On 14 April 2016 the European Parliament approved the General Data Protection Regulation (GDPR), and organisations now have until 25 May 2018 to comply. It is the biggest change in data protection law for 20 years, but what does it mean in practice?
Since 1995, when the current Data Protection Directive was adopted, the data landscape has changed significantly:
The World Wide Web, until then largely the preserve of government and universities, had only just become publicly accessible
In December 1995 there were 16 million internet users; by July 2016 there were 3.7 billion, an increase of 23,025%
In 1995 the common format for data storage was the CD
Facebook was not launched until 2004
The world has changed but not everyone has changed with the world. We need new rules and greater certainty about how our information is managed.
With the ability to transfer and exchange vast amounts of personal data across continents and around the globe in fractions of a second, the need for legislative change is clear. The General Data Protection Regulation ("GDPR") is the modern-age answer: it aims to ensure that all organisations processing personal data are held accountable for upholding our fundamental right to the protection of that data.
The threat is real. Data breaches are happening in all sectors and industries. Companies, customers, vendors and stakeholders need assurance that personal data is being safeguarded in a secure manner, but also that robust processes are in place for ensuring the processing of such data is fair and legal in the first place.
This change in regulation is not something any sector can afford to ignore. On the contrary, each organisation should take a proactive stance in understanding what will be affected by the new regulation, and how.
The GDPR seeks to give data subjects an increased level of control over their information. It also aims to ensure that data controllers and processors are safe custodians of data through promoting behaviour change. The GDPR provides enhanced supervision by increasing the powers of the regulator.
Controllers must implement appropriate technical and organisational measures and procedures to ensure that processing safeguards the rights of the data subject by design. For a business that does not want to embark on a full review and overhaul just yet, three steps go a long way: (i) minimise the data collected; (ii) do not retain data beyond its original purpose; and (iii) give data subjects access to, and control over, their data.
The right to erasure (the "right to be forgotten") is more far-reaching than an organisation might consider at first glance. A data subject can ask a company to erase the data it holds about them at any time, and where one of the grounds set out in the GDPR applies the company must do so; if the data has been passed on to third parties (including third-party websites), the company must also inform those recipients, who will have to erase it as well.
For the most serious infringements, the GDPR allows fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
If a personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects, the controller must notify those data subjects without undue delay, unless it can demonstrate that encryption or a comparable measure rendered the data unintelligible to anyone not authorised to access it. So whether the data of 10 customers or 1,000,000 customers is lost, all of them would have to be informed. (Notification of the supervisory authority, where required, is a separate obligation with its own 72-hour deadline.) The potential for significant brand damage, litigation and media reporting of an incident is clear, and could spell the end of an organisation overnight.
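The exception described above turns on the leaked data actually being unintelligible to whoever obtained it. As an added example (not from the original page or from PwC), the following Go program shows what that looks like at the field level using only the standard library: the personal fields of a customer row are stored solely as AES-256-GCM ciphertext bound to the record ID, a simulated dump of the stored row contains no readable personal data, and decryption fails with the wrong key or a tampered row. The record layout, the fixed demo key and the sample customer are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strconv"
)

// CustomerRecord is a constructed example of a stored row. The surrogate ID stays
// in clear for indexing; the personal fields exist only as AES-256-GCM ciphertext.
type CustomerRecord struct {
	ID      int
	NameCT  string // base64(nonce || ciphertext || tag)
	EmailCT string
}

// newGCM builds the AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// fieldAAD ties a ciphertext to one record and one column, so a blob cannot be
// moved to another row or column without the authentication check failing.
func fieldAAD(id int, field string) string { return strconv.Itoa(id) + ":" + field }

// sealField encrypts one field with a fresh random nonce prepended to the output.
func sealField(key []byte, aad, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// openField reverses sealField; it fails on a wrong key, tampered data or mismatched AAD.
func openField(key []byte, aad, enc string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(aad))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptRecord produces the stored form of a record from its personal data.
func EncryptRecord(key []byte, id int, name, email string) (CustomerRecord, error) {
	nameCT, err := sealField(key, fieldAAD(id, "name"), name)
	if err != nil {
		return CustomerRecord{}, err
	}
	emailCT, err := sealField(key, fieldAAD(id, "email"), email)
	if err != nil {
		return CustomerRecord{}, err
	}
	return CustomerRecord{ID: id, NameCT: nameCT, EmailCT: emailCT}, nil
}

// DecryptRecord recovers the personal data; only a holder of the key can do this.
func DecryptRecord(key []byte, rec CustomerRecord) (name, email string, err error) {
	if name, err = openField(key, fieldAAD(rec.ID, "name"), rec.NameCT); err != nil {
		return "", "", err
	}
	if email, err = openField(key, fieldAAD(rec.ID, "email"), rec.EmailCT); err != nil {
		return "", "", err
	}
	return name, email, nil
}

// LeakExposesPlaintext simulates a dump of the stored row (what a breach would expose)
// and reports whether the personal data is readable in it without the key.
func LeakExposesPlaintext(rec CustomerRecord, name, email string) bool {
	dump := []byte(fmt.Sprintf("%d,%s,%s", rec.ID, rec.NameCT, rec.EmailCT))
	return bytes.Contains(dump, []byte(name)) || bytes.Contains(dump, []byte(email))
}

func main() {
	// Constructed demo key: in production the key comes from a KMS/HSM and is never stored with the data.
	key := bytes.Repeat([]byte{0x42}, 32)
	rec, err := EncryptRecord(key, 1001, "Ada Lovelace", "ada@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %d,%s,%s\n", rec.ID, rec.NameCT, rec.EmailCT)
	fmt.Println("plaintext visible in dump:", LeakExposesPlaintext(rec, "Ada Lovelace", "ada@example.com"))
	name, email, err := DecryptRecord(key, rec)
	fmt.Println("with key:", name, email, err)
	_, _, err = DecryptRecord(bytes.Repeat([]byte{0x43}, 32), rec)
	fmt.Println("with wrong key:", err)
}
```

The exemption only holds if the key was not compromised alongside the data, so the key must be generated and held separately (a KMS or HSM, not the same database or backup set), and the encryption and key-management arrangements must be documented so they can be demonstrated to the regulator after an incident.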
The transparency principle has been strengthened under the GDPR: data controllers must use plain language in the information they are required to provide to a data subject, such as the recipients to whom the data will be disclosed and any transfer of the data. The European Commission will have the power to lay down standard forms for providing this information, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary.
Organisations will be required to have relevant documentation in place to demonstrate compliance, for example policies, procedures and staff training. Regulators will have the power to audit organisations to verify compliance, and their first question will no doubt be about the paperwork. Records of data processing activities must be kept, except in limited circumstances. Data processors will have direct obligations and liability under the GDPR, and data controllers will be required to carry out effective due diligence when selecting processors, now and in future.
Important projects need owners. The GDPR gives the data protection officer (DPO) a defined statutory role: informing and advising the organisation, monitoring compliance, advising on data protection impact assessments, and acting as the contact point for the regulator and for data subjects. In practice, businesses also look to the DPO to drive the wider programme: reducing risk, overseeing access controls, responding to requests, reporting breaches and shaping a sound data security policy. Appointing a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring, or large-scale processing of special categories of data; every business will nevertheless need a focal point for GDPR compliance, and should designate one sooner rather than later.
1. Set their vision
2. Agree their strategy
3. Constitute their structures for achieving data protection and privacy operational change and compliance.
Every organisation needs to look at where it currently stands against the GDPR to get to grips with what it needs to focus on, and where, in the months remaining before May 2018. So how will your organisation deal with the change?
Getting ready for the GDPR requires multi-disciplinary skill sets. PwC uses a risk-based approach to assess current maturity against the GDPR, and we work with our clients to develop effective roadmaps to achieve operational adequacy.
Our data protection team includes experts in consulting, security, cybersecurity, legal, risk, forensics and strategy.
Services that can help you understand where you are positioned with respect to GDPR requirements:
PwC can help you understand where your data assets are and what controls are in place to protect them.
We can help you conduct data protection assessments, gap analyses, and overall evaluations of the data protection maturity within the organisation.
Services that can help you build on your existing structures and controls to improve your personal data protection approach and controls.
PwC can help you with the following challenges:
Educate and train your staff related to GDPR;
We offer face-to-face training as well as a self-paced GDPR Awareness eLearning course.
Define privacy controls and privacy policies;
Define processes to react to data breaches;
Implement accountability mechanisms;
Mitigate data breaches.
Services that can help you build and customise your own governance approach to data protection.
PwC can help you design your own program to improve data protection maturity within the organisation. Specific points in this design include:
Defining specific privacy and accountability policies;
Using robust and sound metrics to compare yourself against competitors;
Selecting and training specific data protection roles within your organisation;
Aligning privacy strategies to business strategies in order to bridge the compliance gap and protect personal data.