Dr John Ghent, managing partner with Sytorus, a leader in data protection, demystifies the new EU General Data Protection Regulation.
On March 12th in Strasbourg, the European Parliament voted in favour of the new General Data Protection Regulation (GDPR). As this is a regulation, and not a directive, this law will come into effect once it is passed by the Council of Ministers. All indicators so far suggest that this regulation could be enforceable as early as 2016.
So what does this mean for Irish companies?
The regulation will strengthen citizens’ rights and compel companies to place more emphasis on the security and treatment of personal data.
Some of these new obligations are:
The creation of a data protection officer: One of the new proposals of the upcoming EU GDPR is the mandatory appointment of a data protection officer for companies processing the personal data of more than 5,000 data subjects in any 12-month period.
This will undoubtedly affect a huge number of businesses in Ireland. There is also a significant shortfall of qualified individuals for this role across Ireland and Europe.
While it was initially intended that this data protection officer would be a member of staff, there is no specific requirement in the current draft of the legislation that the officer must come from within the organisation, or that this is a full-time role.
The right to be forgotten: In addition, individuals who wish to have their data deleted have the right to ask companies to be ‘forgotten’. In the two weeks since the European Court of Justice backed up a ‘right to be forgotten’ request, Google received another 40,000 requests. This right will apply provided there are no other legitimate reasons for keeping the data.
The right to data portability: Individuals will also have the right to ask companies to transfer their data to a separate service provider. Not dissimilar to Subject Access Requests (SAR), this challenges companies to know where data is at all times, in both paper and electronic form.
Companies can currently charge a maximum of €6.35 for a valid SAR; it is as yet unclear what fee can be charged for portability requests.
Privacy by design: Companies will be obliged to compile Privacy Impact Assessments (PIA) for any new projects that involve processing of personal data and where there is perceived risk to the personal data.
The goal is to have privacy by default, rather than privacy as an afterthought. In certain situations, particularly where the PIA suggests there is a significant risk, the company (data controller or processor acting on behalf of the data controller) will have to consult with the data protection commissioner to receive an authorisation form permitting the data processing.
Interestingly, enforcement of the new regulation currently proposes fines of up to 5% of worldwide turnover for non-compliance.
Turning compliance into a business advantage
While the new regulation places significant obligations on companies, those that embrace good data management practices will gain significant benefits.
According to a recent EU press release, the value of European citizens’ personal data will grow to over €1 trillion annually by 2020, leading many commentators and investors to the belief that ‘data is the new oil’.
Irish companies are perfectly placed to realise much of this benefit. Firstly, the same rules will apply across the EU, which makes scaling a little bit easier. Companies can now select one jurisdiction and one data supervisory authority within the EU with whom to deal, and not have to liaise with potentially 31 different jurisdictions (28 EU states, plus Norway, Iceland, and Liechtenstein).
Secondly, and perhaps most importantly, proper management of personal data dramatically decreases the risk of a breach which can have significant reputational damage.
Data protection best practice increases the usefulness of the data which an organisation holds; it provides for higher quality analysis and more informed, compliant marketing. It minimises the costs of keeping and storing data, and introduces efficiencies within the flow of information throughout any company.
Getting the right information to the right people in real time is a by-product of optimised data management practices. As data is now seen as the new oil, isn’t it worth turning compliance into a business advantage?