Thursday, 5 May 2016

750 days to go before the new data protection rules bite

How often do organisations get 750 days’ notice of new rules that may require them to make huge changes to comply?

Well, it’s happened. The European Commission has just announced that the General Data Protection Regulation, a mighty piece of legislation that took over 4 years to negotiate, will come into force on 25 May 2918.

What will it mean to most organisations?

Potentially, lots.  Unlike Y2K, which passed  (mercifully, on 1 January 2000) without a hitch, the new rules are potentially pretty disruptive. After all, from May 2018, organisations will be under greater obligations provide assurance to their boards, customers and regulators that their data protection processes and procedures are fit for purpose.

For the most serious violations (such as ignoring data subjects' rights) privacy regulators will be able to impose penalties up to €20m or 4 percent of global revenue (whichever is higher). This is a critical change compared to current UK fines, which is a maximum of £500,000.

Other changes include

    Responsibility for data protection. Any organisation that processes or accesses personal data will also be held responsible for its protection, including third parties such as cloud providers. Data processors, (not only data controllers) will be accountable for protecting data.
    Applicability and Extraterritorially. Any organisation that processes personal data on individuals in the EU is in scope. This includes companies that are established outside the EU, even if they have no physical presence in the EU.
    Data protection officer. Many companies will need to designate a DPO.
    Data breach notification. Currently, different countries have different rules on data loss reporting. The GDPR will streamline the process, requiring regulators to be informed within 72 hours.
    Claims and damages. Individuals and some representative organisations will be able to claim damages in certain cases. Litigation can be extremely costly and invariably results in both reputational and financial losses. Reputational damage will be a key consideration in managing the data breaches that will be reported to both regulators and customers.
    Organisations will have to provide much more information to individuals about how their personal information is being processed, their rights and safeguards. These include the right to be forgotten, the right to restrict the processing of their personal data, and the right to data portability.

How can organisations prepare for these changes?

There will be no shortage of advice from the consulting firms that have been waiting a long time for the starting gun to be fired.

But how can they prevent themselves from over-engineering the solution?

As we experienced when the new cookie rules came in, some organisations tried almost too hard to implement the rules. Users were offered a bewildering array of choices about what cookies could be dropped on their device. Now, the general tendency is for organisations simply to say: “We use cookies, get over it. Click for more details.” 

I’ve prepared for these changes by changing my own job. I’m now leading the data protection offering at a major consultancy firm, and able to help clients by offering them support from a wider array of data protection specialists than was previously the case.

Wish me luck in my new role – and don’t hesitate to get in touch if you and/or your organisation need help in developing or implementing an enhanced privacy compliance programme.

Transformation and behavioural change?

Yes we can.

So let’s do it.
If your clients want to know what good data protection practices look like, you know I can help.