The European Parliament passed the General Data Protection Regulation ('GDPR') on 14 April 2016. The vote closed a long legislative process that had been underway since 2012 when the European Commission published its EU Data Protection Reform as a part of its digital age package.
The GDPR will be directly applicable in all EU member states, and it will replace the previous EU Data Protection Directive (95/46/EC) in its entirety. The Regulation concerns all processing of personal data, which means it encompasses practically every company in one way or another. The GDPR enforces individuals' rights to their own data, increases companies' accountability regarding data processing and provides for strict sanction and enforcement mechanisms.
We have covered the new obligations in more detail in our previous briefing notes "How to prepare for the EU General Data Protection Regulation?" and "A Christmas Package from the EU Legislator: Agreement Reached on EU Data Protection Regulation".
The two-year transition period begins 20 days after publication of the Regulation in the Official Journal of the EU, meaning that companies need to comply by early May 2018.
Two years may sound long, but if data protection has not been a particular concern in your company so far, the time will fly fast. So where to start?
- The first step in the compliance project should be a data protection audit to help you understand your data processing. Do you know what data your systems contain? Besides the types of data, make sure to understand the whole life cycle of the personal data: Where does the data come from? Why do you need it? Who has access to the databases? What do you do with the data? How is the data transferred between systems? When will the data be deleted?
- Very likely the audit will reveal several areas for improvement. Each company has its own priorities depending on its field of business and starting level, but identifying these priorities is an important step for everyone. A good starting point is to examine the matters where the risks to data subjects' privacy are highest and the issues that are subject to the highest fines. Tackle those first.
- The Regulation gives data subjects the right to access their data, to have it transferred to another service provider and, in certain situations, to have the data corrected or erased. Your processing systems and databases should therefore be designed to enable these operations. If, for example, finding certain data or deleting it in the data system is currently difficult, or if different databases do not communicate at all, this must be remedied. There is no need to renew everything at once, but it is good to be aware of the technical limitations and to keep the GDPR in mind when planning new purchases.
- The GDPR enhances the controller's accountability and responsibility. Besides being compliant with the Regulation, companies should also be able to prove their compliance. Here, documentation is key. Make sure you have records of all decisions on data protection issues, keep your privacy policies up to date, and you'll already be on the safe side. It's also worth training employees who process data on the company's data protection policies and principles.
The GDPR poses high non-compliance risks in the form of administrative sanctions of up to 20 MEUR or 4% of the company's total yearly worldwide turnover. The two-year transition period will go quickly, but there will be enough time to adapt if compliance projects begin now. Besides risk management, complying with the GDPR at an early stage is a clear business advantage in increasingly privacy-sensitive markets.