The term “GDPR” probably isn’t new to you. A quick browse of your LinkedIn newsfeed will likely throw up any number of articles warning of the quickly approaching May 25 deadline for compliance with the new General Data Protection Regulation.
But what is the GDPR, and how will it affect you and your business?
In the simplest terms, the GDPR is an attempt to standardize data laws across European Union countries, to give greater transparency, control, and power to individuals whose data is being held by companies.
As it stands today, each EU member state implements its own set of laws based on the European Union’s 1995 Data Protection Directive. Just like the new GDPR, this directive was introduced to protect the personal data of EU citizens. However, the crucial difference between the two is the GDPR is a ‘regulation’, whereas the 1995 Data Protection Directive is a ‘directive’. The latter has no legal enforcement, which leaves member states free to decide how to transpose directives into national laws.
Consequently, different interpretations of this directive have resulted in divergences in laws across EU countries, which creates legal uncertainty, not only for companies holding personal data but also for individuals, in terms of understanding what their level of protection is in each state. Furthermore, basing data protection standards in 2018 on a directive from 1995 is not considered best practice in the digital age.
Before you lose interest as a non-EU citizen, please note that any company that offers goods or services to individuals in the EU will be required to comply with the GDPR, regardless of whether the company itself was established in the EU. With the EU being one of the largest trading blocs in the world, the second largest if counted as a single country, it’s likely that the GDPR will affect you.
Giving power back to individuals
So what is it? GDPR legislation itself is concerned with personal data, essentially any information that can be used to identify you as a person. This can be a name, address, IP address… or anything of the like. Importantly, the GDPR makes no distinction between B2B and B2C data; both are covered under its auspices. Your company will be holding personal data somewhere about its customers and/or prospects and will therefore need to comply with these new laws.
At a fundamental level, the GDPR should make companies question whether they should even be holding an individual’s personal data. Unless required for legal or contractual reasons, or justifiable as being in the public interest, the processing of personal data – up to and including simply storing it – necessitates clear consent. And there must be a mechanism for consent to be withdrawn just as easily as it was first given.
Not only this, individuals will have new rights to access and even request the removal of data relating to themselves; this is the so-called right to be forgotten. Post-May 2018, companies may be contacted by an EU citizen who wants to know exactly what categories of personal data are being held, the purpose(s) of processing that data, and with whom that data is being shared. The company is obligated to reply in full within a month. If there’s no justification for their personal data to be held, data subjects can exercise their right to be forgotten – meaning it must be deleted.
Ensuring transparency and forcing accountability
For businesses to be able to adhere to these requirements, documentation is needed concerning how data is collected and processed, exactly what data is being held, for what reason, and for how long. The processes also need to be in place to ensure a subject’s data access request can be managed and responded to.
Under the GDPR, there’s also added accountability when it comes to the security of personal data. Certain technical and organizational measures must be implemented and documented. If data is shared with a third party, such as an agency, all processing activities must be clearly defined and contractually agreed upon, even for something as simple as processing data on another company’s behalf.
There are plenty more rules too. To name just one: if a data breach is encountered, it must be reported within 72 hours to the local independent supervisory authority, which is appointed by the member state and tasked with monitoring the application of the GDPR.
The big GDPR headlines focus on regulators’ powers to impose big fines for failure to comply. Depending on the severity of the breach, it could cost a company up to €20 million or four per cent of a firm’s global turnover – whichever is greater. We don’t yet know the precedent that will be set in enforcing this new legislation. But it’s a clear instruction for companies to take note.
The countdown to May
If your company hasn’t already, it’s time to get prepared for the GDPR. The reality is that it is a step change for data protection – it’s an evolution, not a revolution. Provided organisations are complying with existing data protection laws, it’s simply a case of ensuring the documentation and processes are in place to comply with the specifics of the GDPR.
Internal awareness is the priority to ensure all key internal stakeholders are aware (heck, send this blog to your whole company). Then, you’ll need a GDPR taskforce to pull a plan together. Start by identifying where personal data is held, ensure you’re clear as a company on where consent is required, and make it as easy as possible to give and withdraw consent, and so on.
There’s a lot to think about, so it’s time to get going!