The EU’s GDPR has attracted a lot of attention recently, because so many organisations will be subject to the regulation. Coming into effect on the 25th of May 2018, GDPR is intended to protect the privacy of people in the EU and change the way in which companies approach privacy. Crucially, its introduction will impact not only organisations within EU member states, but also those beyond the borders of the EU. Any company that processes personal data on an individual in the EU may need to comply with the regulation, irrespective of its geographical location.
The punishment for organisations that breach GDPR is severe. They can be fined up to €20million or 4 per cent of annual global turnover, which is obviously a significant financial deterrent, not to mention the effect on how an organisation is perceived by its customers and other stakeholders. With less than a year before GDPR comes into force, organisations must evaluate their current procedures for processing and protecting personal or sensitive data against the GDPR, and urgently make changes if needed.
Despite this urgency, a large majority of organisations are not yet suitably prepared. Indeed, Gartner predicts that on the date GDPR comes into force, more than half of companies affected will not comply fully with its requirements.
Organisations must focus now on five high priority areas to ensure they are GDPR ready.
Determining exactly how GDPR affects them
Any organisation that decides on what personal data is processed, for what reason and by what means, is essentially a “data controller.” The GDPR applies not only to businesses in the EU, but also to all organisations outside the EU that are processing personal data for the offering of goods and services to the EU, or that are monitoring the behaviour of data subjects within the EU.
If any of these criteria are met, then these organisations should appoint a representative to act as a point of contact for the data protection authority (DPA) and data subjects. This leads onto the next priority for companies impacted by GDPR.
Appoint a data protection officer
When GDPR is introduced, a number of companies will have to employ a data protection officer. The role of a data protection officer is to oversee data protection strategy. They must also educate those within the company on what they must do in order to comply with requirements, provide staff involved in data processing with the necessary training, and perform privacy audits.
Appointing a data protection officer is particularly important for organisations that are public bodies, have operations that require regular and methodical monitoring, or process personal data on a large scale. It is important to note that the term “large scale” does not have to refer to data subjects in the hundreds of thousands. In fact, when the GDPR was in the initial stages of being drafted a data protection officer was required for organisations involved in the processing of data on more than 5,000 subjects in any 12 month period.
As an additional action, companies can create a task force to address the challenges the organisation faces under the GDPR.
Operate transparently and demonstrate accountability
To comply with the rules and regulations around personal data processing activities, companies should decide on purpose limitation, data quality, and data relevance when beginning a new processing activity. These principles must also be applied to existing processing activities.
When processing data, companies should operate transparently and illustrate that they are accountable for their actions. An organisation cannot demonstrate accountability without proper data subject consent acquisition and registration. In the past, companies might have been able to get away with implied consent and pre-checked boxes, but this will no longer be the case. They will now have to introduce - if not in place already - measures that enable them to both obtain and record consent and the withdrawal of consent.
People must know exactly what they are agreeing to, so companies should be clear on what the data is and how and why it is processed.
Manage cross-border data flows correctly
Following residency requirements, data can be transferred to any of the 28 EU member states, along with EEA members Norway, Liechtenstein and Iceland. Data transfers can also be made to any of the 11 jurisdictions considered to have an adequate level of protection by the European Commissions. This is judged through an adequacy decision, which is a decision taken by the Commission establishing that a third country provides a proportional level of protection of personal data to that in the European Union, through its domestic law or its international commitments. When it comes to transfers that do not fall within these set areas, companies should ensure that they are using the appropriate precautions. Examples of such measures include Binding Corporate Rules (BCRs) and standard contractual clauses, i.e., “EU Model Contracts”.
Anticipating data subjects exercising their rights
The introduction of the GDPR creates new rights for individuals and also strengthens some of the existing rights. Some of the rights provided by the GDPR include the right to data portability, the right to be forgotten, and the right to be informed. The latter concerns incidents such as a data breach, or if data subjects wish to receive an explanation around machine learning systems’ automated decision making, for instance.
Ideally, businesses should already have measures and plans in place to deal with the European GDPR coming into effect. However, if a business is not prepared to suitably address data breaches and people exercising their rights, then it is imperative that they start implementing additional controls as soon as possible.
Bart Willemsen, Research Director, Gartner
Image Credit: Wright Studio / Shutterstock