European Union (EU) data protection rules that are expected to become law in 2018 affect every business and organisation and cannot be ignored, according to legal experts.
The final text of the General Data Protection Regulation (GDPR) was agreed in December 2015 after four years of political negotiations and lobbying.
The GDPR, which is aimed at reforming the out-dated EU Data Protection Directive, is expected to be approved by the EU parliament when it meets in January 2016.
When approved, the GDPR will become law in 2018 across all 28 EU member states and will replace the inconsistent laws the EU member states implemented to comply with the 1995 directive.
“This will impact every entity that holds or uses European personal data both inside and outside of Europe,” said Stewart Room, cyber security and data protection partner at PricewaterhouseCoopers (PwC).
For this reason, it would be a huge mistake to ignore the GDPR until it becomes enforceable in 2018, according to Eduardo Ustaran, partner and European head of data protection at law firm Hogan Lovells.
“Whether we see the GDPR as a blessing or a threat – or something in between – it is not only wise, but a necessity to pay attention to what this ambitious framework is trying to achieve and has delivered,” he said in a blog post.
Because the digital economy is at the core of what the GDPR is all about, Ustaran believes it will affect all businesses, not only in Europe. “One of the most carefully thought-out aspects of the GDPR is its extra-territoriality,” he said.
A change in data regulation
The final text of the GDPR replaces references to EU-based data processing equipment with the concept of “monitoring the behaviour” of EU residents by tracking their digital activities.
“This is as wide as it gets when it comes to the applicability of the GDPR, given that pretty much every website and app in the world does that,” said Ustaran.
A key element of the GDPR is that it not only gives rise to increased compliance requirements, but these are backed by heavy financial penalties, which in the final text turned out to be up to €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater.
The fines apply to infringement’s of the basic principles for processing, including conditions for consent, data subjects’ rights, the conditions for lawful international data transfers, specific obligations under national laws permitted by the GDPR, and orders by data protection authorities including suspension of data flows.
Although the fines are not as high as the proposed extremes of €100m or 5% of global turnover, is is higher than the expected 2% or 2.5%, and most organisations are likely to take these fines seriously, especially large tech firms such as Google, Facebook, Apple and Microsoft because non-compliance could potentially result in fines of billions of dollars.
Organisations that have failed to heed advice not to wait until the publication of the final text of the GDPR before taking action will face the challenge of having only two years to implement all the necessary changes to their systems and operations to meet the new compliance requirements.
“GDPR is a paradigm change in the way that data collection and use is regulated. We have moved from an era of relatively laissez-faire regulation of data in Europe to having the most stringent data laws in the world,” said Ross McKean, partner at law firm Olswang.
Although two years may seem like a reasonably long time to prepare for the regime, he said that in that time organisations will need to completely transform the way they collect and use personal information.
“This is not a compliance or legal challenge; it is much more profound than that. Organisations will need to adopt entirely new behaviours in the way they collect and use personal information,” he said.
Vinod Bange, partner and head of the UK data protection/privacy practice at law firm Taylor Wessing, said one of the fundamental changes is that companies that provide services to other companies – known under the legal term of “data processors” – will also be subject to the GDPR, and therefore face the same hefty fines for breaching the GDPR, which will affect technology service providers in particular.
“The GDPR looks to adopt prescriptive rules around how organisations will need to demonstrate that they comply with the GDPR. Businesses will have to genuinely adopt governance and accountability standards and not pay lip service to data privacy obligations otherwise they could be in for a surprise as the stiff new fines will apply to that requirement too,” he said.
The journey to compliance
According to PwC’s Stewart Room, organisations’ strategy and approach to comply with the GDPR will need to encompass the three key components reflected in the regulation, namely a new compliance journey, a new transparency framework and a new enforcement, sanctions and remedies framework.
The new compliance journey will require entities to map and classify all their personal data; perform risk assessments; design privacy protections into all new business operations and practices; employ dedicated data protection officers; monitor and audit compliance; and document everything they do with data and everything they do to achieve legal compliance.
The new transparency framework will require entities to re-think how they engage with people, including their contracting and permissions processes and how they give clear and full information on what is happening to personal data.
When a breach of security or confidentiality arises, entities will have to notify the incident to the regulators. In serious cases, they will have to notify the people affected.
The new enforcement, sanctions and remedies framework will give regulators unprecedented powers to intervene in business and shape how entities conduct their operations, including the power to impose heavy fines.
Individuals will be able to exercise a “right to be forgotten”, a “right of data portability”, enhanced rights of access to their data and enhanced rights to demand the end of use of their data.
They will also be able to sue entities for compensation, if they are distressed by acts of non-compliance.
GDPR a substantial learning curve
Ustaran notes that the GDPR is loaded with requirements to make businesses more accountable for their data practices. “This is the area where the heavy weight of the GDPR will be most felt in practice. New responsibilities such as data protection by design, data protection by default, record keeping obligations, data protection impact assessments and prior consultation with data protection authorities in high-risk cases will require managerial effort and investment,” he said.
Many of these obligations are entirely new, so for the majority of businesses this will involve a substantial learning curve. “Knowing how much – or how little – effort will need to be devoted to getting this right will be a considerable task in itself,” said Ustaran.
The GDPR makes clear that legalising data flows to non-EU jurisdictions will continue to be a priority from a compliance perspective.
For this reason, Ustaran said another key challenge facing organisations is finding a practical way of overcoming the legal limitations affecting data transfers.
“At least the menu of options available is becoming broader, so the excuses for non-compliance will become harder to justify,” he said.
With the safe harbour agreement invalidated in 2015, it should come as a relief to some companies that the GDPR does recognise standard contractual clauses and binding corporate rules as legitimate frameworks for transferring EU citizen data out of the EU.
However, EU negotiations with the US to establish a framework to replace the safe harbor agreement are expected to be finalised by the end of January 2016.
Now that the text is finalised and the two-year implementation period is set to begin shortly, Ustaran predicts that privacy will become a regular feature on the agenda of many boards.