In April 2016, the European Parliament adopted changes to data protection regulation as a major step towards the implementation of a digital single market strategy across the EU.
The General Data Protection Regulation (GDPR) is intended to consolidate, simplify and strengthen the rules around the collection, processing and use of data across the EU. The regulation came into force in May 2016 and will apply from May 2018.
For businesses the move will present immediate challenges; research from the UK Ministry of Justice suggests that it will cost close to £320m for UK business to meet the obligations, but in the longer term a simplified regulatory environment and more modern data protection framework will be established.
Here we take a look at the GDPR and how it might affect digital enterprises that want to do business in the EU.
What exactly is the GDPR?
Essentially, data protection is getting an upgrade. The GDPR is an EU Regulation. Currently there is an EU Directive in place – the catchily entitled Data Protection Directive 94/46/EC. Whereas directives need to be transposed into Member States’ national law, which can sometimes lead to a patchwork of different rules, regulations take immediate effect across the EU just as they are.
What’s the timeline?
The European Commission proposes EU Data Protection Reform.
European Parliament, Commission and Council reach agreement on new data protection rules.
European Council and European Parliament formally adopt the new regulation.
Text of the regulation published in the Official Journal of the EU. Regulation enters into force.
New regulation will ‘apply’ from the 25 May 2018.
Key GDPR Impacts on Business
The new regulation will have an impact on a wide range of areas and looks likely to lead to a big shift in the way user data is approached and handled. As always, the devil is in the details, but we have identified some key areas to be aware of and start planning for.
Data processors will be required to implement security measures and notify users/controllers of any breach. ‘Processors’ means a company, individual or organisation that handles data by which an individual can be identified.
- Data Protection Officers
Any data controller or processor is required to appoint a Data Protection Officer wherever their activities “require regular and systematic monitoring of data subjects”. DPOs can be employees or third-party consultants, but must have authority to act independently and report to senior management.
- Privacy by Default
The GDPR seeks to enshrine accountability and privacy for users by design. In practice, this means data minimisation, maintenance of detailed records and impact assessments being carried out for any risky processing of data.
The GDPR greatly increases the level of transparency that data processors need to operate under. More comprehensive information must be provided to users when collecting their data and the purpose for collecting data will have to be fully explained.
Failure to comply with the GDPR could lead to some pretty eye-watering fines - €20m or 4% of global revenue, whichever is the higher being the maximum level. The level of fine depends on factors such as intention, cooperation and quality of data practices.
- Individual Rights
Individual rights are at the centre of the GDPR. Users will gain certain rights relevant to data processors such as: the right to require information on what data is being processed about them; the right to restrict certain processing; the right to object to data being used for direct marketing. Another highly controversial element is the 'right of erasure' (i.e. the right to have data about yourself removed in certain circumstances).
Any staff involved in processing operations and controlling data will need to be given relevant training on the regulation and best practices.
Wait, what about Brexit?
Brexit may give UK-based businesses some flexibility, but another key aspect of GDPR is an expanded territorial reach. So GDPR will also apply to data controllers and processors not established in the EU, if they process personal data in relation to the offering of goods and services, and if they monitor behaviour of individuals in the EU. So even after the Brexit process is undertaken, any business anywhere in the world that has data centres in the EU or that wishes to sell to or track EU users will, in practice, need to comply.
Start preparing now
As we can see just from these main areas, the changes from the current regime are considerable and could have onerous implications for digital enterprises.
Online retailers, B2B suppliers, financial tech companies and anyone that wants to use personal data for personalisation will be affected. Practically any company that sells or engages online (and collects identifying data about it), and/or their data centres/cloud partners, will be subject to this legislation.
The new regulation will not apply until 2018 so there is time to get ready. If you have customers or users in the EU and have begun not already, you need to start preparing your organisation for compliance.
Six questions you should be asking to get you started are:
- Do we have procedures and security in place for data breaches?
- Are we a ‘privacy by design’ organisation?
- Do we have a review of policies, contracts, procedures and notices for all data-related practices underway?
- Do we require/have a qualified Data Protection Officer?
- Have we reviewed the legal basis on which we process and use data?
- Are we prepared for the budgetary and personnel changes that may be required for compliance?
Digital Single Market
The broad aim of this new data protection framework is modernisation. Giving more control over their data to users, simplifying the regulatory environment, and ensuring greater oversight of how personal information is used are all goals we should expect from a 21st Century data regulation. Furthermore, the move towards one set of rules also represents a big step for the EU in its Digital Single Market initiative.
Nonetheless, there will still be the Member States’ Data Protection Authorities and different interpretations and applications of the law. There are also costs and challenges that organisations and enterprises will encounter in meeting the new obligations.
Make sure you consider whether you may need technical and legal assistance to help you comply and avoid unnecessary costs and fines.