After four years of tedious but important deliberation, the EU General Data Protection Regulation (GDPR) is finally upon us as a final text, or will be when it is formally ratified by the European Council in early 2016.
After being confirmed by the 28 member states, it should come into force by 2018, a timetable that gives affected organisations just over two years to implement its provisions or face the consequences. The GDPR comes loaded with these, many positive, some surprisingly negative in terms of implementation and cost.
A lot of vendor commentaries talk up the downsides, usually out of self-interest. Frankly, there is a lot of money to be made helping companies understand what the GDPR is, how it might generate risk, and how it should be safely navigated. Organisations shouldn’t let themselves be lulled into the consultant’s world view. This isn’t just about compliance but a change in the way they must understand the gathering of customer data. Power is deliberately being moved from the collectors of data to the collected and a lot of assumptions need to be re-examined.
It’s not easy to summarise the GDPR’s many complicated effects on the current data protection regime but here is a starter list:
EU General Data Protection Regulation - for organisations
- Only one set of laws across all 28 states – this makes life a lot simpler for multi-nationals compared to today’s mish-mash of national provisions
- Organisations (‘controllers’) will only have to work with one authority instead of 28, good when it comes to reporting breaches
- Organisations above 250 employees (or 5,000 records held) must appoint a Data Protection Officer (DPO). This post can be shared with other organisations
- Non-EU companies will also have to comply. Nobody’s getting off this one, including third-party partners
- Every organisation will have to design in data protection during roll-out of new services and technology
- Personal data now has a defined lifecycle. Organisations will have to manage it very carefully or get into an expensive muddle
- Fines have been set at up to 4 percent of turnover or $20 million, whichever is higher. A two percent figure will apply for more minor breaches.
- SMEs (
- Requirement to notify of data breaches within 72 hours. Where breaches are not notified records still need to be kept
- Encryption avoids breach notification but only if it has been competently implemented
EU General Data Protection Regulation - for individuals
- Individuals will get more control over their data, including ‘portability’ when they move from one provider to another
- Consent must be given explicitly (not passively at present) and can be withdrawn at any time
- Individuals will have to be given more information about what data is held on them and how it is processed
- Qualified rights to be forgotten and more power to object to the ay data is processed
The first list is a lot longer than the second but that’s no guide to the long-term implications. Too many companies have grown used to collecting data as if it’s a riskless part of their business, a mere data management headache. Once the GDPR gets into full sing it will start to become apparent that collecting data now comes with legal risks that dwarf the old IT assumptions.
The sort of data breaches that afflicted UK companies in 2015 would, if they occurred in the future, no longer be simply embarrassing clean-up jobs but financial and legal minefields opening shareholders to major losses. Take TalkTalk’s embarrassing series of data breaches as an example. The company claimed its loss-of-business and clean-up costs for the incident were around £35 million ($50 million). Under the GDPR they might have faced an additional £70 million fine and the possibility of legal action by customers. There would also be the possibility of further follow-on fines for repeat offences.
It'll be three years before GDPR bares it teeth and companies will face major logistical challenges getting a grip on their data, especially unstructured data scattered hither and thither. Fortunes will be made making all this tick over. But disaster awaits companies that misunderstand what’s going on here.
The GDPR isn’t something they have to understand, spend a bit of money on, and move on. It’s here for good. Personal data will never be the same again.