What do the EU’s new privacy rules mean for business?

At long last, a new Data Protection Regulation is upon us in Europe. After years of amendments and debate, a final compromise text has been agreed and passed by the European Parliament. It is fair to say that herding a thousand cats would have been simpler than getting this regulation through the necessary process. However, it has been achieved at last, sending a clear message to businesses that privacy is at the forefront of the EU’s mind.

As has already been widely publicised, the main change introduced by the General Data Protection Regulation (GDPR) is the significant increase in sanctioning power available to regulators: €20M or 4 per cent of global annual turnover, whichever is higher. This represents a forty-fold increase on the current UK regime, which is already one of the highest in Europe. With a stick of this magnitude, businesses are going to be forced to take this regulation seriously.

The GDPR will make privacy a big issue

Based on the sanctioning power alone, privacy is likely to be catapulted to a top 5 issue for most organisations. But outside of large fines, what else is new under the GDPR? A lot! For the first time, we will have a common set of privacy rules across Europe. There has also been a huge focus on 'risk', with the recognition that the size of the business and the volume and types of data processed means that different organisations inherently have different risk profiles. As such, it isn’t going to be the case that all organisations have to embed the same level of controls.

In terms of the requirements themselves, there is an increased focus on 'Privacy by Design', enhanced obligations around obtaining consent, mandatory breach reporting to regulators and customers, increased transparency obligations, enhanced rights for individuals (including the right to data portability and erasure), clearer and stronger security requirements, and increased obligations when engaging and appointing third parties. It is also worth noting that, for the first time, 'Data Processors' (third parties who process data on behalf of an organisation) will be directly liable under Data Protection law, meaning they need to comply with certain elements of the Regulation and can be fined if they don’t.

While fundamentally the core principles remain the same, the new requirements of the GDPR have the potential to be onerous for an ill-prepared organisation and represent a significant step change in the way organisations collect and process personal information. Getting ready is not a simple case of updating a few forms on a website; it is going to need fundamental and radical changes to organisations' processes and controls. Such changes will take time to implement properly.

Given this, it is imperative that organisations start to take action now. As a first step, organisations need to understand what their current gaps are against the GDPR. Performing a comprehensive gap analysis therefore needs to be the immediate priority. Following the conclusion of this, a formal plan should be developed to address the identified gaps.

Fundamentally, organisations must ensure they have the right roles and responsibilities in place to design, develop and implement the required changes in a pragmatic and sustainable manner, and then to manage and oversee the privacy control environment once it is embedded.

Even with a two-year implementation period, most organisations will struggle to be ready in time. Failure to take action now will drastically increase the risk of being on the receiving end of an eye-watering, business-crippling sanction, along with the adverse publicity that being required to notify affected clients may bring.

Ewan Donald, privacy advisor and Mark Thompson, privacy lead at KPMG UK

Image Credit: Flickr/Sébastien Bertrand