GDPR will be a game-changer but it will also bring hefty fines and new responsibilities for businesses.
One year from now, on 25 May 2018, all businesses and organisations across Europe that handle customer data will have to comply with the General Data Protection Regulation (GDPR).
GDPR is an overhaul of European data protection laws and could impact every business, individual and member of public sector organisations across Europe.
‘Compliance and security needs to be embedded into every business as part of their digital transformation journey’
– JOHN PURDY
The law will lead the standard for data protection globally and will include new rights for users to have better control over how their personal data is used.
For organisations, it will mean establishing clear procedures around consent and having a legal basis for gathering data, especially in the digital world. Consumers will have the right to ask for access to data held on them, and have it changed or erased. Ultimately, firms will need to reinterpret how they communicate with customers, how they gather data and how they organise that data into an effective audit trail.
Some organisations – especially those in the public sector – will have to appoint data protection officers.
Failure to comply could lead to fines of up to €20m, or 4pc of turnover.
Ireland’s Data Protection Commissioner, Helen Dixon, has published a handy 12-step guide to preparing for GDPR at GDPRandyou.ie.
“GDPR represents an evolution in data protection rights and obligations, but a revolution in terms of the burden and potential sanctions for non-compliance,” said Paul Lavery, partner and head of the technology and innovation group at McCann FitzGerald.
“All companies need to start getting ready for GDPR as soon as possible, as the consequences for non-compliance will include large fines and even proposed personal liability for directors. For businesses, the potential damage to reputation may be even more dissuasive than any fine.”
But how ready is the business world for GDPR? A BT Ireland survey by Amárach Research into large domestic and multinational organisations found that 63pc of CFOs are surprisingly oblivious to GDPR and what it could mean.
However, it may not be that bleak. A study of IT professionals by services company Ergo found that 84pc of companies are taking measures to be prepared, and more than half are confident that they have a good understanding of what GDPR will mean to their businesses when it comes into force in May next year.
Around 43pc of companies believe that GDPR requires “substantial change” within their organisations, while 50pc are planning “minor change”. Around 8pc are expecting no change at all.
Ergo CEO John Purdy commented: “Compliance and security needs to be embedded into every business as part of their digital transformation journey, and success will depend on the ingenuity of in-house IT experts and their service providers. It’s increasingly something our clients are asking us to help them with.”
Here’s what you need to know to get your head around GDPR.
1. Big fines
GDPR has severe penalties for organisations that lose data – up to €20m, or 4pc of an organisation’s revenue, whichever is higher. Penalties are broken out into two main categories, with the second category attracting a smaller maximum penalty of 2pc of turnover, or €10m.
2. Consumers could sue businesses more easily
The GDPR makes it considerably easier for individuals to bring private claims against data controllers if their data privacy has been infringed. Even if they have suffered non-material damage as a result of an infringement, they can still sue for compensation.
Ireland’s Data Protection Commissioner, Helen Dixon, told Siliconrepublic.com recently: “An interesting feature of the GDPR is also the fact that it increases the rights of data subjects, in terms of their ability to take civil actions against organisations that contravene their data protection rights, and obtain compensation from those organisations, so I really think we are going to see a big increase in terms of actions taken by individuals directly against organisations.”
3. Mandatory breach notifications
GDPR will bring in mandatory breach notifications, which will be new to many organisations. In Ireland, for example, all breaches must be reported to the Data Protection Commission within 72 hours, unless the data was anonymised or encrypted. Breaches that are likely to bring harm to the individual – such as identity theft or breach of confidentiality – must also be reported to the individual.
4. Organisations need to start preparing, now
Not only do firms need to study the rules, they need to take a good hard look at how they are currently handling customer data, and identify any gaps. Current laws require businesses to tell customers why they are gathering data and what use it will be put to.
Under GDPR, information must be communicated to consumers before processing data in concise, easy-to-understand and clear language. As well as rights to access requests for the data being held about them, consumers also have a right to demand that their information be corrected or erased.
Organisations will need to have procedures and processes in place for handling these requests as well as clear refusal policies.
5. Legal basis for gathering data
Firms will have to explain the “legal basis” for processing personal data in their privacy notice.
If customer consent is the legal basis for recording and processing personal data, then high standards set out in GDPR will need to be met. Consent must be verifiable and individuals are informed of their right to withdraw consent. Controllers must utilise correct processes and procedures to demonstrate that consent was given in order to have an effective audit trail.
If organisations are gathering data from underage people, they must have systems in place to verify ages and gain consent from guardians. GDPR has special protections for children’s data, especially in the context of social media and e-commerce, and rules around how consent is communicated to underage customers.
6. Appointment of data protection officers
GDPR will require some organisations to designate a data protection officer. These organisations include public authorities, organisations that systematically monitor data subjects on a large scale, or companies that process sensitive personal material on a large scale. The data protection officer can be someone within the organisation or an external adviser, and they will take responsibility for data protection compliance.
7. Ireland to be an authority on data
The new GDPR rules will make it possible for multinationals to deal with one data protection authority as their single regulating body, or lead supervisory authority in the country where they are mainly established. This could have significant ramifications for Ireland’s Data Protection Commission, which could become one of the busiest data regulators in the world, thanks to the presence of global tech giants such as Google, Facebook, Amazon, Microsoft and many others in the country.
The Data Protection Commission has been beefed up to handle this responsibility. Since 2014, there has been a fourfold increase in the organisation’s budget to €7.5m, as well as a doubling of the staff to more than 60 people, with plans to hire up to 35 more people in the coming year.