose for which it was originally collected.
3. Enhanced obligations for organisations
Data subjects need to have access to more information on how their data is being processed and where requests are specifically made, these have to be fulfilled within one month of receipt of the request. Where requests to access data are manifestly unfounded or excessive, organisations will be able to charge a fee for providing access.
Subject access requests must also give all the information relating to purposes that should have been provided upon collection, such as publishing detailed fair processing notices to inform individuals of their data protection rights, the way their information is used and for how long.
4. Stringent consent requirements
For marketers in particular there has been much debate about the type of consent that might be required under this new regulation. The GDPR require that consent must be explicit, freely given for a specific purpose and easy to retract. The purpose for which the consent is obtained needs to be obvious to the data subject, including what their data is going to be used for at the point of data collection.
Furthermore, the GDPR stipulate that consent should be demonstrable – in other words organisations need to be able to show clearly how consent was obtained and when.
Consent must also be freely given; the controller cannot insist on data that is not required for the performance of a contract as a pre-requisite for that contract.
5. Stricter breach reporting
The GDPR is meant to bring into line various data breach notification laws in Europe and is aimed at ensuring organisations constantly monitor for breaches of personal data.
Significant data breaches will need to be notified to the local data protection authority within 72 hours and sometimes also to the individual. For many businesses, this may require quite a bit of training. It may require making changes to internal data security policies and how this is promoted in the organisation to ensure data breaches are properly understood and will be recognised easily.
6. Increased privacy impact assessments
The GDPR requires organisations to carry out privacy impact assessments and formally identify emerging privacy risks, particularly for new projects. This means before organisations can even begin projects involving personal information, they will have to conduct a privacy risk assessment and work with the DPO to ensure they are in compliance as projects progress.
7. Thinking of privacy in advance
Termed as Privacy by Design, data protection safeguards must be designed into products and services from the earliest stage of development. Data controllers already need to implement appropriate technical and organisational processes to protect data against unlawful treatment. This, however, leaves room for privacy considerations to be reduced to a mere afterthought in the development process. The GDPR requires organisations to consider privacy from the very beginning of the planning process.
8. Increased record keeping
Organisations must maintain registers of the processing activities they carry out, with mandatory DPIAs for high-risk data processing. This applies to all organisations with more than 250 employees as well as smaller enterprises where the data processing is likely to result in a risk to the rights of affected employees, the processing is not occasional or the processing includes special categories of data (e.g. health data, biometric data, data related to political or philosophical beliefs) or personal data relating to criminal convictions and offences. Therefore, in practise, most small and medium size enterprises will be obliged to keep a record.
Extensive detailed information needs to be recorded covering the controller, data processes, categorisation of data and data subjects, erasure periods and data protection measurements.
9. Appointing DPOs
Any business that depends on processing personal information will have to appoint a Data Protection Officer (DPO), who will be an extension of the data protection authority to ensure personal data processes, activities and systems conform to the law by design. According to a study by the International Association of Privacy Professionals (IAPP), this requirement means that, in Europe alone, 28,000 DPOs will have to be appointed in the next two years.
10. Wider regulatory scope
The GDPR allows any European data protection authority to take action against organisations, regardless of where in the world the company is based. In the past, only data controllers were considered responsible for data processing activities, but the GDPR extends liability to all organisations that process personal data. What’s more, the controller processor relationships must be documented and managed with contracts that mandate privacy obligations.
Properly implementing a data security policy will help your organisation prepare for the upcoming regulation.
How can we help?
Our GDPR experts can help identify the impact of the GDPR on your organisation and shape, mobilise and assist in delivering transformation programmes to achieve compliance, embed privacy within your organisation and ultimately generate business benefits.
We boast of a multi-disciplinary team of specialists covering data protection, cyber security, regulation and compliance, risk management and business change who can help design and implement a sustainable privacy and data protection programme.
Contact us today for to find out more.