The new General Data Protection Regulation (GDPR) brings the biggest shake-up to EU data protection laws in 20 years. Because it is a Regulation (rather than a Directive), the majority of its provisions are directly applicable and will therefore be the same in all member states. The GDPR allows only very limited and minor variations that member states can implement to address specific national requirements.
The GDPR builds on the 1995 European Data Protection Directive (The Directive). Member states implemented The Directive in their data protection laws in their own ways. This approach gave rise to multiple different and complex data protection practices in the EU.
Therefore, the GDPR seeks to enhance the harmonisation of data protection laws across the continent and reduce the complexities of transferring data within the EU, which is fundamental for businesses to operate. EU-based multinationals will benefit from a uniform set of rules, no matter where they operate. The GDPR is also designed to address the challenges of the modern digital era in which we live. With an ever-increasing amount of data being processed, the GDPR empowers data subjects to take control of their data.
With the GDPR set to come into effect in less than 12 months, Gemserv undertook a research exercise to gauge perceptions of the GDPR, as well as organisational readiness. Gemserv surveyed representatives from industry leading organisations across Europe.
The research provided us with an eye-opening view of what organisations are truly doing (or, in many cases, not doing) in the build-up to May 2018, and this executive summary serves to highlight some of our key findings.
What is immediately apparent is that many organisations are at risk of non-compliance by deciding not to act until the GDPR comes into effect on 25 May 2018.
Respondents seem to be at varying stages in terms of readiness, with 63% still working on an implementation plan and 34% having decided not to commit any headcount, budget or external counsel spend to the implementation of the GDPR until it comes into effect. 49% of the respondents had already appointed a data protection officer at the time of the response, 30% have not assessed the requirement of an appointment and 15% have planned to outsource this role to external service providers.
The findings show that the following aspects of the GDPR tend to be the main areas of focus for respondents; some of these areas require considerable changes to their operations:
- Security – The GDPR requires data controllers and data processors to implement technical and organisational measures to ensure an adequate level of security when processing personal data. In terms of technical measures, two-thirds of respondents have confirmed that they have implemented the following: firewalls, endpoint security and encryption. However, 45% are yet to implement anonymisation. Less than 15% have conducted dry runs, which could put them in a very challenging position to comply with and demonstrate the privacy by design requirement. In terms of organisational measures, only half of the respondents have provided regular staff training on the identification of breaches and implemented an information security programme. A lack of organisational measures shows a lack of accountability, and organisational gaps tend to be one of the most commonly cited reasons for financial penalties.
- Breach reporting – Two-thirds of respondents already have internal breach reporting procedures or an incident response plan in place. Such results are not surprising, given that respondents are already subject to a certain level of data breach reporting, either voluntary or mandatory, under other laws.
- Data processor obligations – Although a data processor is still bound by a data controller’s instructions, the GDPR allocates the following key legal responsibilities to a data processor:
  - Appointment of a representative in the EU, where applicable;
  - Support to the data controller with Data Protection Impact Assessments (DPIAs);
  - Notification of any data breaches to the data controller, without undue delay after becoming aware of a personal data breach;
  - Showing increased accountability by keeping records of data processing activities; and
  - Direct cooperation with supervisory authorities and data subjects (for instance, enforcement of damage claims).

  Also, data controller/data processor agreements have gained more importance, with more details to be taken into account by both parties. The GDPR requires prescriptive processor obligations under Article 28. 30% of respondents have confirmed that cooperating with supervisory authorities, complying with data breach reporting obligations and implementing a process for reviewing the terms of the data controller/data processor agreements will require the most internal consideration and change. Almost a quarter simply did not know, at the time of the response, whether their organisations had initiated any review of the data controller/processor agreements. Organisations acting as data processors should assess their new role under the GDPR now so that they can implement the new standards in a timely manner.
- Records of personal data processing activities – Article 30 of the GDPR introduces a major change. Both the data controller and data processor are required to maintain records of their data processing activities. While 56% of respondents have confirmed that they hold an inventory for their data processing activities, 43% do not hold any such inventory and 1% did not answer the question, probably because of a lack of awareness of this obligation.
Getting the right processes in place to ensure the necessary records are filed and easily retrievable, as well as exploring and implementing the technical measures, will put significant pressure on organisations. Organisations need to keep track not only of their existing processing activities, but also of those that have been taking place for many years.
Another prominent aspect of the GDPR is the two-tiered sanction regime. 88% of respondents correctly stated that the higher tier of fines will be 20 million euros or 4% of an organisation’s worldwide annual turnover, whichever is greater, for serious breaches such as a breach of data subject rights. Equally important to note is that an organisation’s failure to comply with data processing principles, such as accountability, would also lead to the highest tier of fines being imposed.
Waiting to develop a GDPR compliance roadmap until the GDPR comes into effect on 25 May 2018, or not taking any actions at all, are risky approaches and put an organisation in an unfavourable position to demonstrate accountability in the event of an investigation by a supervisory authority.
The financial implications of non-compliance are readily apparent yet largely ignored, and we suspect this will remain the case until organisations start to be fined by the ICO. But fines are not the only consequence. Organisations need to look at the wider implications, such as reputational damage, a decrease in brand value, the inability to grow the business, and potential lawsuits, to name just a few.
There isn’t a one-size-fits-all answer to GDPR readiness, but what we have tried to highlight in the full insight paper are some of the key steps that organisations can take and the factors that might need to be considered.
If you would like to find out more or talk to us about aspects of our implementation programme, please contact us on +44 (0)20 7090 1091. You can also visit the Information Commissioner’s Office to find out more about the upcoming legislation.