According to Stewart Room, Global Head of Data Protection at PwC Legal, the GDPR represents “the biggest shake-up in data protection law in over 20 years”. But what is the GDPR exactly?
The European Union is introducing the General Data Protection Regulation, which will be active within the EU from 25 May 2018, and will replace the current data protection framework, the 1995 directive. The GDPR will aim to centralise regulation across the EU and update it for the digital age.
The three main objectives of the GDPR are:
1. Provide data subjects (individuals about which personal data is held) an increased level of control over their data
2. Improve the protection of personal data by ensuring that controllers and processors of data are secure handlers of this data
3. Ensure oversight and supervision by increasing the power of the regulators for personal data.
The scope of the GDPR is much greater than that of the previous 1995 directive, because it does not only apply within the European Union, but also applies to businesses outside of the EU if their goods and services are directed at the EU or if they process data of EU residents. This forces all companies within the EU and any company that does business within the EU to comply with the GDPR.
Currently, each EU member state has its own public authority responsible for monitoring and enforcing compliance with laws regarding the protection of personal data. In the Netherlands this authority is called the Autoriteit Persoonsgegevens. In order to ensure more coherence in the application of data protection law, the GDPR introduces a One-Stop-Shop supervisory and cooperation mechanism. This means that organisations that control and process data across multiple EU countries are subjected to the authority of one main Data Protection Authority (DPA). The ‘main’ DPA is the DPA of the location where the organisation has its place of central administration, and must involve and cooperate with other concerned DPAs. This One-Stop-Shop system will provide clarity for businesses as well as individual data subjects as to where they have to go regarding data protection issues.
As well as the extended scope and the One-Stop-Shop system, the GDPR brings several other major changes to data protection law. All of these concern businesses as well as individual data subjects, but will be highlighted as to which they affect the most.
The effect on data subjects
The GDPR will not only affect entities handling data, but also the data subjects themselves. The first objective of the GDPR that was mentioned, the data subject’s increased level of control over their data, is illustrated by three key changes in regulation.
The first change is the matter of consent. Wherever data is being processed on the basis of consent, the data subject’s consent now needs to be explicit, which means the processor must have been given consent before it may process the data.
The second change is the right to be forgotten. The data subject has the right to have personal data that is incorrect or no longer relevant erased, and is able to withdraw the consent it has given to an entity.
The third change is data portability. The data subject has the right to request the transfer of their personal data from one organisation to another.
All of these changes add to the control that individual data subjects have over their data, and will consequently result in better protection of data by organisations.
The effect on businesses
The GDPR also empowers supervisory bodies to impose administrative sanctions on data controllers. They may give written warnings for first-time and unintentional breaches of the GDPR, conduct regular data protection audits and impose sanctions on enterprises, regardless of whether they are based inside or outside the EU. These sanctions can become massive, as the supervisory bodies can issue fines of up to 4% of a company’s worldwide annual turnover, or €20 million, whichever is greater. The motivation behind these heavy fines is to bring data protection into boardroom discussions and to embed privacy into the core of the business. Large fines may be given to companies to set an example for other organisations.
The current 1995 directive does not require data controllers to inform the relevant data protection authority of a data breach. The GDPR introduces a requirement which forces data controllers to inform the relevant data protection authority of a personal data breach within 72 hours of the data controller becoming aware of it. The DPA must be informed of the details of the breach, and must be given a description of the consequences of the breach and of the measures taken to address it. When a personal data breach is likely to affect the data subject’s privacy, for example in potential cases of identity theft, fraud, physical harm, significant humiliation or damage to reputation, the data controller must also communicate the data breach to the data subject. This brings financial implications for the data controller with it, such as possible loss of reputation, loss of business and maybe even a drop in share price. These financial and reputational implications might be even costlier than the sanctions mentioned before.
Because of the enlarged scope of the GDPR, the new regulation also heavily affects companies from the US. In December 2016, PwC conducted research on the preparedness of US companies for the GDPR. They surveyed 200 CIOs, CISOs, General Counsels, CCOs, CPOs and CMOs from US companies with more than 500 employees, asking them about their plans for the GDPR. Over half of US multinationals, 54%, said that the GDPR is their top data-protection priority. Another outcome of the survey was that 77% of the respondents plan to spend $1 million or more on the GDPR. The GDPR’s potential 4% fine on global revenues has boosted the budgets for mitigating this GDPR risk.
For us, the data subjects within the EU, the GDPR is a great thing, as it ensures that we get more control over our data and forces companies to improve security. For the organisations that have to comply with the GDPR, the regulation is less fun, as it might cost companies a lot of money to update their security, some more than others. However, these companies eventually end up with better information security, which is beneficial for everyone and prevents breaches which might hurt the company even more. Which company will be the first to receive a gigantic fine remains to be seen.
EU Data Protection Reforms: The challenges and benefits of compliance for businesses, PwC (http://www.pwc.com/us/en/risk-assurance-services/publications/eu-data-protection.html)
General Data Protection Regulation – our view on the key components in the GDPR, PwCUK (https://www.youtube.com/watch?v=srh2hpz-1CU)
Pulse Survey: US Companies ramping up General Data Protection Regulation (GDPR) budgets, PwC (http://www.pwc.com/us/en/increasing-it-effectiveness/publications/gdpr-readiness.html)
EU General Data Protection Regulation (GDPR) – High-level impact assessment, PwC (https://www.gov.gg/CHttpHandler.ashx?id=104159&p=0)