New data protection laws will come into force across the EU on 25 May 2018. That might sound like a long time to get ready but – as our research here shows – it can take years to implement a full data strategy. And the risks of being unprepared could be costly: the new rules include fines of up to 4% of worldwide annual turnover. Here are ten points you should be thinking about now:
- the extent to which you’ll be able to use personal data to develop new products and services – eg there will be stricter rules on getting consent to use data, and on automated profiling;
- how to incorporate privacy issues into your business processes – eg you might need to carry out ‘data protection impact assessments’;
- how you’ll meet the new obligations to quickly notify regulators and individuals if you suffer a data loss, like a hack;
- whether to change your employment contracts or handbooks, and what data privacy training your staff will need to deal with the new rules;
- how to anticipate and deal with requests from regulators for data about your employees, customers or others;
- whether to change your management and governance structure to deal with the new rules: eg companies that process large amounts of data will have to appoint a data protection officer;
- how to manage international data flows, both within your group and to third parties;
- how to structure relationships with third parties, including data processors, to reallocate responsibilities and liability risks;
- if your business is outside the EU, whether you’ll be caught by the new rules: certain non-EU businesses will – for the first time – be covered; and
- how to structure M+A transactions involving data-rich targets – eg there are new rules on promptly giving notice to people if you buy their data from a third party.
The UK regulator has a useful guide to preparing for the new law: here. And we can expect to see more guidance from national regulators in the run-up to the new rules. This might be a good time to engage with regulators and legislators on areas that have been left to member state discretion – so you might want to get involved with lobbying groups within your industry.