As we all know by now, the new General Data Protection Regulation was passed last year and will come into effect in May 2018. According to a recent Financial Times report, many EU companies are “dramatically underestimating the impact of new data protection regulation… and failing to prepare adequately for it.”
If you have not yet given the new GDPR much thought, it’s basically halftime — and it’s now more important than ever to understand what’s coming and how to prepare.
Basically, the GDPR will unite 28 different EU Member States’ laws into a single data protection law with the aim of greatly increasing private citizens’ rights over their personal data. In addition, the old directive consisted of 34 articles and 72 background findings, while the new law has 99 articles and 173 findings. Or as Thorsten Werning, Managing Partner of CONCEPTEC, puts it: “The GDPR is a lot to read.”
For companies, this translates into much stricter obligations and heavier non-compliance penalties. Demonstrating compliance will itself prove to be a particular challenge for most organizations. They must be confident not only that all rules are respected at every stage, but also that they can provide documented proof of it, even when working with partners who also handle customer or employee data, such as SaaS providers.
First, let’s run through a general overview of how companies will be affected and what they need to do to prepare.
Learning a new language
The first thing to understand about the big change is that the new regulation will begin with much legal uncertainty — almost a complete reversal from the old directive, whose language was quite specific and clear. The new text speaks of “lawfulness, fairness and transparency” with regard to the processing of personal data, of “appropriate measures” that companies should take to secure processing, of the “legitimate interests” of a controller, etc. It will take some time for the various national DPAs and the privacy community to agree on interpretations of these new provisions.
In addition, the new regulation classifies stakeholders, end-customers, etc., under specific terms. For example, a “Controller” is the end-user company, a “Processor” is the SaaS provider, and a “Subject” can be a citizen, an employee or a job candidate.
Here are some examples of how the GDPR puts this language into use.
The GDPR in action
Controllers must be prepared to provide much more detailed information about how data is processed. Such data must be processed only for specific, explicit and legitimate purposes, and limited to what is adequate, relevant and necessary. In addition, data must be corrected or deleted when inaccurate, stored for no longer than necessary, and protected against unauthorized use, accidental loss, etc. Controllers must demonstrate their compliance with all basic principles through documentation and Privacy Impact Assessments.
Meanwhile, processors of personal data on behalf of the controller must maintain confidentiality, implement appropriate security measures, report data breaches to the controller, maintain a register of data processing activities, have written authorization from the controller to employ sub-processors, be directly liable to enforcement sanctions, and much, much more.
As for citizens and customers (aka “data subjects”), they have new and more enforceable rights: the right to data erasure, to be forgotten, to receive copies of their data, etc. These obligations must be fulfilled free of charge within 30 days. There are also new requirements on how controllers obtain data subject consent, which must be freely given, for purposes defined in much more detail, with a clearly communicated right to withdraw that consent, etc. (yes, another etcetera — we told you there is “a lot to read”).
Many of the same regulations designed to protect private citizens also expand to employees within companies. Therefore, it is also necessary for companies to be familiar with changes to how Human Resources departments must gather, store and use employee data and, as always, be prepared to prove compliance.
Failure to comply = Bad idea
Fines for failing to comply with the new GDPR aim “to be effective, proportionate and dissuasive”. Or more specifically: up to 4% of total annual turnover or €20m.
Furthermore, the new law affects not only EU-based companies. Companies based outside the EU that offer goods or services to data subjects within the EU must also comply, and so must companies that monitor the behavior of EU data subjects, for example with tracking tools.
If you are one of the companies described in the Financial Times report: as I said before, we’re at the transition’s halfway mark, with less than a year until the regulation takes effect. It’s time to get rolling. Here are some immediate recommendations:
Assemble an A-Team. This should include a Chief Security Officer, Data Protection Officer, Legal Director, Chief Information Officer, and your Human Resources Director. Next, you need to collectively conduct a data audit and risk analysis, deploy an internal GDPR enablement program and draw a roadmap.
This roadmap should help you start to map processing activities and identify gaps in your systems. It should enable you to manage risks and launch actions such as internal audits, risk analysis and personal data processing mapping, all while documenting compliance. SaaS providers that handle your data should themselves hold a certification such as ISO 27001, which means they have the systems and tools in place to demonstrate compliance with the new GDPR.
There may be less than a year to prepare for the GDPR, and the task may seem daunting, but like in any inspirational sports movie, the winning team always makes a second half comeback.