WE LIVE IN an increasingly data-driven world – one that’s vastly more complex than in the mid-90s when the current European data protection directive was established.
Although the main principles of the current directive still hold true, the General Data Protection Regulation (GDPR) introduces important changes for the capture, storage and processing of personal data.
Whilst the GDPR carries a heavy compliance burden, it’s a welcome piece of legislation for EU data subjects. The new regulations, which will be enforced from 25 May 2018, aim to provide a standard set of protections for citizens in a single European digital market.
The GDPR carries stiff financial penalties for non-compliance and, in an age where media stories of data security issues are almost a daily occurrence, the fallout from a personal data breach could result in serious reputational damage for an organisation.
As the enforcement date draws ever closer, it’s now essential to have a GDPR compliance plan in place and be able to demonstrate that it’s progressing.
At its heart, the GDPR applies to the processing of personal data. However, the regulation applies broad definitions to both ‘personal data’ and ‘processing’.
Personal data is that of an identified or identifiable natural person. If it’s possible to identify a data subject, directly or indirectly from the data, then it is likely to be personal data.
Examples include names, identification numbers, location data and online identifiers such as email address.
Additionally, factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person count as personal data, as do items like photographs, fingerprints, bank details, ethnicity, sexual orientation and religious beliefs. Several of these (genetic and biometric data, ethnicity, sexual orientation, religious beliefs) are treated as special categories of personal data, which attract stricter conditions on processing.
Processing is defined as any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means.
Collection, recording, organising, structuring, storing, adapting or altering, retrieving, transmitting, erasing or destroying all fall under the definition of processing.
The GDPR protects the personal data of data subjects in the European Union, regardless of the geographic location of the organisation processing it.
This means that even though an organisation may not be established in the EU and its processing activities may occur outside the EU, if it offers goods or services to individuals in the EU, or monitors their behaviour within the EU (for example through online tracking or profiling), it must be compliant.
This applies even if no payment is required for those goods or services, and it applies to data subjects in the EU, not only to EU citizens.
What are you doing with my data?
The GDPR creates new rules for obtaining consent to process personal data. The use of onerous terms and conditions or legal jargon which is difficult to understand is no longer acceptable.
Consent requests must now be provided using clear and plain language in an easily accessible form, and consent must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes; pre-ticked boxes and silence do not count.
In addition, the purpose for the data processing must be attached to the request for consent and it must be as easy for the data subject to withdraw their consent as it was to give it. Consent is only one of the lawful bases for processing, so organisations should also record which basis (for example contract, legal obligation or legitimate interests) they rely on for each processing activity.
Rights, rights, rights
The GDPR strengthens the rights of data subjects to control and understand what happens to their personal data. These include:
The right of access – the right to confirmation of whether your personal data is being processed and, if so, to information including the purposes of the processing, the categories of data, the recipients and the retention period. A copy of the personal data must be provided free of charge and without undue delay, within one month of the request (extendable by a further two months for complex or numerous requests); where the request is made electronically, the copy must be supplied in a commonly used electronic form.
The right to be forgotten – the right to have your personal data erased without undue delay in certain circumstances, for example where the data is no longer necessary for the purpose it was collected for or where you withdraw the consent the processing relied on. Where the organisation has made the data public, it must also take reasonable steps to inform other controllers and third parties processing it that erasure has been requested.
The right of portability – the right to receive personal data you previously provided to the controller in a structured, commonly used and machine-readable format, and to have it transmitted directly to another controller where technically feasible.
Data protection officers
Many organisations will need to appoint a data protection officer (DPO) to help provide guidance and oversight.
Existing legislation differs across the EU on working with or notifying national supervisory authorities about personal data processing activities.
The GDPR harmonises requirements across the EU and moves to an internal record-keeping regime rather than upfront notification to the supervisory authority.
The appointment of a DPO is only mandatory for public authorities, and for organisations whose core activities consist of large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of personal data or data relating to criminal convictions. Nevertheless, the compliance burden introduced by the GDPR means that every organisation must consider whether it needs a dedicated DPO or equivalent.
Where a DPO is appointed, even where it is not mandatory, these are the requirements:
- They must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices;
- May be either a staff member or an external service provider;
- Contact details must be provided to the relevant supervisory authority;
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge;
- Must report directly to the highest level of management;
- Must not carry out any other tasks that could result in a conflict of interest.
The GDPR provides supervisory authorities with significant new powers to enforce compliance. Regulatory fines of up to €20 million, or up to 4% of an organisation’s total worldwide annual turnover for the preceding financial year, whichever is higher, can be applied for the most serious infringements; a lower tier of up to €10 million or 2% applies to others.
Data subjects also have an enhanced ability to seek compensation for damages incurred for breaches of their data protection rights.
This right to seek compensation for non-financial loss (upset, stress or disruption to one’s life) could in some cases have the potential to be even more financially costly to companies than the regulatory fines themselves.
Take the example of a company that unfortunately loses one million customer records and is ordered to pay a nominal €50 to each impacted data subject as part of a class-action lawsuit. Expensive business.
As the GDPR enforcement date looms and its potential impact is understood, business leaders must ask, are we compliant, and if not, how do we become compliant in time?
Considerable effort must now be made to determine where non-compliances exist and how they can be addressed.
The first steps will be to identify what personal data is being held, how and why it was obtained, how long it’s being retained and whether it’s being stored, processed and transferred securely.
The compliance journey must then begin with an objective assessment of the current state of readiness.
This must lead to the definition of a programme of improvements which can be tracked over time and used to demonstrate that the organisation has considered its position and is taking its compliance requirements seriously.
The regulation is in place, the enforcement date is set and the message from national supervisory authorities is clear. Non-compliance is simply not an option.
Ivan O’Brien is a partner in advisory services at EY Ireland.