The General Data Protection Regulation (GDPR) is a regulation that will go into effect on May 28th, 2018. It is designed to give individuals better control over their personal data. The law will apply to any company providing services in the EU, and it requires those services to comply with the GDPR whenever they deal with an individual from the EU.
The GDPR applies to controllers and processors that are handling the personal data of European individuals. Perhaps one of the most important things to note is that this new regulation applies to ALL organisations collecting and processing personal data of individuals residing in the EU, regardless of the company’s physical location.
Article 4 of the EU GDPR clarifies the different roles between controllers vs. processors, which are defined as:
- Controller – “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
- Processor – “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
Key features of the GDPR:
- Jurisdiction of the regulation is less related to the location where a business is incorporated or headquartered and more to the location of business activity.
- GDPR will apply to the processing of personal data by businesses “established” within the EU. It will also apply to businesses established outside the EU if their processing activities relate to the offering of goods or services to individuals in the EU or to the monitoring of such individuals’ behavior.
- In addition to ‘consent’, the “right of portability” and the “right of erasure” are two additional privacy rights granted to individuals under the GDPR.
- The right of portability affords citizens easier access to their own data. Upon request, individuals will be able to transfer all data from one provider of goods or services to another; specifically, this provision was created to foster healthy competition and increase accountability among providers.
- Under the “right to erasure,” (also known as the “right to be forgotten”) individuals can have their personal data erased upon request.
- Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”
- In the event of a personal data breach, data controllers will be required to notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it,” unless there is a “reasoned justification” for the delay. If the data controller determines that the breach is likely to “result in a high risk to the rights and freedoms of individuals,” it will also be required to notify the affected data subjects.
Obligations of data controllers
- Under the GDPR, data controllers will be required to implement the concepts of Privacy by Design and Privacy by Default. These obligations mean that, at all stages throughout the conceptualization, design, and execution of data processing, the controller must implement measures to ensure that the requirements of the GDPR are met.
- Data controllers and processors will be required to designate a data protection officer to oversee compliance with the regulation. Data protection officers must be appointed where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data.”
How should companies budget for GDPR compliance?
- Preparing a budget for GDPR compliance is a difficult task as it can vary based on the industry that a particular organization is in and the data that needs to be processed. Sensitive data, such as data relating to health, are regulated much more strictly under the GDPR than other types of data and will require compliance with additional obligations, such as conducting data protection impact assessments.
- For instance, in healthcare the GDPR prohibits the processing of certain special categories of personal data (or “sensitive personal data”), subject to certain exceptions. The special categories of personal data include, among other things, genetic data and data concerning health, all of which have been defined. This means that more non-EU-based organizations operating in the life sciences and healthcare sectors (for example, contract research organizations involved in clinical trials, providers of healthcare services and health insurance companies) are likely to be subject to the GDPR, going forward, than were subject to previous European data protection legislation.
- The size of the company also matters since it is usually more cumbersome to implement a privacy program in a big company as fundamental organizational change impacts so many more individuals, databases and processes.
- The most important factor for determining the required budget is whether a company is starting from scratch or whether it is building on an existing privacy program. However, a broad template that can be used to create a budget for GDPR compliance is as follows:
  - Budget for data inventory and mapping.
  - Budget for privacy and state-of-the-art safety by design and by default. Note that neither privacy by design nor state-of-the-art safety is achieved through a single software solution; each involves two distinct processes, one for future data collection and one for “sanitizing” legacy data sets that a business wants to hold on to, or for erasing datasets it no longer wishes or has reason to rely upon.
  - Budget for solutions to enable the exercise of Art. 15-22 data subject rights. This part of the budget should be owned by IT, especially as the Art. 17 right to erasure, Art. 20 right to portability, Art. 21(1) right to object to processing and Art. 18 right to restriction of processing are not achievable through ad hoc intervention alone but involve core and very demanding IT architecture changes. Note that reliance on legitimate business interest as a lawful basis for processing is no easier on the IT architecture than reliance on consent.
  - Budget to train employees to recognize GDPR personal data flows. As a business’s first and best line of defense, employees will contribute to filling the inevitable gaps in a data map.
  - Budget for incentives for hunting down “rogue or non-obvious” personal data records. If, on budget day, anyone laughs this off, refer them to the extensive Bug Bounty literature in IT security and Microsoft Corp.’s well-known six-figure vulnerability rewards for ethical hackers.
  - Budget to train employees. Existing employees should be trained to understand the functional specifications of the GDPR in their own role and business function.
  - Budget to train employees to negotiate with sector-specific vendors and co-design GDPR solutions for their role and business function. If they have not helped design these solutions, they will not use them. Central ownership of the compliance programme is key, but delegating/decentralizing the research of potential solutions multiplies the chances of success.
  - Budget for stress-testing the GDPR resilience of the solutions proposed. Seek inspiration from the “Hack the Pentagon” initiative and the EU’s own Bug Bounty funding. Keep the two budgets separate: one to support identification of potential personal data leaks, and a different one to stress-test the solutions found to prevent personal data leaks, including access control layers, encryption and de-identification of the data sets themselves.
  - Budget to co-ordinate and integrate the solutions crowdsourced from the business units/functions. Set up a single accountability/demonstrability framework. The different solutions need to integrate with each other, and central project management is key.
  - Budget to hire both a GDPR architect and a GDPR DPO. There will be collaboration first and then a handover between the first and the second, but a single professional profile with both sets of skills does not yet exist or is extremely rare.
Market size estimation for GDPR compliance
- Data protection in the UK is based on compliance with the Data Protection Act 1998, which was passed to bring British data protection law into line with the 1995 EU Data Protection Directive.
- Most UK companies have therefore already developed data privacy standards that can satisfy some portion of the new GDPR. However, the heavy penalties arising from non-compliance with the latest regulation have forced companies to review their standards once more.
- Under the GDPR, administrative penalties, at least on paper, will be mandatory and uniform, and they could be imposed for any intentional or negligent violation of the GDPR’s provisions. Depending on the provision of the Regulation that is violated, companies could face fines of up to €20 million or 4% of annual worldwide turnover.
- Despite this, a new study conducted by Crown Records Management found that 24% are no longer preparing for the regulation. A further 4% have not even begun to prepare.
- According to the UK Ministry of Justice (MOJ), the cost to UK businesses will be £320 million a year, and £2.1 billion over fourteen years.
- A report for the Information Commissioner’s Office finds that appointing a data protection officer to oversee compliance will cost between £50,000 and £75,000 annually, and for UK businesses of all types a total of £229 million. For SMEs it could add £182 million to salaries, and for larger companies £47 million.
While getting to full compliance can be difficult and complicated, once full compliance is achieved, organisations will likely see significant benefits, especially larger corporations looking to enter new markets. Since data protection regulations will be the same throughout Europe, organisations no longer need to consult local lawyers to ensure local compliance, which results in direct cost savings and legal certainty. Whatever the costs will be for individual companies, the cheapest way to tackle the GDPR is to start preparing as soon as possible. The later it is left, the more expensive and disruptive it will be, and the time available in which to prepare might not be sufficient.