A radical overhaul of the data protection laws in the European Union is coming on May 25, 2018, and companies based in or operating within the EU’s borders should be preparing for these changes and the compliance challenges they will bring.
Smartphones, the Internet and new digital technologies have transformed the way data is collected and handled, and the current legislation is out of date. The sheer volume of personal data online is unfathomable. The General Data Protection Regulation (GDPR) is the EU’s attempt to harmonize data protection laws across Europe, and it will be a radical change, as it will affect every business processing (collecting, recording, using or disclosing) data relating to an identified or identifiable natural person (personal data). The legislation was voted through in April 2016 and will come into effect in May 2018. (75 days to go)
The GDPR is an inescapable piece of legislation that companies will have to take into consideration going forward. Compliance cannot be avoided, since most companies frequently process personal data as part of their business activities, hold personal data about their employees and possibly use that data for marketing purposes. Any company that holds and processes data about citizens of the EU will have to comply, regardless of whether it is based in the Union.
If companies don’t comply with the GDPR, severe fines are in place. The maximum penalty for noncompliance reaches €20 million or 4% of annual turnover, whichever is higher. So there is no room for complacency. What, then, are the preparations companies need to make in order to assimilate the new rules and minimize the risk of incurring such fines and possible damage to their reputation?
Under the new regulation companies will be required to comply with the law and have records to demonstrate it. As such they should introduce a compliance programme that will put in place a set of policies, procedures and audit controls with which to monitor and ensure compliance. For such a programme to be successful it may require all areas of the business to work together in order to raise awareness of the new regime and its possible impact on daily business, and to aid risk assessments and record keeping. The new regulation prescribes the way data is captured and used, meaning that companies should undergo a detailed review of their personal data processing activities.
A vital step that companies will need to undertake is to assess the legal basis for processing personal data: consent, legitimate interest, compliance with the law, performance of a contract, etc. Once the basis has been identified, companies should keep a record of it. If companies are relying on consent from individuals to process their personal data, they will need to meet a higher standard than previously. Consent must be informed, specific, freely given, clear and revocable. Under the GDPR, pre-ticked boxes, silence or inactivity no longer count as consent; these practices, common today, won’t meet the new standard.
The regulation introduces a new requirement for transparency, meaning that companies will have to be open about the way they process personal data. All individuals that companies process information about will have to be informed about what information is held about them, how it is used and who it is shared with. Privacy notices, under the GDPR, will be required to provide a greater level of information and will have to be far more specific and granular. Companies should take note that one of the most prominent new requirements is that privacy notices have to detail the legal basis for processing the personal data. Many organizations will need to update their current privacy notices.
Companies will have to abide by the “right to be forgotten” provision in the GDPR. Individuals will have the right to require firms to erase their personal data. This can happen if the data is no longer necessary for the purpose it was collected for, or if the individual withdraws consent. Companies may reject a request to be forgotten if the data is necessary for establishing, exercising or defending a legal claim, or where the law requires the data to be kept. It is important for companies to consider the circumstances in which such requests may be rejected and to work out how to give effect to any request they accept. In practice this will require companies to review their retention practices in general, as data shouldn’t be kept longer than necessary.
Many organizations store the personal data of clients and employees and, under the new regulation, will need to consider how consent was given for processing purposes and recognize that silence or tick boxes will not be considered consent after May 25. New standard templates for obtaining consent for marketing purposes will need to be established, clearly explaining how the data will be used and for how long it will be stored. For employee data, organizations should identify the most appropriate legal basis for processing personal data and carry out periodic reviews to remove data that is no longer required on former or prospective employees.
The GDPR introduces new rules on data security and potential breaches, requiring breaches to be reported within 72 hours to the local data protection authority. In some cases the affected individuals must be informed as well. Companies should also inform and educate their employees on the new regulation, and regular training on the GDPR should be given to all staff so they know the implications of noncompliance. Smaller companies may not have the resources that Facebook and Google have to hire a whole team to deal with the GDPR, and that is where certified training comes in. Companies like Sensei Club, which offer professional accredited training courses, can help organizations build capabilities, educate staff and equip them with the tools needed to tackle this transformation effectively: reducing the risk of data breaches and data leaks, building cost-effective privacy policies, and demonstrating accountability and due diligence. Regulators will insist that organizations demonstrate that significant effort and resources have been put in place; compliance structures and adequate staff training are a significant part of that. Then there is also the fact that organisations need to remain compliant, monitoring their systems and hopefully improving over time.
When dealing with third parties, companies will also have to make sure that the third party complies with the GDPR before sending personal data to it.
With just a few months left before the GDPR comes into force, companies should be actively preparing to ensure that they comply with the new regulation. For some it will be a matter of identifying what measures already exist, what steps still need to be taken to comply, and filling the gaps. The legislation has already been approved and comes into force on May 25, 2018, so companies shouldn’t be complacent. The fines can be crippling to a business, and there is a serious risk of damage to a company’s reputation if it doesn’t comply.
Preparation is key if companies want to avoid losing clients, but it can also be a source of competitive advantage. Clients and users, for obvious reasons, already prefer providers and suppliers that show efforts to comply.
Looking for ways to grab some extra market share? Well, here you go.
What's your move?
Author: Teodor Teofilov