Ever heard of the European Union General Data Protection Regulation (EU GDPR)? It may be quite a mouthful, but it’s one that will soon be rolling off the tongue – because you have less than two years to ensure you’re compliant with it.
Wait… what is EU GDPR?
In short, GDPR is a regulation being introduced by the European Commission (EC) with the intention of strengthening data protection for people within the European Union, while also addressing the export of personal data outside the EU. When it enters into force, it will replace the existing Data Protection Directive of 1995.
This new regulation was officially adopted on April 27, 2016, with a two-year transition period. It will officially enter into application on May 25, 2018.
So what does EU GDPR change?
EU GDPR includes a host of changes to existing regulation. The main changes are:
The legislation insists that valid consent must be collected and that it must be explicit. In the case of children under the age of 13, consent must be given by a parent or legal custodian.
Data Protection Officer
When processing is carried out by a public authority, or in private-sector situations where regular monitoring of data subjects is necessary, a person with expert knowledge must be in place to oversee compliance with the regulation. This data protection officer differs from a compliance officer in that they would also need to be proficient in handling data security, such as dealing with potential cyber attacks; be able to address critical business-continuity issues; and manage IT processes.
The data protection officer would need to inform a supervisory authority immediately if a data breach takes place, and the affected individuals would also need to be notified if there is a risk of an adverse impact on them.
Notice requirements have been expanded and now include the retention time for contact information and personal data. Other features include Article 22, which requires that profiling be contestable, giving citizens the right to question automated decisions that affect them, and Article 25, which insists that data protection be built into services and products by design and by default.
All of the regulation takes effect if the organisation or the individual concerned is based within the EU but, unlike existing regulation, it will also apply to organisations based beyond the EU’s borders if they process any data relating to EU residents. Personal information can include anything from names to email addresses, photos, bank details, medical information, social network activity and more.
Single set of rules
There will now be a single set of rules throughout the member states of the European Union rather than different rules in different jurisdictions. Each state will establish an independent supervisory authority responsible for investigating complaints and sanctioning offences. If a business has several establishments across the EU, it will have a single “lead authority” determined by the place where the bulk of its processing activities take place – this authority will then supervise all of its processing activities throughout the EU.
What happens if you don’t comply?
There are, of course, consequences for those who fail to comply with EU GDPR. The first step would be a warning in writing, followed by regular audits; then fines potentially as high as two per cent of annual worldwide turnover or 10,000,000 euros in the case of an enterprise; and a fine of up to 20,000,000 euros or up to four per cent of worldwide annual turnover in other cases.
Hold on… what about Brexit?
If you’re thinking that these rules won’t apply to you because the UK will most likely exit the European Union by exercising Article 50 before May 2018 following the Brexit vote, then think again.
The UK is widely predicted to exercise Article 50 “at some point” during 2017. At that point, a two-year process to complete the exit from the European Union would begin, taking until well into 2019. As such, the EU GDPR rules will certainly apply when they come into force in May 2018 – and possibly much longer if the UK decides to retain these rules as part of its exit negotiations. Preparations for EU GDPR can’t wait: meeting the budgetary and governance requirements will take time, and there is no guarantee that they will be reduced even once the exit is complete.
What impact will this have on companies?
Speaking to The Register, Gavin Siggers of data storage firm Iron Mountain said that companies will struggle to keep up with the new legislation, pointing to the obstacles of “knowing what data they hold, why they hold it, where it’s kept and how long it should be kept for.” However, he does believe that over time it should help to reduce risk exposure.
Companies now have an obligation to protect personal information no matter how it is processed. This will mean a complete re-examination of the way they store data, including a focus on any cloud apps in use across the organisation. GDPR contains specific provisions for unstructured data, so organisations will need to manage how their employees interact with the cloud in order to remain compliant. In addition, companies must look beyond simple data residence and consider the paths their data travels.
What’s clear is that there is no time like the present. There is no excuse to wait for the invocation of Article 50 – EU GDPR will affect businesses even if only for a short period, and by then so much money and time will have been spent on the transition that it will only make sense to keep its structure in place. As such, it is vital that companies take measures now to complete what will be a difficult and comprehensive transition.