Published today in the Official Journal, the GDPR will be applicable from 25 May 2018
Today a landmark has been reached. The General Data Protection Regulation (GDPR) has been published in the Official Journal of the European Union. From tomorrow the 20 day countdown until the GDPR comes into force on 25 May 2016 begins. However, the Regulation will not be applicable until 25 May 2018 due to its two year implementation period. It is considered to be the most remarkable thing to have happened in data protection over the last 20+ years and during this period the concept of data protection has firmly transitioned itself from the side lines to centre stage. While today 25 May 2018 may seem far off, given the level of fines available to Data Protection Authorities, the increased obligations – the majority of which will be new to data processors, the requirement to demonstrate accountability, the expansion in the rights of data subjects, not to mention the extended territorial scope now is the time to get ready for the GDPR.
So where do you begin. Getting GDPR ready is a fantastic opportunity to "put your house in order" and assess your current data protection practices and the data you collect and process. Once this exercise has been undertaken you can assess the requirements of the GDPR before performing a gap analysis to determine what your organisation needs to do in order to become GDPR compliant. Given the high stakes involved as well as the pervasiveness of data protection today this is not a sole task for a company's data protection officer. It is a firm wide project that needs investment and input from the top down. Getting the Board of Directors involved is an initial first step. It is foreseeable that some Boards may be reluctant to engage yet once informed about the level of fines for non-compliance with the GDPR ("up to 20,000,000 EUR, or … , up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher") any apathy is at their own risk and to the detriment of the company. To quote the UK's Information Commissioner Christopher Graham, "There are 20 million reasons to get EU data reforms right"!
The GDPR highlights how private companies and public authorities utilise technology to "make use of personal data on an unprecedented scale in order to pursue their activities". Upon launching the GDPR, the Commission highlighted how 70% of European data consumers were concerned about their data protection. With increased data subject activism (think Schrems and the invalidation of Safe Harbor) it is vital that businesses get themselves GDPR compliant to avoid such criticism and adverse publicity. Gaining consumer trust is essential for businesses and being transparent with data subjects, as the GDPR demands, will facilitate this. Furthermore, being data protection compliant and GDPR ready while embracing data protection good practices can act as a competitive differentiator and attract customers. It will also enable companies to tap into the value of their data. Another message for the Board, if they are still not engaging, our competitors are getting GDPR ready and we need to do so without delay.
Today's data protection framework is continually evolving and requires data controllers and data processors to frequently assess, monitor and evaluate their data protection practices. To underline the importance of this strategy one only needs to consider the data breach notification obligation under the GDPR. Controllers will need to notify a data breach to the supervisory authority (presently known as the Data Protection Authority) "without undue delay and, where feasible, not later than 72 hours". That's a critical and short time period to contain and manage damage limitation. What security measures to do have in place? Have these measures been tried and tested? Have lessons learnt from such trials been implemented? Do you have a procedure for informing data subjects about a breach? Who are the main points of contact to coordinate the management of a data breach? This is a non-exhaustive list of considerations and practices which companies need to: be familiar with; prepared for; and implement in respect of just one obligation under the GDPR. How does your organisation fair? And of course, besides implementing such practices, organisations need to be able to demonstrate their accountability under the GDPR, which presents further questions such as are all your records and policies readily available; how and when do you deliver security training; can you evidence that the objectives of the training were met?
Brand is everything in a commercially competitive environment, sieged by digital disrupters and constantly exposed to new start-ups. Data protection and security are an essential means by which to protect, sustain and enhance a brand. Furthermore, adopting a GDPR compliant readiness programme can only strengthen one's brand. It is easy to advise don't put off until tomorrow what you can do today. Nonetheless taking a proactive approach to become GDPR compliant will produce results and provide robust resistance to any enforcement provisions and exposure to a high level of fine.
For anyone who may consider waiting a few more weeks for the results of the Brexit campaign that is just another delaying tactic and time wasted. The Information Commissioner's Office has issued a statement highlighting how, regardless of the decision, the "UK will continue to need clear and effective data protection laws". Given the vast amount of input the UK has had into the GDPR and the golden standard of data protection it provides, it would be quite unconscionable for the UK to adopt anything below this threshold for data protection in a digital age, if the UK does leave the EU. So don't delay and get GDPR ready!