The GDPR was passed in Spring 2016 and must be fully implemented by the 25th of May 2018. It is time to start that project. What are the hurdles that you’ll have to tackle?
The General Data Protection Regulation (GDPR) is the new EU-wide regulation governing data protection. It replaces the existing EU directive as well as the differing national data protection laws. It is no longer necessary for the EU member states to introduce their own implementing legislation (although they can still adopt further measures in some areas).
What is the GDPR and why was it introduced?
The general idea is as follows: a unification of standards and regulations for the whole EU and, correspondingly, an adjustment to technological and economic developments (such as cloud technologies and the growing relocation of data processing and the export of data).
The GDPR was passed in Spring 2016 and must be implemented by the 25th of May 2018. Most people surely thought that they had plenty of time for the realisation, but the clock kept on ticking, and now a lot of companies and organisations are getting nervous because there is still a lot to be put into practice.
The GDPR’s significant new features
Using Google, you can find many articles about the new features compared to the existing EU data privacy regulation.
These are the essential points:
- Reporting requirements for incidents and accidents
- Regulations for declarations of consent (including minors)
- Privacy Impact Assessment
- Appointing data privacy officers
- 'Right to be forgotten'
- Data processing
- Data portability
What’s interesting here is that most of the new features are not completely new regulations: they could already be found in the old EU directive and especially in the German Federal Data Protection Act. So why is there so much uncertainty and fear of repercussions?
Even though these regulations already exist, many companies seem to lack compliance and have somehow scraped by because of limited audits and manageable fines. Now, however, large penalty payments are looming over them: a fine amounting to 2-4% of global annual revenue. This explains the panic and fear of many companies.
Comparing other EU countries
Many countries implemented the old EU directive 95/46/EG relatively unmodified and took a rather minimalistic approach to its implementation.
I want to focus on two main topics that have the most significant impact on the practical implementation of the EU data protection laws:
- Obligation to appoint a Data Protection Officer:
In the old EU directive this used to be optional and was therefore not adopted into many national legislations. Now it is mandatory if personal data is crucial to the business model or if sensitive personal data is being processed. Just think about how many companies will need to appoint one because their business is built on personal data. It will be interesting to see how they are going to find enough people with the required expert knowledge and experience to fill all the data protection job offers.
- Contract data processing:
Even though the concept of data controllers and data processors is not new, contracts for data processing in other countries have been handled rather leniently (much like the situation in Germany before 2009). Combined with Privacy-by-Design, this entails more stringent requirements and therefore a higher frequency of checks by regulators. As a result, more audits by the corresponding responsible officials in the private sector, e.g. vendor audits, should be anticipated.
What happens to England?
Last year was eventful, especially with the UK voting to leave the EU. Does this mean the UK will not have to comply with the GDPR? According to the Brexit negotiations, the actual exit won’t take place before the 25th of May 2018, meaning the GDPR will apply in the United Kingdom as well. Additionally, there have been various statements by the UK government that it intends to keep the GDPR in its current form even after Brexit, since it allows for easy data transfers to and from EU countries.
Implications outside of the EU
A further change is the abandonment of the so-called principle of territoriality in favour of the market location principle, meaning that the regulation applies to companies outside the EU if they process data of EU citizens. This mainly affects companies that operate directly in the EU market. However, it may also result from data processing contracts in the context of supplier relationships.
Expected obstacles and some practical tips
So what can be done in order to prepare for the GDPR? It should be mentioned that we are in a somewhat unfortunate interim phase that may lead to uncertainties. Formally, the old rules apply until the 25th of May 2018, but no regulatory authority will make clear statements on vague or uncertain topics that may change at the transition date (e.g. data processing contracts with non-EU service providers, the applicability of EU Model Clause contracts or EU-US Privacy Shield constellations, etc.). Some of the regulations also need further structuring and shaping, for instance the accreditation of GDPR-compliant certifications or Codes of Conduct.
For a first overview of your degree of maturity, it is useful to conduct an analysis of your own processes and IT systems as well as of the relevant data processing service providers you employ. Such an analysis can be done by specialised consulting companies or by conducting your own GDPR maturity self-assessment. With the results, you will be able to prioritise measures against compliance risks and subsequently quantify their effectiveness.
All in all, a Plan-Do-Check-Act cycle should be run as a regular process for continuous improvement. That way, audits by regulatory authorities or by your own clients can be handled efficiently.