May 2018 will witness the most significant reform of Europe’s data protection laws in over two decades. The new General Data Protection Regulation will come into force, and it will certainly change the way businesses and organizations handle personal information. Due to the rapid pace of technological change, digital information is being created, used, stored and distributed on a very large scale. The old structure of data handling is therefore no longer adequate to meet the challenges arising from globalization and technological advancement. The new General Data Protection Regulation is fit for the digital age, and is a precondition for realizing the benefits of economic activity that is not bound by national borders.
Given that today’s economic activities often require the transfer of data from one location to another, within the EU or to non-EU countries, it has become particularly challenging for enforcement bodies to apply the regulations coherently. In light of these developments, and given the increased amount of data processing currently taking place, the rules and principles of the new EU General Data Protection Regulation are well suited to the technological realities of today. As long as those principles and rules are applied consistently, GDPR will set a new standard for the protection of personal information.
What is GDPR?
It took four years of discussion and negotiation for GDPR to be finally approved by the European Parliament and the European Council at the end of April 2016. Ever since, businesses and citizens have been grappling with the challenging task of preparing for the legal regime that will apply once the GDPR is enforced in May 2018. To ensure the protection of personal data and the privacy of EU citizens in this fast-paced information society, companies will need to follow the provisions of this regulation. Organizations will also have to comply with the GDPR data transfer rules when transferring personal data outside the EU.
Given that, in the eyes of many, the shortcomings of the existing data protection laws lie in the lack of consistent and diligent enforcement of the rules rather than in insufficient legal protection, GDPR has been designed to create consistency and harmonization in data protection across the EU Member States.
Nevertheless, in addition to the opportunities and benefits it generates, GDPR also increases the obligations on organizations and the investment required to become GDPR compliant.
The Emergence of GDPR
EU Member States currently operate under the Data Protection Regulation (1995), which each Member State implements through its own national laws. In the UK, for instance, the Data Protection Act (1995) regulates the use of your personal information by the government, companies and other institutions. The original directive of 1995 was formulated at a time when only 1% of people used the internet and there was no social media. Today the majority of people use social media and constantly produce and consume information electronically.
The GDPR has emerged for two main reasons. First, the EU wants to give people more control over their personal information and how that information is used, considering the cases of Facebook and Google, which have access to the personal information of their users. The current legislation was enforced in what now appears to be a different technological era.
The second reason is that the EU wants to provide a simpler regulation which eases the legal operating environment for businesses by having the same data protection law throughout the EU market. The EU estimates that the new regulation will save companies up to € 2.3 billion per year.
The Importance of GDPR
The basic objective of the GDPR is stronger enforcement of data protection among organizations. Being able to build comprehensive reports about the use of personal data is not simply a GDPR requirement; it is also a means of reducing data security and privacy risks. This will contribute to creating deeper bonds with customers and, at the same time, strengthen the organization’s position. GDPR will change the way organizations communicate with customers about the processing of their personal data.
General Data Protection Regulation Requirements
To help organizations become compliant with GDPR, the UK Information Commissioner’s Office (ICO) has provided twelve steps that serve as a guide to successfully fulfilling the regulation’s requirements:
- Understand the Regulation: The first important step is to understand your obligations related to the processing and storage of personal data.
- Identification of personal data: Every organization subject to GDPR should identify and record all the personal data that it currently holds and plans to obtain in the future, including the source of the data and the individual(s) granted access to it.
- Communication of privacy information: Organizations should review their existing privacy notices and set up a plan to make the changes required by GDPR.
- Individuals’ rights: Check all the procedures that cover individuals’ rights, including the procedures for deleting personal data and providing data electronically, and evaluate whether a standardized format is being used.
- Subject access requests: Procedures should be reviewed and updated, and a plan for handling requests without delay should be set up.
- Legal basis: Based on the different types of data processing you perform, the organization should identify and document the legal basis for holding the data.
- Consent: Obtaining consent involves an affirmative indication of agreement. Review how consent is sought, obtained and recorded, and evaluate whether any changes are needed.
- Children’s Data: If your organization processes the data of underage subjects, you should consider setting up systems for verifying the age of individuals and gathering consent from parents or legal guardians where necessary.
- Data Breaches: Organizations should develop the procedures and policies that enable them to detect, report and investigate a potential personal data breach.
- Data Protection Officers: Some organizations are required to appoint a Data Protection Officer (DPO) to evaluate whether the organization is compliant with GDPR requirements. The role can be assigned to someone within the organization or outsourced to an external data protection advisor who can fulfill the DPO requirements.
- Data Protection by Design and Data Protection Impact Assessments: A DPIA enables organizations to identify and mitigate potential privacy issues, whereas Data Protection by Design promotes data protection and privacy throughout a project’s lifecycle.
- International: Organizations operating in more than one EU country and performing cross-border processing should determine their lead data protection supervisory authority.
Penalties for Non-compliance with GDPR
In case of non-compliance, the fines that can be imposed on organizations depend on several factors, such as:
- Whether the breach was intentional or due to negligence
- Whether the controller or processor took any actions to mitigate the damage
- The nature and duration of the breach
- The means through which the regulator became aware of the breach
- Technical and organizational measures that had been applied by the controller or processor
- The categories of personal data that were affected
- Lack of cooperation with competent authorities
Where organizations fail to comply with the GDPR requirements, the penalties can reach up to € 10 million or 2% of the organization’s annual turnover, whichever is greater. For more serious infringements, the penalties can amount to € 20 million or 4% of the organization’s annual turnover, whichever is greater.
How will GDPR Impact Your Business Operations?
The impact of GDPR on customer engagement: Under the GDPR, the rules on obtaining consent are highly rigorous. Individuals have the right to withdraw consent at any time, and organizations have to prove that the individual agreed to a particular action, such as receiving a newsletter.
This will directly influence the way sales and marketing activities are managed and conducted. Organizations have to review all their existing forms, applications and processes to comply with email marketing practices and opt-in rules. For example, individuals have to fill out a form or give their consent by ticking a box that confirms their willingness to receive marketing materials. Individuals should also have the option of opting out of direct marketing.
In addition, under the GDPR, organizations in B2B markets cannot exchange business cards with potential customers at trade shows and add the information received to their mailing lists.
Preparing to Comply with GDPR
The EU General Data Protection Regulation (GDPR) will be enacted on May 25, 2018, and it will create extra security and privacy obligations which EU member states will need to comply with. Company executives should therefore prepare properly for the new regulation before it comes into force. The preparation phase is critical, as it includes training employees and adopting new technologies and processes to facilitate compliance. It may be quite challenging for companies to deploy and implement the new security and compliance processes of GDPR on their own, particularly those facing shortages of IT personnel and skills. Hence, companies should contact organizations that provide security strategies and solutions to protect personal information and business processes, so as to ease their compliance burden.
GDPR: An Opportunity for Information Security and Data Professionals
The upcoming regulation will open the door to new career opportunities for information security and data professionals, by enabling them to engage in activities that protect the organization’s reputation and prevent potential financial penalties.
Given that the GDPR will change the way organizations process and store data, organizations will face the unavoidable need to hire new professionals to take the reins.
Even though the role will vary from one organization to another based on its size and existing procedures and controls, GDPR professionals will be responsible for defining and building comprehensive solutions for data protection. They should also be able to support the organization in selecting and implementing the most suitable technologies for achieving compliance with the new EU Regulation. GDPR professionals will assist in prioritizing data, improving data quality, and building greater customer trust.