Preparing to Comply with The EU General Data Protection Regulation

The new European General Data Protection Regulation (“GDPR”) will come into force throughout the European Union on 25 May 2018. The GDPR will replace existing data protection laws throughout Europe and introduce significant changes and additional requirements that will have a wide ranging impact on businesses around the world, irrespective of where they operate.

The GDPR: The Changes that Will Affect your Business

The key changes and additional requirements introduced by the GDPR are:

1. European data protection law will now apply worldwide. Both EU-established organisations and organisations located outside the EU that process EU personal data or monitor individuals within the EU will now have to comply with European data protection law.

2. Tougher sanctions for non-compliance. The maximum fine for a breach will be substantially increased to 4 percent of an enterprise’s worldwide turnover or €20 million per infringement, whichever is higher.

3. A new data breach notification obligation. Organisations will now have to notify the relevant European data protection authority of a breach without undue delay and, where feasible, within 72 hours. A notification must also be made to the individuals affected without undue delay where there is a high risk to the individuals concerned.

4. New data privacy governance, data mapping and impact assessment requirements. Organisations will now need to appoint a data protection officer (“DPO”) to implement and monitor compliance with the GDPR. Organisations will now also be required to map their processing of personal data and undertake privacy impact assessments for higher risk processing.

5. A requirement to implement “privacy by design”. Businesses must now take a proactive approach to ensure that an appropriate standard of data protection is the default position taken when personal data is being processed.

6. Strengthening of individuals’ rights to personal data. Individuals will have the right to have their personal data removed from systems or online content (the “right to be forgotten”), the right to avoid automated data profiling (where this would produce a legal effect), and the right to be given, or specify a recipient for, an accessible copy of their personal data (the “right to data portability”).

7. Enhanced requirements for the supply chain. Businesses must ensure that third-party data processors implement GDPR-compliant security measures. These service providers will now be held accountable for their own level of appropriate security, must document their processing and must obtain prior consent to employ sub-processors. Organisations may need to amend their contracts with these parties to address these issues.

Preparing for the GDPR: The 10 Steps Your Business Should Take to Get Ready to Comply

1. Inform your leadership and formulate a plan. Senior management should be made aware of the GDPR and how it will affect your business. Senior management should designate the individuals who will formulate a GDPR compliance plan and educate others on its operational impact.

2. Appoint a DPO. Determine whether it is required under the GDPR or otherwise desirable to appoint a DPO to implement and monitor your GDPR compliance plan. This person should act as the head of your data protection governance structure and report directly to leadership.

3. Map your personal data. Conduct a detailed investigation into, and create a record of, the personal data your business collects, the purposes for which it is processed, how it was obtained and with whom it is shared.

4. Examine the impact. The information gathered from the personal data mapping exercise should be used to assess which of your business activities must comply with the GDPR.

5. Address the risks. Privacy impact assessments should be conducted to identify and minimise the risks associated with your processing of personal data, particularly where there are high risks to the rights of the individuals concerned.

6. Review the grounds under which personal data is being processed. The basis for collecting and processing personal data should be reviewed in light of the GDPR, particularly where “consent” and “legitimate interests” (which are more difficult to demonstrate under the GDPR) are being relied upon.

7. Update your data governance. Policies, procedures and governance controls should be updated to detail how your organisation will comply with the GDPR. Employees should receive regular training on this.

8. Implement new compliance systems. Plans must be put in place to comply with the new GDPR requirements and the additional rights that individuals can exercise in relation to their personal data.

9. Review your supply chain contracts. Contracts with third parties with whom personal data is shared should be reviewed and, where necessary, renegotiated to ensure appropriate supervision over personal data processing and compliance with the GDPR.

10. Assess your international transfers. Review your current mechanisms for cross-border transfers of personal data within your organisation or to third parties and assess whether updates are needed to comply with the GDPR.

Partner, Mayer Brown International LLP 

Partner, Mayer Brown International LLP