UK organisations and the EU General Data Protection Regulation - risks, costs and rewards
After three years of arduous discussion, it now certain that the EU's long-awaited General Data Protection Regulation (GDPR) will finally become law sometime in 2016. Although it is not the first piece of legislation to affect EU member states - the Data Protection Directive (95/46/EC) has been in place since 1995 and will be supplanted by the GDPR - the majority of businesses have grasped that it is without doubt the most far reaching.
From the outside, the GDPR can look complex and inscrutable of the sort that can only be understood by legal experts. Here we try and reduce it to its bare essentials, the parts that organisations must know about and, after a bedding-in period that might stretch to two years, comply with.
The GDPR represents a huge change in the way organisations must approach data but it also offers opportunity. Businesses able to adapt to the GDPR quickly will reap the benefits down the line.
It sounds like an obvious point but it is worth re-stating that the GDPR is a set of rules governing the security and management of personal data, both of customers and employees. Until recently, this would have covered only records held on or about individuals but in an age of big data it should be defined as any data that could be used to identify someone.
Inevitably, some argument has surrounded how one can separate and define non-personal (i.e. anonymous) data that is not covered from data that could, in some circumstances, make someone identifiable. What is clear is that the data organisations (called 'data controllers') hold and gather on people is now an issue of business risk.
The GDPR has taken over three years from its earliest drafts in 2012 to reach the stage where agreement is in sight, now expected by the end of 2015 or very early 2016. After that, full enforcement should commence two years later, in late 2017 or early 2018.
The EU issues directives as general provisions that can be enacted on any timescale a country wishes. By contrast, a regulation has the force of law, is immediate across all states within a defined timescale), and does not require legislation in each country. That is the point of regulations - everyone has to comply.
Initially only those with more than 250 employees processing over 5,000 records per annum although in time small enterprises of all sizes and record throughput will come within its scope. The timetable for this extension is not yet clear. Importantly, business based outside the EU will also be affected by the GDPR is they do business inside the EU, extending its reach to a global level.
Organisations must identify which data held by them qualifies as personal, where this is physically stored and in what state. Because this introduces a management overhead, it will be in the interest of businesses to minimise the data they collect in future, ensuring its accuracy
The GDPR has fuelled a small industry of legal and compliance practitioners who will help organisations through the pitfalls of compliance. However, organisations must always set up their own internal structures to cope with something as complex as the GDPR (see below).
Because the GDPR underlines the privacy of personal data, this must from now on be built into the way data is collected and managed, so-called 'privacy by design'. All data must be gathered with explicit rather than assumed consent and the right for data subjects to withdraw that communicated and explained as part of its lifecycle. In future there it won't be possible simply to accumulate and hold on to data because there is no policy for disposing of it.
Probably the most contentious data protection ruling for years, in May 2014 the European Court of Justice ruled that search engines such as Google were data processors and that citizens had the right to ask that content referring to them be 'forgotten'. Although the case was part of the current data protection setup, the GDPR would define a more limited 'right to erasure'. Exactly what this will mean is still unclear and could depend on future rulings.
Under the GDPR, organisations that believe they have suffered a breach with data protection implications will have 72 hours to report it to the local information commissioner from the point at which it is discovered (this might be reduced to 24 hours in future). Breaches of data protection (of which a full breach is only the most serious example) will result in fines of at least two percent of global turnover or 1 million Euros, whichever is greater. Exactly how compliance failures will be tired within these numbers has yet to be spelled out.
One defence against mandatory breach notification will be where the data is unreadable or in an inaccessible state, which today means that it was encrypted. Where this is the case, notification will not be necessary. However, the sting in the tail is that this means encrypting all personal data not - as today- selected parts of it such as credit cards or social security numbers. The keys will also need to be protected.
On the other hand, reporting will be simpler in that organisations will only have to report a breach once, rather than face multiple investigations across EU states. This will save time and cost even if the fines will now be far greater than under any national data protection regime.
The appointment of a Data Protection Officer (DPO) will be mandatory for all organisation with more than 250 employees, who will have the job of independently assessing that organisation's data governance stance.
Data processors will have to ensure that personal data moved or processed outside the EU (e.g. in US datacentres or the cloud) complies with the GDPR. If this turns out not to be the case, this will represent another area of hidden risk.
Despite the way it raises the bar for compliance and punishment, the pay-off for multi-national businesses in particular is that the GDPR reduces 28 sets of different data protection laws to a single regulation, hugely reducing compliance costs, complexity, risk and uncertainty over reporting. This benefit also applies to firms based outside the EU which operate in its markets. By boosting the rights of citizens to control their personal data the hope is that it will also make the EU a haven for personal data and directly influence the data governance regimes in other parts of the world.