The EU General Data Protection Regulation (Regulation 2016/679) requires companies to act lawfully, fairly and transparently in their use of personal data and in how they deal with people whose data they process. Businesses have to be transparent and honest about what they’re doing and why. What does that mean?
The GDPR reshuffles the existing regulatory framework to impose tougher data protection rules across the European Union and beyond. In short, every EU-based organisation acting as “controller” or “processor” of personal data is concerned, as is every organisation based outside of the EU and acting as a controller of personal data of EU residents. The law entered into force on 24 May 2016 and will apply as from 25 May 2018.
What are the key issues to focus on from a company point of view?
Companies need to rethink how they collect, process and store data. The new rules will impact them at different levels:
1. Compliance: companies will have to meet a new “accountability” obligation. It is not enough to comply; they must be able to demonstrate compliance, with written policies, records of processing activities and risk and impact assessments for the measures they adopt, all of which regulators may ask to see.
2. Usage controls: personal data will be subject to strict principles such as data minimisation and purpose limitation, alongside new or strengthened individual rights such as data portability and the right to erasure (“right to be forgotten”). This means companies have to limit the use of data to what is necessary, enable individuals to take their data with them at the end of a relationship, and delete data on request. In addition, the GDPR restricts automated decision-making and profiling of natural persons.
3. Consent: it will be harder to obtain valid consent to use personal data, and companies will have to be able to prove that consent was given.
4. Bundling: the regulation undermines a very common practice in marketing services, namely making the provision of a service conditional on the individual’s consent to their data being used for purposes that are not necessary for that service. Consent obtained this way is unlikely to count as freely given.
5. Aggregation: the new rules severely curtail the ability to collect data and combine it into individual profiles.
6. Supervision: regulators will have the power to carry out audits and inspections of organisations and to demand information.
7. Breach disclosure: the GDPR requires businesses to notify personal data breaches to the regulator within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and to inform the people affected where the breach is likely to result in a high risk to them. Public disclosure of a failure is likely to fuel regulatory sanctions and compensation claims, as well as damaging the company’s brand and reputation.
8. Fines: companies that don’t comply with the law risk fines of up to EUR 20 million or 4% of the group’s annual worldwide turnover, whichever is higher.
9. Litigation: individuals have the right to compensation for material and non-material damage (including distress) caused by contraventions of the law, and may be represented by not-for-profit bodies acting on their behalf, opening the door to group litigation.
Frédéric Vonner, Advisory Partner at PwC Luxembourg, explains it all in this video:
What should companies do to make sure they comply with the new rules?
Companies have until May 2018 to be fully compliant. This might seem like a long way off, but they should take advantage of the coming year to prepare. During the preparation phase, companies should:
- Assess and review their existing processing of personal data, identify gaps against the GDPR requirements and determine to what extent adaptation measures are necessary across the whole organisation;
- Document and monitor the way they comply with the GDPR;
- Appoint a Data Protection Officer, where the law requires one (public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data) and they do not already have one;
- Update their contracts with commercial partners and processors, bearing in mind how lengthy such negotiations can be;
- Check the security of processing and the lawfulness of any transfers of personal data outside the European Union.