Next year on 25 May the EU’s General Data Protection Regulation (GDPR) comes into force. GDPR will replace the existing “EC Data Protection Directive” and is intended to harmonise personal data protection across the EU. Below I describe my understanding of GDPR and its likely impact. Before you read on though here’s my disclaimer … I’m not a lawyer and this is not legal advice!
A significant change in the potential fines for a breach
Someone commented to me that this new law differs significantly in the scale of its fines. The top tier of fines will allow regulatory bodies to levy 4% of an entity’s global (no hiding behind a small subsidiary) turnover or 20m euros, whichever is the greater. Additionally, individuals will be able to claim compensation for damages, and EU member states will be able to create local laws to bring criminal proceedings.
Only this month the BBC reported that the University of East Anglia mistakenly emailed sensitive personal information about students to nearly 300 undergraduates. A “back of the fag packet” calculation indicates the GDPR fine could have been £8.8m based on the UEA’s 2013 published income of £221m. Ouch. So it seems the EU is getting serious about personal data protection.
Any organisation handling the personal data of EU citizens is in scope
The law will be in force in all EU member states for all EU-based entities. It will also apply to entities which are based outside the EU but which offer goods or services within it. I interpret this to mean a post-Brexit UK will have to comply if it wants to do business in the EU.
GDPR places responsibility on Data Controllers and Data Processors to look after the personal data of all of us … the Data Subjects. They will pick up the fines from the regulators. Data Controllers are entities which determine how and for what purpose the personal data is processed. Data Processors are the entities actually processing the personal data on behalf of the Data Controller. Controller and Processor may be within the same entity, separate entities within the same group or completely unrelated entities.
Amongst the GDPR’s core requirements is that entities are able to disclose what personal data is processed, how and for what reasons. They must do this clearly using plain language, in detail, promptly and without cost to the requester. Controllers and Processors will require personal data registers and an efficient means to update and access them.
The practicalities of this disclosure are bound to be challenging. The use of data and algorithms to automate decisions based on a person’s “profile” has become the norm, particularly in financial services, e.g. when we buy insurance or apply for a bank loan. Putting aside the commercial sensitivity of an entity disclosing its rules, I’d guess that many do not fully understand how their data is processed. Rules which have been iterated over many years, gradually increasing in complexity, may be buried deep in computer code or in the heads of long-since departed employees.
GDPR requires that data processing is done for legitimate reasons only and always using the minimum amount of data required. Entities may – but are not required to – obtain express consent from Data Subjects to process their personal data. Consent must be freely given and not linked to a contract (HR take note!). Whether or not consent is obtained, entities must be certain they are processing personal data only for legitimate and justifiable reasons.
Outsourcing or relocating data processing activities to lower cost locations and/or to third-party specialists is commonplace. Under GDPR these arrangements will have to be expressly approved by the Data Controller. Breaches of data privacy will have to be disclosed, normally within 72 hours, both to the Regulator and to the Data Subjects affected. Requests to withdraw previously granted consent, to delete personal data or to provide it in a format which can be ported electronically to another Data Controller will have to be responded to quickly, normally within 30 days.
So what should entities do now?
The quick answer is don’t wait … as I write there is less than 1 year to become compliant. At a high level, here’s a list of activities:
- Recruit a Data Protection Officer … in some cases this may be required by GDPR.
- Establish a GDPR project to make sure it gets the right level of focus and attention.
- Examine what personal data is currently processed across the organisation touching the EU … employees, customers and suppliers. Establish where there is highest risk.
- Test the lawfulness of current personal data processing against GDPR and create an action list to address gaps. Engage and include any third parties where there is a Data Controller or Data Processor relationship.
- Make GDPR compliance sustainable. Create policies and procedures. Assign compliance responsibilities to management and staff.
- Ensure staff understand GDPR, how to be compliant and why. Put in place effective processes to report data protection breaches.
Julian Rains is an experienced consultant specialising in business improvement. Recently he has helped a company to reduce the number of locations at which it stored and processed data. Much of his time was spent with lawyers and compliance experts to establish clearly the legal requirements. He became adept at expressing data protection laws concisely and using normal language to bring shared understanding to those beyond the legal and compliance communities.