What the EU General Data Protection Regulation means for accountants
A uniform data security regime is being introduced across all EU member states. Find out what it means for your practice.
On 18 December 2015 Europe’s General Data Protection Regulation (the ‘GDPR’ or the ‘Regulation’) was, after almost three years of negotiations, agreed. While the final wording hasn’t been released, we know it will have a material impact on organisations that hold or handle corporate, financial or personal data in any media format whether digital or physical.
Why is the new GDPR required? The 20-year-old Data Protection Directive (DPD) – which is being replaced by the Regulation – is part of the overall strategy across the world to prevent and respond to cyber disruptions and attacks. The EU has recognised that cybersecurity incidents are increasing in frequency and magnitude and becoming more complex and cross-border in nature. As such incidents can cause major damage to safety and the economy, the EU Commission considered that efforts to prevent, co-operate on and be more transparent about cyber-incidents should improve.
The old DPD was limited because it was just that – a Directive. As a Directive it could only set the minimum legal standards. The member states could otherwise craft their legislation as they saw fit. This led to a patchwork of data protection laws across Europe.
The new Regulation is meant to solve this problem. As a Regulation it directly imposes a uniform data security regime across all EU members. There will be no need to enact the legislation: it will become law, thereby harmonising EU data protection law across the whole of the EU.
How does the GDPR differ from the outgoing Directive?
1) Increased fines for violations – if a company violates certain provisions within the GDPR – such as basic data processing principles or the rules relating to cross-border data transfers – it may be subject to fines amounting to 4% of the company’s worldwide annual turnover.
2) Data breach notification – data controllers will be required to notify the appropriate supervisory authority (in the UK this is likely to be the Information Commissioner’s Office) of the data breach within 72 hours of learning about the breach. The notification must describe the nature of the data breach, the categories and the approximate number of data subjects implicated, the contact information of the organisation’s data protection officer, the likely consequences of the breach and the measures the data controller has taken or proposes to take to address and mitigate the breach.
Additionally, a data processor is required to notify a data controller of a data breach ‘without undue delay’. Article 32 of the GDPR requires data controllers to notify data subjects of breaches when the breach is likely to result in a high risk to the rights and freedoms of individuals, and they must notify subjects of the breach ‘without undue delay’.
3) Data protection officers – Article 35 requires companies whose ‘core activities’ involve large-scale processing of ‘special categories’ of data – defined as information that reveals a data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health or sex life or sexual orientation – to designate a data protection officer. Companies should be aware that even if they don’t collect this type of data from clients, they may collect some of this information from their employees for human resources purposes and therefore may need to appoint a data protection officer.
4) Greater controls for data subjects – Article 17 sets out the ‘right to erasure’, also known as the ‘right to be forgotten’, which gives a data subject the right to order a data controller to erase any of the data subject’s personal data in certain situations. The Article requires the data controller to erase a data subject’s personal data ‘without undue delay’ when the personal data is no longer necessary in relation to the purposes for which it was collected or processed, or the data subject withdraws his or her consent or objects to the processing and there is no other legal basis for the processing.
How can companies prepare for the GDPR? There is no question that all companies will need to determine how the new GDPR will relate to them. Our conversations with clients show that organisations are taking a moralistic view to protecting personal data, and we recommend that any company transacting business across the world should, if they haven’t done so already, prepare for and address the following items well in advance of the GDPR coming into effect:
Are you a data controller or a data processor or a mixture of both? Review your contracts with third parties to understand where respective roles and responsibilities lie.
Get your privacy policies, procedures and documentation in order and keep them up to date: data protection authorities will be able to ask for these at any time.
Form a governance group that oversees all your privacy activities, led by a senior executive. If you appoint a data protection officer (recommended for companies that employ more than 250 people) they should develop metrics to measure the status of privacy efforts, report regularly and create statements of compliance that will be required as part of your organisation’s annual report.
Implement a breach notification process and enhance your incident management processes and your detection and response capabilities. Any data breach must be notified to the relevant data protection authority, even if protective measures, such as encryption, are in place or the likelihood of harm is low.
Prepare your organisation to fulfil the ‘right to be forgotten’ or ‘right to erasure’. A strategy covering topics such as data classification, retention, collection, destruction, storage and search will be required – and it should cover all mechanisms by which data is collected, including the internet, call centres and paper.
The new rules will have direct effect from early 2018 – two years from the date of formal adoption and publication of the Regulation. Businesses have time to prepare, but there is much work to do. We are moving towards the most stringent data laws in the world. Data permeates everything we do in our digital lives and touches all organisations.
However, in the short time that remains before implementation, organisations will need to completely transform the way they collect and use personal information. This is not a compliance or legal challenge: it is much more profound than that. Organisations will need to adopt entirely new behaviours in the way they collect and use personal information.
If you have any questions about the new Regulation please contact your normal Lockton Associate or a member of the Global Technology Privacy Practice: