When is privacy not something to keep quiet about?
GDPR to take effect in 2018
Technology advancements have fundamentally altered how organizations collect, use and manage data. In light of this, in 2012 the European Commission embarked on a process to both update, simplify and bolster privacy regulations, and allow EU residents to resume control over their personal data. The culmination of these efforts is the General Data Protection Regulation (GDPR).
Released in 2016, and due to come into effect 25 May 2018, the GDPR is an omnibus data protection law that builds upon and expands the Data Protection Directive 95/46/EC (the Directive). It will ultimately replace the Directive to become the single regulation for data privacy protection.
The GDPR applies to any organization, regardless of geographic location, that controls or processes the data of an EU resident.
What the GDPR will mean for businesses
The GDPR strengthens individual rights over their personal data. Organizations will have to provide EU residents with clear and unambiguous information on how their data is being processed, and they will have to obtain explicit consent from residents to process it.
Any organization that markets or provides products or services to EU residents will be subject to the GDPR. For all intents and purposes, this makes the GDPR a global law.
Under the GDPR, data protection authorities have been consolidated under one supervising authority through which organizations will liaise. This will streamline reporting obligations for organizations and reduce the cost of reporting.
Organizations that conduct large-scale processing, or processing of certain types of data as part of their fundamental business activities will be required to appoint a data protection officer. The data protection officer will be the single source of contact for the supervising authority and will be required to advise upon, and maintain compliance with the GDPR.
Rather than requiring a one-size-fits-all solution, the GDPR advocates a risk-based approach that allows organizations to tailor their privacy protection programs based on the risks that are most material to the organization. A risk-based approach elevates privacy protection from a tactical compliance initiative to a strategic imperative.
Organizations will now be required to design policies, procedures and systems that follow Privacy by Design (PbD) principles at the outset of every product or process development. This will force organizations to embed privacy protection into every aspect of their business rather than bolting it on as an afterthought.
Organizations will now report data breaches to one supervising authority under a single streamlined breach notification requirement. This requirement stipulates that organizations have 72 hours from the time they discover the breach to notify the authority.
Organizations that violate the basic processing principles of the GDPR may be subject to fines totaling as much as 4% of the organization’s total global annual revenue.
Organizations will be required to implement security measures that balance the newest technology with the cost of implementation and reflect the severity and likelihood of risks to an individual’s rights and freedoms. Organizations that adhere to either an approved code of conduct or an approved certification mechanism may use these tools to demonstrate compliance with the GDPR’s security standards.
Consent must be “freely given, specific, informed and unambiguous.” Specifically, the GDPR requires the data subject to signal agreement by “a statement or a clear affirmative action.” It also places new restrictions on the ability of children to consent to data processing without parental authorization.
The GDPR allows data transfers to countries that provide an “adequate” level of personal data protection as determined by the EC. Transfers may also be allowed to non-EU states without an adequate level of personal protection, provided they use other methods of data protection, such as the use of standard contractual clauses or binding corporate rules (BCRs).
Data processing may be characterized as “profiling” when it (a) involves the automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person. This definition implicitly excludes data processing that is not automated.
EY is ready to help our clients assess their programs against the GDPR requirements, design practical recommendations and help the monitoring of the program’s performance.Contact an EY privacy specialist for further information about how GDPR will affect you and for assistance preparing to comply with the new regulation.