The arrival of the new General Data Protection Regulation (GDPR), recently approved by MEPs, will have a wide-ranging impact on all businesses processing personal data and is currently a hot topic. As the countdown begins for the two-year lead-in, what we do know is that there will be a huge amount of speculation, misunderstanding, confusing interpretations and probably denial at large.
Already, myths are starting to emerge as businesses seek to digest the announcement and consider the impact on their organisations.
This article seeks to clarify the impact the new legislation will have on businesses and dispels some of the myths currently circulating.
Myth 1 - I have to appoint a qualified, independent Data Protection Officer (DPO)
Previous proposals that the GDPR would force every organisation with over 250 employees, or processing more than 5,000 personal data records, to formally appoint a DPO were amended during the draft stages. GDPR Section 4 states that Data Protection Officers are to be appointed if:
The DPO, where appointed, must be independent. This doesn’t mean you have to appoint an external person - they can be an employee. The post can be a part-time role or combined with other duties, but, in performing the role, the DPO must have an independent reporting line (like most compliance officers), be empowered and report directly to the Board without interference. What is important is that the appointed person must be a data protection professional with “expert” knowledge of data protection law and practices, so that they can perform their duties and ensure your organisation achieves and maintains compliance.
Myth 2 - I am considered to be a small to medium-sized enterprise (SME), so the GDPR doesn’t apply to me
While there are some concessions to micro and small businesses, particularly in relation to record keeping, the GDPR applies to all organisations “engaged in economic activities” involving the processing of personal data. It depends upon the nature of the processing you perform, not the quantity of records or size of the organisation. You will also need to recognise that your customers may be larger enterprises and you may need to prepare for the obligations placed on data processors.
Myth 3 - I’m only acting as a data processor, so I don’t have to worry about the GDPR - my customers, as the data controllers, deal with all that
Data controllers will, over the next two years, need to review all of their supplier (controller-to-processor) contracts to ensure they are compliant with the new regulations. But data processors will also, for the first time, have direct responsibilities under GDPR, one of which is a requirement that they (or their representatives) must maintain a record of processing activities that includes:
Myth 4 - My personal data is all encrypted, so I don’t need to worry about fines
Security measures are vital, but fines can be levied for an infringement of the data controller or data processor obligations under the GDPR, not just for data security breaches. The level of potential fines is extensive and is hitting the headlines, as the supervisory authorities will have the power to impose fines of 2 to 4 per cent of global annual turnover (in the previous financial year), depending upon the seriousness of the infringement and the circumstances of the case, including:
Encryption is not a panacea. You will still need to consider the “organisational and technical” measures in place, not just in relation to security risk assessment, security management and the implementation of controls to ensure personal data is protected, but potentially in terms of documented privacy impact assessments.
These are now mandatory where new processing operations are likely to result in a high risk to the rights and freedoms of data subjects, and specifying the measures required to reduce that risk (including the potential need to seek prior approval from a supervisory authority in some cases) is vital. Organisational measures include the overall governance and compliance regime needed to demonstrate compliance and ensure your obligations for “accountability” are met and maintained.
GDPR has a potentially significant impact upon IT, and data controllers and data processors need to be thinking ahead. For example, does your organisation have the knowledge, capability and technology in place to:
Myth 5 - If we leave the EU, the GDPR will not be relevant, so it is better to wait and see
That would not be an advisable approach. Either way, UK businesses will still have to meet the rights and freedoms of citizens of EU member states when GDPR comes into effect, once the final release date has been announced (this is to be confirmed, but you can keep a close eye on announcements on the PCI website; more detail can be found here).
If the UK stays in Europe, GDPR will automatically supersede the UK Data Protection Act. If we leave, due to complex withdrawal agreements, it will potentially be after the GDPR is already in effect and the UK Government would need to consider harmonisation and legislate accordingly. As such, it is highly unlikely that the GDPR requirements will be changed. However, there is a period of up to two years in which the UK has to ratify the Regulation before full adoption. Given the continuing need to ensure the free flow of information and remove barriers to trade across international boundaries, the UK is more likely to phase in the GDPR soon after the EU Parliament has announced the final date.
The ICO has published a useful 12-step guide on what organisations should do now and launched a new micro-site where it will publish future guidance.
One thing we can be sure of: there will be a mass of information to digest over the next two years, and you need to use information sources and specialist partners you can trust.