How will GDPR affect my business?
In the previous entry, we talked about how the General Data Protection Regulation, or “GDPR” from now on, enables ordinary citizens to control their data profiles, or “digital footprint”. In essence, the many rights and options provided by the GDPR mean that the subject becomes the owner of any data collected about him. Should the subject then choose to exercise those rights and that ownership, the data collector or processor must be able to comply. The sanctions for failing to do so are severe and personally, I think that come 2018, the extent of those rights and obligations will be further established by a number of precedent-setting court cases. As helpful as that might be, your business should not end up as the test case.
The best ways to avoid trouble and embrace opportunities with GDPR are awareness, vigilance and pre-planning. Since that goes for practically everything, why are we even writing about this? Because Privago conducted a study and found that 62% of the companies surveyed did not comply even with the basic requirements. The figure is staggering, and it came from a region generally considered a well-behaved adherent of European Union legislation. At the time of writing, we can only speculate what these numbers might be for other, traditionally less conforming regions. Remember that businesses do not actually have to be from the European Union to fall under GDPR. If they conduct data collection and/or run data-based services within the EU, they are and will be subject to EU regulations. The most recent wrench in the works, Brexit, changed nothing. British companies wishing to operate within the EU are under the same obligations as everybody else.
On the ground level, GDPR is implemented by imposing a number of obligations on organisations dealing with data. These obligations are in turn enforced by authorities that we will discuss shortly. Let’s look at the obligations first. To begin with, GDPR makes Privacy Impact Assessments compulsory, and the organisation must be able to prove that its high-risk and high-volume data processing activities have had one. Privacy Impact Assessments include, but are not limited to, detailed descriptions of the data processing activities and their purpose, as well as assessments of their necessity, their risk factors and whatever safeguards and security measures are or can be used to mitigate those risks. If the assessment reveals significant and unmitigated risks, the relevant authorities must be consulted. Finally, the subjects of the data should also be included in the process, if possible. This is going to affect pretty much everybody in the company: marketing, human resources, business development, you name it. The methods of sharing and storing collected data, even within the organisation, also need to be revised and proofed against leakage. The staff will have to be trained to implement these changes and to understand the policies governing them.
Then there needs to be someone who is in charge of all this, complete with a reasonable budget and a plan of action. All organisations can, and those involved in “regular and systematic monitoring on a large scale” must, appoint a Data Protection Officer, or DPO. There are exemptions and special cases that vary from country to country. If a DPO is appointed, she must have both the resources and the managerial independence to do her work: i.e. monitoring policy compliance, arranging training, running audits and co-operating with the relevant authorities. The DPO is also responsible for keeping both herself and the organisation up to date on the latest legislative changes and developments. Depending on location and the nature of the business, appointing a DPO may or may not be compulsory, but it would appear to be the sensible thing to do. The buck must stop somewhere, and the relevant authorities need a reliable contact within the organisation.
What the exact effects of GDPR will be on contracts between third-party data providers and their client organisations is still being defined. What is already clear is that both parties will be held responsible for each other’s compliance with these regulations and must keep sufficient records to guarantee the right of an individual to her own data.
The task of enforcing GDPR will fall mainly on the data protection authorities in each European country and on the new European Data Protection Board (EDPB, just to add more acronyms). The penalties for non-compliance can reach 20M euros in fines, or 4% of annual revenue, whichever is deemed higher. On top of that, failing to protect citizens’ digital rights and privacy may expose an organisation to a variety of civil suits and very bad press.
While the obligations imposed by GDPR may seem heavy and the penalties for non-compliance harsh, remember that the objective of GDPR was nothing less than a revolution in digital citizenship. It is meant to reverse the current trends of privacy erosion and the dilution of the individual’s digital rights as the digitalisation of society continues. By 2018, our whole approach to understanding and managing data-driven businesses and services should be fundamentally different from what it is now.
And that is something that Privago can help you with.