The upcoming General Data Protection Regulation will be the largest change to European privacy laws in 25 years and will come into force across all EU member states from 25th May 2018. For many companies, significant changes will be needed to comply with the regulation, and we are already halfway through the implementation period. Much of the attention around the GDPR has focused on the threat of sanctions (and the sanctions are hefty, at 4% of worldwide turnover or €20 million).
Instead of seeing the GDPR as a threat, companies should see the GDPR as an opportunity. The GDPR implementation period gives companies the chance to take a step back and think about how they handle personal information, and how they can do it better in the future. In a post-GDPR world, consumers are likely to be much more privacy-aware than today, and their expectations will be higher.
This post sets out the key changes in the Regulation and answers many of the questions businesses have around GDPR.
Why the GDPR, and why now?
The GDPR is being brought in as a replacement for the 1995 Data Protection Directive, and refreshes it to keep pace with the way data is used today. Its aim is to protect the privacy and security of data collected by organizations across the European Union. This is important because as consumers we hand over sensitive information as part of our daily lives: whether we’re booking a flight, accessing online banking, or buying some clothes. The GDPR is intended to give customers more transparency and control over how their data is used.
GDPR is not impacted by Brexit
Let’s make one thing clear: Brexit isn’t going to be a factor in GDPR compliance. Although Britain has voted to leave the EU, the GDPR rules will still apply. Any business that holds identifiable information on any EU citizen will need to be aware of its obligations under the GDPR.
Personally Identifiable Information (PII) is changing
Or rather, the term PII does not appear in the GDPR at all. Instead, the GDPR makes reference to “personal data.” This is significant for North American companies in particular, as PII refers to a narrow range of data such as name, address, birth date, social security number and financial information such as credit card numbers or bank accounts.
Personal data, on the other hand, as defined by the EU, refers to a much wider range of information, as seen in Recital 26 of the GDPR. This could include social media posts, photographs, lifestyle preferences, and, thanks to a recent landmark ruling in the European Court of Justice, IP addresses. Rather than selecting on a set of pre-defined attributes, the GDPR is concerned with whether an individual is in principle identifiable by a set of data.
The onus is on data controllers to identify potential re-identification paths, and to work with suppliers and processors to ensure that the services they provide help the controller meet its obligations under the GDPR.
Data breach notifications
As Troy Hunt of the breach database HaveIBeenPwned has pointed out, some companies, when faced with a data breach, have been less than timely in acknowledging it and notifying their customers. The GDPR ensures that in most cases where there has been a data breach, the affected company will need to notify both the Information Commissioner and the affected customers.
In theory, this should make us all a lot safer. Many data losses happen as a result of human error, so the threat of sanctions is likely to mean that, instead of risking it, companies will put in place a much more formal internal review process.
Chief Privacy Officer
Under Article 37 of the GDPR, companies must appoint a Chief Privacy Officer if they are a public authority, where their core activities involve “regular and systematic monitoring of data subjects on a large scale”, or where they conduct large-scale processing of “special categories of personal data” (such as data revealing racial or ethnic origin, political opinions, or religious or philosophical beliefs).
Although Article 37 does not specify any precise credentials, it says this official should have “expert knowledge of data protection law and practices.” It would be a good idea to get a head start on appointing one, as individuals with the required expertise will command a premium as the deadline approaches.
The GDPR will apply to any company (including US ones) that has European customers, so it’s not going to be feasible for anyone to ignore the GDPR. The penalties, both financial and to corporate reputation, are too great.
For smaller businesses in particular, the penalties even for a “less serious” breach of the regulations (€10 million or 2% of turnover) could be enough to force a company out of business. However, because fines are set by the Information Commissioner’s Office, businesses can reduce their exposure to the GDPR by following existing best practices such as ISO 27001.
Smaller organizations will also need to bring themselves into compliance, as well as implementing more general best practices around information security. Over the coming weeks, months and years we are likely to see plenty of guidance from the Information Commissioner’s Office on how businesses can prepare for and implement the GDPR. However, with the deadline for implementation coming up fast, it’s never too early to begin preparations.