UK Braces for Changes to Data Privacy Laws

6 Ways GDPR Changes Data Privacy and Security for Your Business

In May 2018, European Union authorities will begin enforcing strict new standards for handling the personal data of EU residents. Outlined in the new General Data Protection Regulation (GDPR), these standards will apply to businesses that handle personal data of individuals in the EU — even when no transaction takes place and regardless of whether a business is physically located in Europe.

What is GDPR and What Does it Mean to You?

According to the European Commission, GDPR is “the most important change in data privacy regulation in 20 years.” The Commission believes that the new law, which will replace the EU’s 1995 Data Protection Directive, will reshape the way organizations across the region approach data privacy. It’s important to note that GDPR rules apply to both controllers and processors. All downstream parties handling data must also follow GDPR if it applies to the original data-handling organization. Significantly, the concept of “processing” personal information includes a litany of actions, spanning from initially obtaining the personal data through internal storage and transfer and ultimately to any external transfer and deletion. GDPR enforcement will extend into all aspects of organizations, including cloud computing, social media, and the internet of things.

The six key features of GDPR:

  1. Breach Notification: GDPR requires organizations to notify the supervisory authority of any personal data breach unless it is unlikely to "result in a risk for the rights and freedoms of individuals". Where feasible, the notification must be made within 72 hours of becoming aware of the breach; if it is made later, it must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to individuals, the organization must also notify the affected data subjects "without undue delay".
  2. Consent Requests: The new rules strengthen the conditions for consent. A request for consent must be presented in clear and plain language, in a form that is easily accessible and clearly distinguishable from other matters, and the controller must be able to demonstrate that consent was given. In addition, withdrawing consent must be as easy as giving it.
  3. Data Subject Rights: GDPR also expands the rights of data subjects to obtain the personal data a company holds about them, to request details on how that data is being used, and to exercise the "right to be forgotten", among others. Where the grounds for erasure apply (for example, the data is no longer necessary for the purpose for which it was collected, or consent has been withdrawn and no other legal basis exists), controllers are obliged to erase the subject's personal data on request.
  4. Privacy by Design: The new rules call for "data protection by design and by default" - building data protection into the design of systems and processing operations from the outset, rather than adding it as an afterthought, and ensuring that by default only the personal data necessary for each purpose is processed.
  5. Data Protection Officers: Public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health or biometric data), will be required to designate a data protection officer (DPO), who may be an employee or an external appointee. Among other rules, the DPO must report to the highest level of management and be provided sufficient resources to carry out the job and "maintain their expert knowledge".
  6. Data Protection Impact Assessments: Where a type of processing, in particular one using new technologies, is likely to pose a high risk to data subjects, GDPR requires the organization to carry out a detailed assessment of the impact of the anticipated operation on the protection of personal data before the processing begins. If the assessment shows that the high risk cannot be mitigated, the supervisory authority must be consulted first.

GDPR is designed to apply to all industries. Its expansive compliance requirements go beyond what many companies are required to adhere to today. For organizations with inadequate or untested privacy and information security controls in place, compliance may prove difficult and complex. While the road to being GDPR-ready may look formidable for many organizations, the business and financial effort required to comply is far outweighed by the regulatory, financial and reputational harm that could result from a failure to do so.

Responding to GDPR

While some organizations are already preparing to comply, others are unaware that GDPR exists. Still other companies are familiar with the new rules, but have decided to hold off on preparations while waiting for clarification on certain provisions and confirmation that the new rules will indeed apply to them.

Despite this uncertainty, a wait-and-see approach is ill-advised. GDPR will require any company that targets EU consumers to conform to a unified privacy regime. For those without a current model, the process of building, testing, and deploying the sophisticated data infrastructures and security systems that GDPR demands — plus instituting new policies and procedures — will be a significant undertaking. Preparing internal processes and controls can take a significant amount of time for any company — and there will be no additional grace period once the law goes into effect.

Potential fines are severe for companies that violate GDPR, particularly if regulators find evidence of negligence, wilful disregard for known compliance shortcomings, or harm to a large number of EU residents through, for example, a security breach. The regulation sets two tiers of administrative fines. For infringements of its core provisions, including the basic principles for processing, the conditions for consent, data subjects' rights, and the rules on international transfers, fines can reach 4 percent of the company's total worldwide annual turnover for the preceding financial year, or €20 million, whichever is higher. Other infringements, such as failing to notify a breach or to appoint a required DPO, attract fines of up to 2 percent of turnover or €10 million.

Advantages of GDPR

The cost to comply with GDPR may represent a significant investment, but companies can realize broad operational benefits from GDPR-related exercises such as creating data inventories, conducting security assessments, and building privacy protocols. At a base level, companies should know what personal data they collect, where it is stored, and how it moves across the enterprise. A common issue uncovered by data inventories, for example, is personal data that is retained but no longer used for any purpose. By ceasing to collect unnecessary personal data and deleting what is no longer needed, companies reduce both their risk and their storage and processing costs. This matters because, under GDPR, personal data may be collected only for specified, explicit purposes, and processing it for a new, incompatible purpose requires a fresh legal basis, such as renewed consent from the individual.

Implementing policies and practices to address the challenges posed by GDPR provides tangible and long-lasting benefits that extend well beyond regulatory compliance. Clear classification of data enables better disaster recovery and business continuity planning. By keeping up-to-date records on privacy policies, data, risks, and IT controls, organizations will likely see improvements in storage management, business continuity planning, and risk mitigation, as well as an overall reduction in their information security threat profile. With so many recent security breaches happening at large, global organizations, the general public is far more aware and concerned about the protection of their personal information and should welcome the heightened protections.

Leading an effective GDPR compliance and control effort will require cooperation between companies and their vendors, as well as among different business units within the enterprise. As with any change, companies must establish new governance structures — including program management infrastructure, organisational oversight, and reporting and communications — to steer and guide their initiative. The next steps are to build data inventories and conduct an information security assessment that includes a review of networks, devices, and IT infrastructure to reveal potential vulnerabilities. To meet GDPR criteria, companies must then take a close look at their privacy governance and policies, improve their consent protocols, and create channels to address requests from individuals regarding their data. Organisations should perform testing to ensure that all identified gaps are closed — including documentation and process gaps.

Post-Brexit Data Protection

For firms that trade across borders, adhering to GDPR standards for data protection is an inevitability. It is worth noting that Brexit changes nothing in terms of personal data relating to EU data subjects: GDPR applies to any organization that offers goods or services to, or monitors the behaviour of, individuals in the EU, wherever that organization is located. Even after Britain leaves the EU, UK organizations holding personal data of EU residents will still have to comply. Could the UK downgrade its domestic data protection standards post-Brexit? It seems unlikely, given that UK firms will want to keep transferring data seamlessly across borders, and the EU permits such transfers to a non-member country only where that country's protections are judged adequate.

Start now on the Path to GDPR Readiness

Compliance with GDPR will require much more than the flick of a switch. Full compliance will be required from 25 May 2018, and the technology, corporate policy changes, and professional resources needed to meet this standard could demand a considerable amount of time, financial investment, and technical expertise not currently present in the business plan or related budget. The trend towards stronger privacy protection and global regulation of data collection will continue for the foreseeable future. Companies that embrace this process now may well find that they have a broader global advantage in the not-too-distant future.
