The General Data Protection Regulation (GDPR) is a new EU law that will be in place as of May 2018. Many firms will already be anxious about the coming changes, and anyone who is handling the data of EU citizens should be giving the law due consideration.
The law will introduce many changes to existing rules. Most of these changes focus on enhancing individual citizens’ digital rights.
The GDPR will also introduce consistency, in that the rules will apply to anyone handling EU citizens’ data, which is a significant improvement on the existing complexity introduced by regional variations in law. But there are controversies.
In particular, the GDPR mandates penalties that are significantly larger than existing fines under the Data Protection Act.
All businesses will have to comply with the new GDPR rules irrespective of Brexit. The UK will still be part of the EU at the time the regulation comes into force, and there are no plans to seek an exception.
The reality is that from May 2018 the General Data Protection Regulation will apply to any organisation handling the data of EU citizens, regardless of the organisation’s size. This reality appears daunting to many, and anxieties abound.
However, there are benefits to the situation, and any business willing to embrace the coming changes may find itself at a huge advantage.
The penalty for data breaches under the new GDPR will be €20 million or 4% of the company’s annual turnover, whichever is larger. This sum is intended to serve as a deterrent, and it will be applicable in all EU member states two years after the rules are in place.
Due to the UK’s negotiated special status about justice affairs, these provisions will only apply in the UK to a limited extent.
Undoubtedly, companies will need to be mindful of the potential penalties when they consider data protection and finances.
The upside in this situation is that data protection should be a priority for anyone processing personal data anyway, and the looming threat of large penalties may help formalise strong protections as a priority in many organisations.
While the potential fine for non-compliance with the rules is assuredly concerning, it is a risk easily minimised by developing good data protection processes.
Currently, organisations operating within a member state must register with a data protection authority in that member state, even if they have already registered within another country beforehand. This formality piles on unnecessary bureaucracy for international companies, and the pointless busywork of repeated registrations wastes valuable time.
As of May 2018, organisations need only register with the data protection authority in the member state in which their main establishment is located.
This vastly simplified process is of immense benefit to international organisations.
Consistency Throughout the EU
Because it is a regulation, the GDPR will be directly applicable to each Member State. The exact measures of enforcement may vary, but the principles of the regulation will be applied and enforced relatively uniformly regardless of where in the EU you are located.
There are currently 28 EU Member States, and complying with each of their rules can presently be an organisational nightmare. The GDPR will go a long way to solving this.
In theory, once the GDPR is in place, an organisation will have only one set of rules to follow regarding data protection. This means organisations will only have one set of standards to keep track of, and this clarity and consistency allow a degree of focus that is currently impossible.
Sources of Opportunity
A Clean Slate
Data protection needs to be a fundamental priority for all organisations. Systems need to be modern, robust and intelligently managed. Sometimes, existing company infrastructure can get in the way of these needs.
The GDPR will demand that businesses review their data handling processes, and this will enable organisations to review their data flows objectively. Use the implementation of the Regulation as an incentive to find opportunities for improvement – not just for the sake of compliance with the rules, but for efficiency too!
Many grey areas of data protection have been clarified by the GDPR, and this is cause for celebration.
For example, the regulation confirms that the need for data protection does not apply in the same way to anonymous information (i.e. information unrelated to an individual, or personal information that is not identified with an individual).
It also confirms that pseudonymisation of data (i.e. processing data in such a way that the individual it relates to cannot be identified solely by the information within the data) is a desirable step and is considered an “appropriate safeguard”.
Organisations can embrace clarifications such as these and use them to refine and redevelop their practices. The existing ambiguity has left many guessing at what their processes should look like. Clarification of these concepts allows for focused improvements.
Many organisations are still lagging behind in their mindsets with regard to data. Any organisation that is willing to innovate and make changes will be at a huge advantage and will be well-placed to benefit from our changing world.
Making only the changes necessary to comply with the GDPR, and little more, is a missed opportunity to transform your business.
Instead, businesses should consider using the new regulations as a foundation for introducing new systems, building new processes and organisational structures that prioritise data protection at every level. This will create greater efficiencies throughout your organisation and empower your employees.
May 2018 is not far away, and there is little time for complacency. Businesses must now start to take action in order to comply with the new rules on data protection, or they risk large penalties. The time for considering data protection to be anything other than a high priority has long since passed.
The best way to avoid being hit with penalties is simply by seeking to attain excellent data protection standards. There are many benefits to the GDPR, such as improved clarity of organisational obligations, and a minimised regulatory burden.
Above all, the GDPR marks a shift in attitudes as we seek to embrace new technologies, and the best attribute of the GDPR is the opportunity it provides for businesses to embrace its principles and innovate in coordination with them.
Organisations that can view the GDPR not just as a new set of rules to comply with, but as a new reality in which to flourish, are the ones that will benefit most after May 2018.