Andrew Dyson is Partner and Co-Chair of DLA Piper’s international privacy and data protection practice. In this article, he discusses the implications of the newly approved General Data Protection Regulation.
Last week, the EU Parliament adopted the long awaited General Data Protection Regulation (GDPR), a landmark set of reforms that will significantly alter the way companies and consumers manage their data.
The regulation will significantly impact the way data is collected, used and shared by organisations, with the objective of harmonising data privacy laws across Europe and protecting the privacy rights of citizens.
Originally initiated in 2012, the GDPR is a major reform of the current European data protection regime.
It will be directly applicable in every EU Member State.
The regulation comes into force in June of this year, and companies will have a two-year window to prepare themselves for compliance.
Personal privacy policies
At the heart of the regulation are a set of new rights to give individuals much greater control over how organisations collect and use their personal data.
Individuals will be entitled to know more about where and how their personal data files are being used and be able to block or erase certain types of processing.
One of the key changes is around consent, as the Regulation requires organisations using information for direct marketing and data analytics to be able to demonstrate that the individual really understands and is in agreement with how their data are being used.
We can expect to see this translate into a ‘layered’ approach to privacy policies, where users can click through to find out more about various types of processing taking place in a simpler format, and ‘preference’ centres, where users can actively choose how their personal information is used and shared.
Right to be forgotten
The regulation emphasises the “right to be forgotten,” a new right that allows individuals to ask that data held without legitimate grounds be deleted.
This includes information that may have been held by previous employers, financial service providers and social media platforms.
Now the rules are set, we will start to see companies investing in technologies to allow more granular management of data sets consistent with these rights.
Companies will also need to invest more broadly in information governance to manage compliance with the Regulation.
GDPR specifies that organisations over a certain size must have a Data Privacy Office (DPO) in place.
The DPO must be given free rein to drive privacy compliance within the organisation, also advising senior management if it is not being managed effectively.
A supporting framework of practical policies and guidance notes, training and audits will ensure data are collected, used and shared in a manner consistent with the rules.
For higher-risk projects, for example the development of new digital tools, Privacy Impact Assessments should be carried out as a mandatory prerequisite.
The purpose of these is to identify and mitigate risk early in the development lifecycle.
Vendors who process data on behalf of their clients, for example by offering cloud based services, will be under particular scrutiny.
These companies will be subject to direct regulation for the first time. They will be required to adopt effective security measures to protect the confidentiality of client data, to respond to any data breaches affecting those data assets, and to carefully control where and how that data is used and stored.
Fines and folly
Data breaches are a critical consideration for organisations of all sizes, as cyber-attacks and internal leaks have become more pervasive in recent years.
Organisations must notify any data protection breach to their supervisory authority within 72 hours, with no ‘undue delay’ if there is a particular threat to individuals’ data.
Coupled with the maximum potential penalty of a fine up to 4% of group global turnover, the stakes are high for what might have been a stumble on data protection in the past.
As breach reporting will become a mandatory requirement, expect to see a lot more stories about cyber breaches going forward, as companies that previously may have tried to keep breaches quiet will be forced to report them.
The future of privacy
It has been widely acknowledged that reforms of data protection were necessary given the impact of the internet, big data, cloud, social media and ‘Internet of Things’ over the last two decades.
The enactment of GDPR provides a new dawn for data privacy, protecting rights, developing trust and hopefully mitigating the risk of data breaches.
With a two-year window in which to be GDPR compliant, now is the time for companies to take practical steps towards meeting the new standards of data protection in Europe, to ensure that GDPR enables rather than hinders digital growth.
Keep an eye out for guidance from national data protection authorities, such as the ICO, which will add helpful practical detail to the measures in the regulation.
But above all, do not ignore the changing landscape – given the very significant financial sanctions, non-compliance with GDPR is not an option.