After four years of tedious but important deliberation, the EU General Data Protection Regulation (GDPR) is finally upon us as a final text, or will be when it is formally ratified by the European Council in early 2016.
After being confirmed by the 28 member states, it should come into force by 2018, a timetable that gives affected organisations just over two years to implement its provisions or face the consequences. The GDPR comes loaded with such provisions, many of them positive, some surprisingly negative in terms of implementation effort and cost.
A lot of vendor commentaries talk up the downsides, usually out of self-interest. Frankly, there is a lot of money to be made helping companies understand what the GDPR is, how it might generate risk, and how it should be safely navigated. Organisations shouldn't let themselves be lulled into the consultant's world view. This isn't just about compliance but a change in the way they must understand the gathering of customer data. Power is deliberately being moved from the collectors of data to the collected and a lot of assumptions need to be re-examined.
It's not easy to summarise the GDPR's many complicated effects on the current data protection regime but here is a starter list:
EU General Data Protection Regulation - for organisations
- Only one set of laws across all 28 states - this makes life a lot simpler for multi-nationals compared to today's mish-mash of national provisions
- Organisations ('controllers') will only have to work with one authority instead of 28, good when it comes to reporting breaches
- Organisations above 250 employees (or 5,000 records held) must appoint a Data Protection Officer (DPO). This post can be shared with other organisations
- Non-EU companies will also have to comply. Nobody's getting off this one, including third-party partners
- Every organisation will have to design in data protection during roll-out of new services and technology
- Personal data now has a defined lifecycle. Organisations will have to manage it very carefully or get into an expensive muddle
- Fines have been set at up to 4 percent of turnover or $20 million, whichever is higher. A 2 percent figure will apply for more minor breaches
- Data breaches must be notified within 72 hours. Where a breach is not notified, records of it still need to be kept
- Encryption avoids breach notification but only if it has been competently implemented
EU General Data Protection Regulation - for individuals
- Individuals will get more control over their data, including 'portability' when they move from one provider to another
- Consent must be given explicitly (not passively, as at present) and can be withdrawn at any time
- Individuals will have to be given more information about what data is held on them and how it is processed