The proposed General Data Protection Regulation (GDPR) has been a subject of discussion for so long that the only people still maintaining an interest in it are the lawyers. But where does it leave the companies that will be affected by this legislation?
It is likely that any given company’s approach to the new rules will be determined by some form of risk-based assessment, and the level of risk taken will be directly determined by the firm’s size.
Large organisations may try to pre-empt the consequences of the legislation. They may therefore seek to put measures in place to make the transition to the new legal regime smooth over the two-year period they have in which to comply.
Smaller organisations are more likely to play a game of wait and see, as they may be in two minds over how big a deal this new regulation will be. The cost of assessing their needs may be too high, or they may simply take the view that, since no negative incidents have happened to date, they may as well carry on as they are.
The fact is, businesses will have to spend more money on compliance and governance to ensure their internal processes work like well-oiled machines if they want to avoid any intrusive “looking in” and inspection by the data protection authorities.
Businesses have several areas to consider when deciding how best to tackle the new EU data protection law:
- Consent – Businesses will need to ensure that they rely on unambiguous consent when processing personal data, whether it belongs to their customers or their employees. Businesses in the consumer sector may be the most affected by this factor, and companies will need to scrub their customer databases so that they aren’t holding data without consent. For example, holding onto Mrs. Jones’ data from ten years ago, when she bought a pair of socks for Mr. Jones, is no longer permissible. Companies’ marketing operations will need to be able to handle requests from customers to purge their personal data, or even to stop using their data altogether.
- Erasing data (Right to be forgotten) – Businesses are pretty good at collecting personal data, but how many of them are able to completely erase specific data from their systems? This is going to be a challenge for many organisations as the reality of the Google ‘Right to be forgotten’ case comes to bear on the small business. Businesses that can afford it may consider truly anonymising data instead.
- Technical and Organisational Measures – The concern here is the security of business systems against uninvited intrusion. Do you have the right controls (whether IT or otherwise) in place to ensure that your customer and personnel data records are kept secure? Can you do this for as long as is needed, and without the risk of accidental loss? Do you even know why you keep such data? Is it simply to comply with the legitimate purpose of processing? Knowing the answers to these questions is one way for businesses to fully prepare their technical and organisational processes for the implementation of the new data protection law.
- Data breach notification – Companies that are also data controllers will be obliged to notify data security breaches to the relevant data protection authority and to the data subject(s) within 72 hours where the breach may result in a high risk to the individual(s). This means companies must have a robust incident management and response procedure in place so that they can meet these obligations.
- Enforcement and Fines – If, for any reason, a company breaches the GDPR, the relevant data protection authority may impose a fine of up to €1m or up to 2% of the organisation’s annual turnover.
Businesses should start putting in place compliance and governance teams that can begin looking into the processes and procedures likely to be affected by the introduction of the GDPR. Regardless of data breaches, it is good practice for companies to uphold good governance, as this minimises the risk of unexpected breaches.