This article was first published on Nexia International Global Insight April 2018.
The 25 May 2018 deadline for the new European data protection regulation is fast approaching and will affect almost every company in the EU, as well as any business outside the EU that holds data on EU citizens.
For any business that processes personal data, the General Data Protection Regulation (GDPR) should be of real concern, as failure to comply could result in fines of up to the higher of €20m or 4% of aggregate global group sales.
GDPR imposes increased obligations on the handling of personal data compared to previous legislation. As such, its application from 25 May 2018 will affect most businesses within the EU economy but also businesses outside the EU that keep any data on EU citizens. Businesses need to act quickly if they have not started making preparations.
In today’s data-rich environment, personal (and private) data is of increasing value. Similar to stock-in-trade, information is easily bought and sold, across many sources and platforms around the world. GDPR is the EU’s attempt to enhance the data security protection of EU individuals, set in the context of ultimately giving individuals the trust and the power to exploit their own data currency.
The need for the stringent requirements stipulated in the GDPR framework arises from the increasing volume and value of personal data, as well as the increasing number of data breaches. The regulation aims to bring together all applicable laws on the use and processing of personal data. The goal is to increase corporate accountability on data processing and provide more robust data protection compliance. All companies providing services to EU citizens are subject to GDPR.
The GDPR is set to affect three key data areas:
Breaches
From 25 May 2018, any company that identifies data misuse or loss must notify all relevant breaches to the competent data protection authority (DPA) within a maximum of 72 hours. Each EU country has a separate DPA. If these breaches have no impact or present no risk to the rights and freedoms of the data subjects concerned, then no report is required to the DPA. If the misuse of data puts individuals at high risk of adverse impact, then the individuals must also be notified immediately.
The potential adverse publicity from such data breaches means many businesses will need to focus on enhancing their cyber security.
Anyone controlling and processing data, along with any service providers, must maintain records about their processing activities. For many businesses, identifying the source and location of personal data will be one of the biggest and most time-consuming GDPR challenges. These records should contain information such as:
• data content
• purposes of data application
• data categories processed
• categories of data recipients
• data security measures adopted
• length of planned storage period
Many companies engaged in processing personal data will be required to appoint a data protection officer, for instance if they process certain specified categories of data or perform online behaviour tracking of individuals, such as consumer preferences.
Rights of individuals
Many of the rights of individuals are enshrined in existing EU directives. However, GDPR also introduces new rights for individuals, including the right to permanently delete all information held about them. Companies will have to obtain specific consent from individuals on an opt-in basis regarding the collection and processing of their data, and with clear privacy notices, which can no longer be buried in terms and conditions.
The potential penalties for non-compliance with GDPR may be draconian, although in reality it is likely that the more severe penalties will only be applied to businesses who choose to ignore GDPR. Either way, it should be recognised that GDPR affects just about any economic entity holding data about EU subjects, regardless of scale and location. This includes, for example, any company that has its own payroll accounting department or a comprehensive customer administration system, or any company that requests personal data from customers.
These changes are far-reaching, since very few companies can exist without the personal data of customers, suppliers or employees. It will be a major challenge for many organisations to be fully compliant with GDPR by 25 May 2018. Although the legal framework continues to be developed and interpretations are still being refined, organisations should plan their journey towards GDPR compliance as soon as possible. It is particularly important for businesses that hold sensitive data. At the very least, all businesses must be able to recognise notifiable data breaches if they occur from 25 May 2018, and know how to make an appropriate report within 72 hours.
Here are some high-level suggestions on what organisations can and should immediately undertake to help ensure their compliance with GDPR:
• Appoint a senior manager to oversee the project.
• Prepare a data inventory and data flow map.
• Prepare a gap analysis.
• Update data protection policies.
• Review and update cybersecurity measures.
• Review existing contracts with clients, suppliers and employees.
• Review adequacy of consents previously provided.
• Implement breach management processes.
• Provide staff training.
This article is contributed by Nexia member firms:
Consultatio Wirtschaftsprüfung GmbH & Co KG, Austria
Ingo Koehne (Nexia GRC chair)
Ebner Stolz, Germany
Smith & Williamson, UK