The European General Data Protection Regulation (GDPR)

The implementation of the new General Data Protection Regulations (GDPR) is gathering momentum heralding far-reaching changes to business operations, global commercial relationships and personal freedom in the business community relating to the European Union.

The Main Tenets of the GDPR

• A single set of rules. Data protection rules will blanket the entire EU to remove onerous administrative requirements.
• A single authority. Each region will have a data protection regulator who will need to liaise with regulators in other EU countries. (That word “single” is not entirely accurate because there will be a super regulator.) The EU Data Protection Board will include the head of each national data protection regulatory body and the European Data Protection Supervisor. This Data Protection Board will be empowered to guide and resolve disputes among national regulators.
• Definitions of data. The scope of “personal data” has expanded. Two new categories of data – genetic and biometric – are included on a list of “sensitive data”, which also includes racial or ethnic origin, political opinions, religious or philosophic beliefs, trade union membership and data concerning health or sexual orientation.
• Pseudonymised vs anonymised data. The regulation does not apply to fully-anonymised data whereas pseudonymised data is personal data because it can be re-associated with a specific individual.
• Consent. This must be specific and informed and given freely by the data subject. There are, however, limitations on consent and consumers cannot be asked to agree to any unfair contractual terms in exchange for their consent. Consent is also not valid where there is “a clear imbalance [of power] between the [consumer] and the [company]”. Importantly, consent is not valid in the context of a contract if the consumer must give consent for use that is not necessary for the performance of the contract. This will significantly affect the business model of free apps or services that rely on selling user data to pay for the costs of providing the service.
• Internal controls. Policies and procedures regarding this will have to be produced in the event of a complaint. Data breaches and investigations must be documented.
• Data Protection Officer (DPO). Companies operating with large scale customer databases must have a DPO. SMEs of less than 250 employees will be exempt unless personal data processing is core to their business.
• Data portability. Consumers will have easier access to their data and transferring it will be made easier.
  A "right to be forgotten" or erasure. When an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted. This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press.
• Data protection by design and by default. ‘Data protection by design’ and ‘Data protection by default’ are now essential elements in EU data protection rules. Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.
• Breach notification. Companies have 72 hours to notify the national data protection regulator of any breaches.
• Fines for mismanagement. Fines of up to 4% of worldwide turnover will be issued to companies for data mismanagement.

How to prepare for GDPR

1. Prepare to redesign your data management processes and IT systems with a much greater emphasis on data protection and security. Note that you will be required to show your security policies and strategies on request.
2. Form a group to oversee all your privacy activities under a senior manager. If you have more than 250 employees, appoint a Data Protection Officer. This group will need to report regularly on the status of privacy efforts and create statements of compliance.
3. Create and implement a breach notification process and enhance your incident management and detection and response capabilities. Every data breach must be reported even if protective measures such as encryption are in place.
4. Prepare your company to fulfil the “right to be forgotten”, “the right to erasure” and the “right to data portability” requirements. You will need to institute a strategy for data classification, retention, collection, removal, storage and search. All methods of data collection must be included such as the internet, call centres and paper.
5. Create and enforce privacy throughout your systems. Privacy control will have to be simpler, stronger, harder to by-pass and embedded in the system’s core functionality.