The long-awaited General Data Protection Regulation (GDPR) will put individuals in control of their personal data, writes Shane Quinn, Commercial Product Director, Friends First.
The General Data Protection Regulation (GDPR) has been the most lobbied regulation in the history of the European Parliament. It is expected to have the most significant effect on the financial sector, where millions of financial records and personal data transactions are handled daily. Data is the lifeblood of the financial services industry and the need for proper management and use of such data has never been greater.
Some companies look at the new GDPR rules as a hindrance to how they run their business, imposing stricter data protection rules that could limit their ability to advance their digital offering.
However, another school of thought is that stronger data protection laws are an enabler, allowing you to offer an enhanced service to customers and build that all-important aspect of trust with both your existing and potential customers.
The GDPR will put individuals in control of their personal data. It is one of the most groundbreaking pieces of EU legislation in the digital era. The GDPR aims to make businesses more accountable for data privacy and offers citizens extra rights and more control over their personal data.
Where personal data is not treated correctly, individuals will have increased legal rights and, in certain instances, will be able to claim compensation. Regulators across the EU will have significant powers to enforce the legislation and impose hefty fines in instances of non-compliance.
The GDPR will replace the current EU Data Protection Directive, which has been in place since 1995. It will be directly applicable in all 28 member states without the need for further national implementing legislation.
It’s fair to say that the majority of businesses in financial services are only becoming aware of this legislation. While it is complex and wide-ranging, the following are the key areas of change that organisations need to be aware of and prepare for:
- Increased territorial scope – the jurisdiction of the GDPR will be extended to apply to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location.
- Consent – explicit permission to hold any personal data in electronic systems will become mandatory. It will no longer be possible to rely on implied consent, with individuals having the option to opt out.
- Breach notifications – the notification of a breach, where there is a risk that the rights and freedoms of individuals could become compromised, must be reported within 72 hours of the breach being identified.
- Right to access – data subjects will now have the right to obtain confirmation from you of what personal data is held concerning them, how it is being processed, where and for what purpose.
- Data portability – data subjects will now have the right to receive the personal data concerning them, which they have previously provided, in a commonly used and machine-readable format.
- Right to be forgotten – data subjects will now have the right to be forgotten, which entitles the data subject to have you ensure that information is deleted from every piece of IT equipment, portable device and from server backups and cloud facilities.
- Privacy by design – privacy by design calls for the inclusion of data protection from the outset of system design.
- Mandatory data protection officer (DPO) – a DPO must be appointed by all public bodies and by businesses where core activities involve regular and systematic monitoring of data subjects on a large scale or the handling of a large scale of special categories of data. There is an exemption available for certain categories of SMEs.
- Tougher penalties – companies will face fines of up to €20m or 4% of global turnover for non-compliance, whichever is higher.
- Appointment of data protection officers – Certain organisations will be required to appoint a DPO.
The GDPR will have a significant impact on all organisations doing business in Ireland and the EU. It is critical for organisations to begin preparing for what will be the biggest change to data protection laws in over 20 years.
Education and awareness of the key changes as outlined above amongst the senior management team is vital in getting the attention this legislation deserves and needs.
Thereafter, conducting a gap analysis to understand your company’s state of readiness is among the necessary first steps in preparing your organisation well in advance for this legislation.