How can your business prepare for changes to GDPR? Liz Fitzsimons, Partner, Privacy and Information Law, Eversheds Sutherland (International) explains
The General Data Protection Regulation (GDPR) applies across the EU member states from 25 May 2018. Notwithstanding Brexit, GDPR will still apply to the UK, which will still be a member state on that date.
The GDPR updates and upgrades EU data protection legislation, replacing the current 20-year-old data protection laws. It aims to future-proof the law against technological developments and new uses of personal data, and to help harmonise data privacy law across the EU. A key goal is to rebalance the relationship between the bodies using personal details and the individuals affected, to be achieved through greater transparency and accountability obligations, supported by enhanced individual rights. Compliance will be backed by the EU data protection regulators, such as the UK's current Information Commissioner's Office, each of which gains a powerful new range of enforcement powers. These include the ability to fine those in breach up to the higher of €20m or 4% of annual global turnover.
What effect will it have on organisations?
Regulators are adopting an enforcement regime modelled on competition law, and in many countries, including the UK, GDPR substantially increases the potential risk from non-compliance with data protection legislation. Many clients are addressing the issue at board level and including GDPR compliance on group risk registers.
The GDPR net is also cast more widely than under current laws, imposing direct compliance obligations and liabilities on service providers (processors) as well as on their customers (controllers) when handling personal information. Nor is its impact limited to organisations operating within the EU member states: it has extra-territorial reach. This will be particularly important for providers servicing customers and end users in the EU, for organisations offering goods and services to individuals in the EU, and for those monitoring the behaviour of individuals in the EU, for example by online tracking or profiling. Risk assessment and compliance planning should factor in that fines may be calculated on total group turnover and can be triggered by a wide range of breaches, such as failing to provide an individual with a copy of their personal data when required; fines are not restricted to security breach scenarios. There is no materiality threshold for breaches, and the highest tier of fines is reserved for breaches of individuals' rights. In addition, each affected individual can sue for compensation for a breach, even where there is no financial loss. More practically, regulators can block the flow of data from Europe to other countries or prevent the ongoing use of an IT system, such as a CRM database.
GDPR will introduce mandatory breach reporting obligations: personal data breaches must be reported to the regulator, where feasible within 72 hours of the organisation becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and the affected individuals must be told directly where the risk to them is high. Even if an organisation does not report, it may be named in a third party's report, for example by a service provider or business partner involved in the same incident. Regulators will make proactive spot checks (which may start remotely, online), and the risk of complaints and whistleblowing from individuals, unions or works councils should not be underestimated. Class actions are starting to be seen, and media and privacy campaign groups are very active.
For the first time, organisations will be expected to know what personal data they collect and use, why it is needed, what it is used for, why that use is lawful, how long it will be kept and where it goes around the world. There will be a new legal obligation to have appropriate policies and to keep records evidencing how the organisation's use of personal data complies with GDPR requirements. Use of personal data will also need to comply with mandatory privacy by design and by default obligations. The outcome is that privacy compliance will need to be front of mind rather than an afterthought, with an appropriate privacy compliance culture embedded in your organisation.
How should organisations ensure they prepare for GDPR?
What you need to do will depend on the complexity of your organisation and its use of personal details, as well as on how compliant you are currently. The key thing is to start now. The following plan should help.
Reconsider what you use personal details for, whether you use more details than you really need, and whether you keep them for longer than needed. Challenge yourself. Securely delete or destroy unnecessary details as soon as possible.
Find out where you interact with people, how you collect their personal details and what you tell them when you do. Make sure you can deal with all of these interfaces, and update your privacy notices and consents, unbundling them from contract terms.
Make sure that you are aware of individuals' rights, that your staff are aware of them, and that your staff and systems are able to recognise such requests and deal with them properly within the set deadlines (generally one month from receipt).
When entering contracts now for systems and services that you will use after May 2018, make sure they comply with the new GDPR rules on privacy by design and default and with the new obligations (on both parties) that apply when using service providers.
We are supporting many clients with their GDPR compliance strategies and implementation. Do get in touch if you have queries or need help.
Partner, Privacy and Information Law
Eversheds Sutherland (International) LLP