After four years of negotiations, General Data Protection Regulation (GDPR) was finally adopted by the European Parliament in April last year (2016). Since then we have been saturated with facts, figures and opinions on every aspect of privacy, protection and data regulation imaginable. If we were picking a legal ‘buzzword’ for the year, GDPR has to be it.
Turning a blind eye to GDPR is simply not an option. The non-compliance risks are substantially higher than those under the existing Data Protection Act 1998 (DPA). The potential financial sanction is either €20 million, or up to 4% of a company's annual global revenue - whichever is higher. Yet the greatest risk for businesses is that they could be prevented from conducting certain business activity in the EU in future.
While the premise of GDPR is broad, as it aims to bring data protection into the digital age, the regulation will present different challenges for different organisations. Global corporates will face the complexities of implementation across international operations, while smaller companies are likely to find a lack of legal or compliance resource to be a significant strain. For companies with data-driven business models, the challenges are likely to be extensive.
Every organisation may be exposed to the new regulation in some way. Even if you’re thinking “GDPR doesn’t apply to me” or “I’ve definitely got the basics covered”, making assumptions can result in costly repercussions for your business. In order to ensure you are prepared, here are the top issues businesses should address to stress test their preparations:
1. GDPR does not apply to my organisation
Although GDPR is an EU regulation, it is not just applicable to businesses based in, or with operations in, the EU. In fact, the regulation also applies to companies located outside the EU that offer goods and services which target EU residents via the web.
For instance, a US company which operates in the US but sells its products to EU residents via an ecommerce site would be impacted by the regulation. Equally, cloud-based service providers with no physical presence in the EU will be caught out if they are hosting data received via their EU customers.
The scope of the GDPR is widespread. Whenever an organisation touches the data of EU residents, it would be best to assume that the GDPR will impact them in some way, or, at the very least, result in an assessment to determine the implications.
2. Organisations hold all the power
Under GDPR, the rights of data subjects - such as users, individual business partners or employees - have increased significantly. Organisations will have to inform individuals about the type of data they collect on them, and how it is used, and individuals, in turn, will have stronger rights to manage, control and object to that data being used. Both these measures will require many organisations to review and adapt their operations.
When it comes to profiling, which is the act of automatically processing someone’s personal information to evaluate their character, individuals will have far more control. GDPR gives individuals the right not to be subject to automated profiling in cases that impact them, such as the refusal of credit or service.
If they no longer want their information to be held by a particular organisation, individuals will have the right to ask for it to be deleted where the retention of such data can no longer be legally justified. This does not apply where the organisation has a legal obligation to retain the data, as is the case with tax records or where the information is needed to defend a legal claim. What’s more, if individuals want a copy of their data, then companies will be legally obliged to provide it in a format commonly used for porting data (e.g. a CSV file).
3. ‘Legal’ will handle our compliance
A common misconception is that an organisation’s legal team will handle everything to do with GDPR, but this is not the case. The nature of the regulation means that a number of internal parties are likely to be involved from the outset in undertaking the initial assessment, deciding on the necessary actions and implementing the changes as appropriate.
While the legal team will play a key role, organisations will also need to ensure their HR, operations, customer accounts and IT departments comply, and are on board to ensure the company has all the information needed to make informed decisions.
Crucially, GDPR is likely to require significant changes to company-wide business processes. Having the full engagement and support from the senior team will be vital in ensuring businesses can make the changes needed from the outset.
Companies will need to ensure they design and implement their IT systems to process personal data with close consideration to the privacy rights and obligations under GDPR. Conducting a privacy impact assessment is a good starting point for assessing where operations may present a particularly high risk.
4. No one will know if I breach GDPR
If and when personal data is ever compromised, companies will be obligated to notify the regulators and individuals affected. What’s more, notifications will need to be made within 72 hours after becoming aware of the incident.
With the increase in privacy class actions and regulatory enforcement action, there will be a greater risk of data privacy related litigation, and companies will need to improve both their security measures to better safeguard data and their practices around responding to security incidents.
When it comes to a potential breach of GDPR, businesses will not be able to bury their heads in the sand. With less than six months and counting until the regulation comes into play, organisations need to ensure they’re ready, having fully assessed the potential implications of GDPR for their business and what changes may be required to ensure compliance.
If you are unsure whether, and how, GDPR will impact your organisation, you can assess your GDPR readiness here. Better to be safe than sorry.
Kolvin Stone, Partner and Global Co-Chair of Orrick’s Cybersecurity & Data Privacy practice