This time next year the General Data Protection Regulation (GDPR) will be applicable. No doubt this is just one of many countdowns we will see over the forthcoming 12 months, but as with any milestone it provides a good opportunity to take stock and assess where you are.
Yesterday the European Commission published a press release about its priorities over the next year. It highlights how the success of the GDPR depends on Member States adapting national laws to the new rules, on citizens being aware of their new rights and on businesses being ready for this enormous change in the data protection landscape. The Commission is focused on ensuring the GDPR is a success and, to achieve this objective, will "engage with companies to make this happen" and "launch an EU-wide campaign to raise awareness so that Europeans are conscious of their rights".
The GDPR is particularly centred on preserving a data subject's fundamental right to data protection and, to this end, the legislation extends their rights. Individuals have a new right of data portability under the GDPR, and it will be necessary for businesses, where this is relevant, to have appropriate procedures in place to enable individuals to port their data to a new controller. Under the right to erasure, more popularly known as the "Right to be Forgotten", individuals can request that their data be deleted. Where a data breach is likely to result in a high risk to individuals, they must be told about the breach without undue delay.
Businesses therefore need to be familiar with data subject rights and be able to comply with them easily, especially as they must generally be facilitated free of charge and within strict time limits. Equally, this compliance will take place under the pressure of knowing that if anything goes wrong data subjects, or a representative body acting on their behalf, can bring a complaint to the individual's local data protection authority and/or a claim for compensation. It will also be much easier for an individual to claim compensation under the GDPR, so while regulatory fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher) can be imposed, the price tag for non-compliance could be much higher once claims from data subjects are added.
Beyond ensuring that you are able to effectively respond to and manage data subject rights there are a number of other important considerations which may assist you in determining how you best plan your resources and budget over the forthcoming months.
In no particular order of priority, you may want to consider (or even tick off your to-do list):
Privacy Notice: Have you reviewed yours recently?
Privacy Notices need to be in a clear and easy to read form and include certain mandatory information specified by the GDPR.
Consent: Are your existing practices compliant under the GDPR?
Consent must be freely given, specific, informed and "unambiguous" and, if you rely on consent to process data, you must be able to demonstrate that the data subject has given valid consent. Under the GDPR it must be as easy to withdraw consent as it is to give it. Do your systems provide a suitable solution for this?
Outside the EU? The GDPR may still apply to you.
The GDPR applies to businesses established in the EU. It also applies to non-EU businesses that (i) offer goods or services to individuals in the EU (whether or not payment is required); or (ii) monitor the behaviour of individuals in the EU. If the GDPR does apply to you, have you considered whether you need to appoint an EU data protection representative?
Data Protection Officer: Do you need to appoint one? Have you identified who will be your DPO?
A DPO can be in-house or external, but they must have expert knowledge of data protection law and a reporting line to the highest level of management, such as the Board. The DPO must also be free of any conflict of interest.
Breach Notification: How prepared are you for a data breach?
The GDPR introduces mandatory data breach reporting, which generally will need to happen within 72 hours of becoming aware of the breach. Do you know how quickly 72 hours can tick by when time is of the essence? Data protection authorities need to be notified and, as mentioned above, so do individuals where the breach is likely to result in a high risk to them. Do you have a tried and tested incident response plan in place? If not, it is an essential must-have.
Privacy by design and by default
Data protection is no longer a side issue. It is firmly centre stage and a core element of any design process. Data protection principles must be implemented and data minimisation is a key requirement. How are you ensuring this happens?
Accountability: Can you demonstrate your compliance regime?
Can you evidence that you are GDPR compliant? Under the GDPR a data protection authority has the power to enter your premises and ask you to evidence your compliance. Accountability goes well beyond the record-keeping obligations that the GDPR also imposes.
Processor Contracts: Are yours up to date?
The GDPR specifies mandatory terms that must appear in all contracts with your external data processors. All processor contracts, both new and legacy, must be brought into line. Have you started to prepare new contract templates and to (re)negotiate? Do not leave it too late!
Fines: Up to €10 million or 2%, or €20 million or 4%, of annual worldwide turnover
Although the level of regulatory fines that companies are exposed to and an individual's right to bring a civil action have already been mentioned, given the potential consequences they are worth repeating. It is also worth considering that the cost of becoming GDPR compliant is, for any business, a fraction of the fines, costs and brand damage it could easily be exposed to if an appropriate GDPR readiness strategy is not implemented before this time next year.
While the above is not an exhaustive list of what you must consider and action before the GDPR becomes applicable, it is a comprehensive start. Working through it will begin to flush out the more nuanced aspects of the GDPR, in tandem with the guidelines that the Article 29 Working Party has begun to publish.
What is certain as we enjoy the spring sunshine and head into a long weekend across parts of Europe and the US is that the clock is ticking, there is work to be done and preparation is key. Taking a proactive approach to data protection compliance can add value to your business and be extremely cost effective in the long term.