GDPR: One Year To Go
STUART CHAPPENDEN, LONDON
We’ve just passed the year mark on the countdown to the GDPR enforcement date. If the thought of less than 365 days left to ensure your company will be compliant isn’t enough to get the ball rolling, the recent WannaCry cyberattack definitely should.
The GDPR’s raison d’être is putting control of personal data back into the hands of the individual. The consequence of this, from a cybersecurity perspective, is that companies will have to take the security, control and processing of data a lot more seriously. Those that don’t will face fines as high as €20m or 4% of global turnover (whichever is greater) for failing to adhere.
The arrival of GDPR means that organisations can’t simply gather data without good reason and without proof that they are doing all they can to protect the data they hold. If you collect data on European citizens then you will come under the GDPR and had better keep reading. The regulation sets out eight individual rights, each of which must be ensured:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
As with all new regulation, organisations will be thumbing through the small print for the responsibilities and, of course, the fines. Under the GDPR there will be two tiers of fines. The first is up to €10 million or 2% of the company’s global annual turnover for the previous financial year, whichever is higher. This tier is for infringements listed in Article 83(4) of the General Data Protection Regulation relating to:
- Integrating data protection ‘by design and by default’
- Records of processing activities
- Cooperation with the supervising authority
- Security of processing data
- Notification of a personal data breach to the supervisory authority
- Communication of a personal data breach to the data subject
- Data Protection Impact Assessment
- Prior consultation
- Designation, position or tasks of the Data Protection Officer
The higher level of fine, up to €20 million or 4% of the company’s global annual turnover, will be considered for infringements listed in Article 83(5) of the General Data Protection Regulation. This includes infringements relating to:
- The basic principle for processing, including conditions for consent, lawfulness of processing and processing of special categories of personal data
- Rights of the data subject
- Transfer of personal data to a recipient in a third country or an international organisation
GDPR emphasises accountability and transparency. Organisations will be expected to have comprehensive governance structures in place, and privacy by design and privacy impact assessments are legally required in certain circumstances.
All breaches must be reported to regulators within 72 hours of discovery, and failure to do so will result in fines of up to 10 million Euros or 2 per cent of global turnover, whichever is greater. Non-adherence to the standards of a certification scheme or code of practice will incur the same.
The GDPR endorses the ratification of approved codes of conduct and certification mechanisms to demonstrate compliance.
Signing up to a code of conduct or certification scheme is not mandatory, although doing so brings several benefits: improving transparency and accountability, by enabling individuals to distinguish which organisations meet the GDPR requirements and can be trusted with their personal data; providing mitigation against enforcement action; and, lastly, establishing best-practice standards.
A key requirement of the new regulation is the appointment of a Data Protection Officer (DPO) if you carry out large-scale data processing. The DPO will not sit solely within the IT department but will work across the organisation to ensure GDPR compliance is in place in HR, sales, operations, etc.
Interestingly, while the potential fines are substantial, the European Parliament had originally proposed fines of up to €100 million or 5% of the company’s global annual turnover. Evidently a compromise was reached. Fines for infringements will be considered on a case-by-case basis and will take several criteria into consideration, such as the intentional nature of the infringement, how many subjects were affected and any previous infringements by the controller or processor. If the breach is sufficiently serious to warrant notification to affected customers, the organisation responsible must do so without undue delay.
The data minimisation principle requires organisations not to hold data for any longer than necessary and not to use the data for a purpose other than the one for which it was originally collected, while at the same time they must delete any data at the request of the data subject. Consequently, organisations must obtain fresh consent if they wish to change the way they use collected data.
GDPR rolls out the regulatory rug across all companies collecting data on European citizens, no matter where in the world those companies are based. This is significant for large corporations which, in the past, would have favoured setting up headquarters in places like Ireland for its favourable data protection authority. At the same time, the new regulation also helps companies collecting data across borders, as they will only have to deal with one data protection authority rather than one for each EU state.
The GDPR looks to be a significant transformation of the data protection landscape. With so many new areas and points of compliance, the next year looks set to go very quickly. It is worth keeping an eye out for the Article 29 Working Party, which intends to publish guidance documents on administrative fines later this year (2017).