Insight
GDPR – what businesses need to know
April 2018
The EU’s General Data Protection Regulation (GDPR) becomes law on 25 May 2018. Until now, each member state had its own data protection laws; GDPR creates one set of rules for data protection across the EU, making it easier for businesses to trade across the EU. Even though the UK has voted to leave the EU, it will adopt GDPR in its entirety post-Brexit.
The need for data protection
GDPR recognises that, where personal data is concerned, the world has changed. Businesses now collect and monetise all kinds of data, and the risks of personal data leaking into the public domain are great. Businesses recognise that the more they know about their customers, the better they can tailor their offering to them. The flipside is that if customers are not fully aware, or have not given their consent, the use of personal data is tantamount to a breach of personal privacy with potentially harmful results.
GDPR makes it incumbent on businesses to prove a data-subject’s consent and raises the bar on what constitutes valid consent. GDPR also requires businesses to give data-subjects more information about how their information is used and introduces new rights such as the right to be forgotten and the right to data portability.
A further danger that has evolved in recent years is the growing threat of data theft through hacking. Unfortunately, the intrinsic value held in personal data makes it worth stealing. Data theft can also be used to hold businesses to ransom and threaten their ability to trade. This backdrop will continue to evolve and one of the aims of GDPR is to keep up with an ever-changing data environment.
Demonstrating compliance
Businesses must demonstrate how they comply with GDPR; this will mean making compliance part of someone’s role in the business. Businesses that process personal data on a grand scale as part of their core operations may need to appoint a Data Protection Officer (DPO) to monitor internal compliance. Most businesses won’t need a DPO but will need to make it the responsibility of someone in senior management to demonstrate compliance through an understanding of the GDPR requirements.
Non-compliance doesn’t bear thinking about
Businesses that choose to disregard their GDPR responsibilities, or don’t take them seriously enough, face fines of up to €20 million or 4% of global revenue if that’s greater. This makes GDPR compliance a boardroom responsibility.
The regulators expect businesses to start by conducting a thorough audit of personal data. This makes sense: once a business understands what data it processes, with whom it shares data, and the legal basis on which it processes data, it is in a much better position to comply with GDPR. Businesses need to build GDPR into the way they do business and make it part of all future initiatives, carrying out impact assessments to consider data protection risks and any impact on personal data and data-subjects. This is not a requirement of GDPR but a sensible way for businesses to conduct themselves and comply with the regulations. Businesses must decide for themselves how much or how little governance is appropriate but the potential penalties for non-compliance should help to focus the mind.
GDPR beyond the EU
GDPR doesn’t apply only to businesses established in the EU, it extends to businesses outside the EU that process data:
- inside the EU
- outside the EU that concerns EU data-subjects
- that is directed at EU data-subjects.
GPDR also provides specific rules about transferring personal data to countries outside the EU. This is relevant to many UK and European businesses that contract with third-party data processors in the United States, or transfer EU personal data outside Europe. These businesses need to examine their contracts with third-party data processors to ensure they have adequate contractual clauses in place to meet the GDPR requirements.
GDPR is approaching rapidly – be prepared
Although the GDPR builds on the principals of current EU data protection laws, it expands significantly the obligations companies need to meet to comply. As we approach 25 May 2018 when GDPR becomes law, businesses must understand what personal data they are holding and processing, and work towards a position of GDPR compliance with which they are comfortable.