How often do organisations get 750 days’ notice of new rules that may require them to make huge changes to comply?
Well, it’s happened. The European Commission has just announced that the General Data Protection Regulation, a mighty piece of legislation that took over 4 years to negotiate, will come into force on 25 May 2018.
What will it mean to most organisations?
Potentially, lots. Unlike Y2K, which passed (mercifully, on 1 January 2000) without a hitch, the new rules are potentially pretty disruptive. After all, from May 2018, organisations will be under greater obligations to provide assurance to their boards, customers and regulators that their data protection processes and procedures are fit for purpose.
For the most serious violations (such as ignoring data subjects’ rights), privacy regulators will be able to impose penalties of up to €20m or 4 percent of global revenue (whichever is higher). This is a critical change compared to current UK fines, which are capped at a maximum of £500,000.
Other changes include:
• Responsibility for data protection. Any organisation that processes or accesses personal data will also be held responsible for its protection, including third parties such as cloud providers. Data processors (not only data controllers) will be accountable for protecting data.
• Applicability and extraterritoriality. Any organisation that processes personal data on individuals in the EU is in scope. This includes companies that are established outside the EU, even if they have no physical presence in the EU.
• Data protection officer. Many companies will need to designate a DPO.
• Data breach notification. Currently, different countries have different rules on data loss reporting. The GDPR will streamline the process, requiring regulators to be informed within 72 hours.
• Claims and damages. Individuals and some representative organisations will be able to claim damages in certain cases. Litigation can be extremely costly and invariably results in both reputational and financial losses. Reputational damage will be a key consideration in managing the data breaches that will be reported to both regulators and customers.
• Transparency and individual rights. Organisations will have to provide much more information to individuals about how their personal information is being processed, their rights and safeguards. These include the right to be forgotten, the right to restrict the processing of their personal data, and the right to data portability.
How can organisations prepare for these changes?
There will be no shortage of advice from the consulting firms that have been waiting a long time for the starting gun to be fired.
But how can they prevent themselves from over-engineering the solution?
As we experienced when the new cookie rules came in, some organisations tried almost too hard to implement the rules. Users were offered a bewildering array of choices about what cookies could be dropped on their device. Now, the general tendency is for organisations simply to say: “We use cookies, get over it. Click for more details.”
I’ve prepared for these changes by changing my own job. I’m now leading the data protection offering at a major consultancy firm, and am able to help clients by offering them support from a wider array of data protection specialists than was previously the case.
Wish me luck in my new role, and don’t hesitate to get in touch if you and/or your organisation need help in developing or implementing an enhanced privacy compliance programme.
Transformation and behavioural change?
Yes we can.
So let’s do it.
If your clients want to know what good data protection practices look like, you know I can help.