The data protection and security landscape is all set for change next year with the new EU General Data Protection Regulation (GDPR). Find out how this may affect your business and what to do next.
The data protection and security landscape is all set for change next year with the new EU General Data Protection Regulation (“GDPR”). There will be regulatory burdens, but you can also use GDPR to bring some focus on what you do and improve your security stance. Remember...
- The new rules are part revolution/part evolution - the new system builds on the current one if you already comply with EU privacy laws you can build on those foundations;
- Don’t panic, plan instead - the full impact will come in 2018 but preparation now will pay off then.
At Cordery we’ve been working on GDPR projects since the first draft came out in 2012. GDPR is a long document but here’s some highlights:
The new rules will apply to all those in the EU who control data and/or undertake data processing.
- All sectors are affected - the more robust your privacy compliance the better your market advantage;
- Non-EU businesses doing business in the EU are also affected.
Identity management has a role to play in GDPR to help you work out whether data subjects are who they say they are and whether they are in scope for different aspects of GDPR. Establishing identity is also essential when someone tries to exercise new rights which GDPR creates.
What are those new rights?
New rights are being introduced and existing ones tweaked, including.
- A new Right To Data Portability;
- An extended Right To Be Forgotten (called the Right to Erasure);
- An enhanced Subject Access Right - to be free and with a shorter time to reply.
Data Protection Impact Assessments ("DPIAs")
DPIAs will have to be undertaken for certain data processing operations.
DPIAs put the compliance assessment burden on those handling personal data - but, used as a wider tool they help you get a better handle on your data processes and reduce risk. This should help you build privacy and security into the heart of what you do. There’s no set format - the key thing is to pick a process that is simple to understand and helps you get to the real risks quickly.
Security Breach Reporting
One of the most important changes is that there will be mandatory security breach reporting.
Breaches must be reported to a regulator within 72 hours and those affected by the breach must also be informed - to do this you must have clear, practical, effective and immediate procedures. You’ll also need to get your vendors and suppliers on board - this is business critical so you can’t afford to get it wrong.
Increased enforcement will come about with the new regime, backed up by greater sanctions.
There are fines of up to €20 million or 4% of the global annual revenue of a business (whichever is the greater), with likely higher reputational damage resulting and the possibility of civil actions too. This is the big stick for data protection compliance, but, getting it right will avoid major headaches.
What you need to do now?
Start preparing now and read our FAQs at www.bit.ly/gdprfaq or watch our film on YouTube at www.bit.ly/gdprfilm. You might also be interested in our GDPR subscription service which includes films, checklists articles and a monthly call to help plan for GDPR. The details of this service are at www.bit.ly/gdprnav.
Jonathan is an experienced lawyer with Cordery in the UK with a concentration on compliance and technology. His practice includes advising multinational companies on matters involving risk, compliance and technology across Europe. He has handled legal matters in more than 60 countries involving data breach, bribery and corruption, corporate governance, ethics code implementation, reputation, internal investigations, marketing, branding and global privacy policies.
Jonathan is one of three co-authors of the LexisNexis definitive work on technology risk, "Managing Risk: Technology & Communications". He is a frequent broadcaster for the BBC and other channels.
Jonathan was ranked as the 14th most influential figure in global data security by Onalytica in their 2016 Data Security Top 100 Influencers and Brands Survey.
In addition to being a lawyer, Jonathan is a Fellow of The Chartered Institute of Marketing. He has spoken at conferences in the U.S., Canada, China, Brazil, Singapore, Vietnam, Dubai and across Europe. Jonathan qualified as a lawyer in the UK in 1991 and has focused on compliance and technology matters for more than 20 years.