Some of those I speak to intend to carry on with their business and not worry about the new General Data Protection Regulation. After all, 2018 is a long time to plan ahead. The UK might have left the EU by then, fracturing the UK back into its constituent parts as Scotland elects to rejoin the EU. The economic problems in China might put the world back into recession. And the NSA will continue its snooping activities unabated so what’s the point?
This is a weak strategy. Even if the UK – or just England – leaves the EU, we will likely stay in the EEA and will still have to abide by the GDPR. While economic woes may affect your profitability, a fine calculated against your turnover (not your profit) could be even more damaging. And, while it’s true the NSA (and equivalents around the world) will continue snooping, that doesn’t mean you don’t need to keep abreast of the law. Just because you might be burgled one day, doesn’t mean you may as well leave your front door open.
There is a lot to consider in the GDPR, but here are 4 key issues to start you off:
1. Massive fines
The UK Information Commissioner can currently fine offenders a maximum of £500,000 but, so far, has not exceeded the £325,000 fine which it levied against Brighton and Sussex University Hospitals NHS Trust in 2012. The new level of fines from 2018 will be up to €10,000,000 or 2% of global annual turnover (whichever is the higher) for many potential breaches, or up to €20,000,000 or 4% of global annual turnover (again, whichever is the higher) for the key data obligations. While you might be able to absorb the current smaller fines, I would not want to be in your shoes when you have to explain to your CEO / CFO why you’ve received one of the new fines. Of course, the new fines have to be “effective, proportionate and dissuasive”, but you know there will be at least one supervisory authority looking for an early scalp.
2. Mandatory breach notifications
At the moment, you can decide whether to notify the Information Commissioner of a breach. If notification would adversely affect your share price or reputation, maybe you can keep it quiet? Do the data subjects really need to know? The GDPR changes that. Data controllers (normally the customer) will have to notify breaches to the supervisory authority “without undue delay” and, where feasible, within 72 hours of becoming aware of the breach. There is also some softer wording: the processor must notify its controller without undue delay (no time period is specified), and the controller must notify the data subjects where the breach is likely to result in a “high risk” to their rights and freedoms. Much will turn, of course, on the interpretation of what is feasible, what delay is acceptable and what counts as a high risk, but the line in the sand has been drawn.
3. Data protection officer
For those organisations with a CISO or DPO, the GDPR provides legislative validation of their roles. Those without should take note that a DPO is required if you are a public authority, where your core activities consist of processing operations which require “regular and systematic monitoring of data subjects on a large scale”, or where you process special / sensitive / criminal conviction data on a large scale. This obligation is not as broad as it could have been and, even where it bites, you can share a DPO across a group of undertakings or even buy the role in as an external resource. The prudent course of action is to appoint someone with overall data compliance responsibility, just as you should for anti-bribery, anti-money laundering, health & safety etc.
4. Data transfers
The GDPR acknowledges that use of technology is ubiquitous and that data transfers are a fact of life in the modern world, and it now devotes a whole chapter to the subject. The GDPR specifies when personal data can be transferred outside the EU to a third country:
- Where the Commission is satisfied that the recipient country ensures an adequate level of protection (an “adequacy decision”). At present, Safe Harbour 2.0 has yet to be finalised for transfers to the USA, and the clock is ticking.
- Transfers within an organisation under binding corporate rules.
- Transfers using standard contractual clauses adopted by the Commission (or adopted by a supervisory authority and approved by the Commission).
My advice is to put in place appropriate steps now, especially if you need to plan this in your budgets. But I would say that of course. You could just wait for the first new fine and then act…
All true. But there’s so much more. I’m only half-way through my detailed reading, but I quite like Art. 20.1, which appears to make any automated profile-based insurance or credit rating illegal. No more using Facebook profiles to determine eligibility for mortgages, for instance. Or at least not without a complicated contractual dance and the right to human intervention.
Thanks for your comment. Yes, loads in there. I wonder to what extent Member States will “gold-plate” permitted provisions thus skewing the harmonised approach again.