The General Data Protection Regulation (GDPR) will replace the existing European Data Protection Directive legislation in May 2018, and it’s a hot topic for many businesses that are in various stages of preparation for it.
While the existing directive is open to interpretation, the GDPR spells out exactly what is needed to stay within the confines of the law; any company not compliant will be subject to fines.
So what are the realities of the GDPR legislation, and what do responsible businesses need to accomplish to meet the final compliance deadline in May?
I sat down with Nicola Howell, the EU Data Protection Attorney at Dun & Bradstreet, to find out from our resident expert more about what the GDPR means, who it affects, and how companies can best prepare for and sustain GDPR compliance in the longer-term.
What is the GDPR and why is it needed?
Nicola Howell: The GDPR is the new data protection regulation within Europe. The existing Data Protection Directive legislation is more than 20 years old, and in the last two decades, we’ve seen huge advances in technology. The way people use technology and social media has completely changed the landscape, and this regulation catches us up with the world today.
This law comes into effect throughout the EU on 25 May 2018, and it will replace the existing directive. As the UK will be subject to EU law when GDPR is enforced, the UK government has signalled its intention to observe the new regulation, despite the impending departure from the EU due to Brexit.
How is GDPR different from the existing directive?
Howell: We see GDPR as an evolution of the current legislation. The rule book has not been torn up and started again; rather, it builds on what is currently there. A lot of the concepts are the same; a lot of definitions are the same. But from a technical and legal perspective, there is a fundamental difference: the current legislation is a directive, and the new legislation is a regulation.
The current legislation means each of the member states can implement the existing directive within a certain framework. It gives member states flexibility and room for manoeuvre. A regulation, however, applies directly in all member states, ensuring more consistency across the board. Under current legislation, there are 28 different versions of what data protection looks like, which has created complexity and confusion. Now there will be one main version of the law that will align the 28 different member states. Other differences are that data governance is being strengthened and more accountability will be required, which means companies need to dedicate more resources to meeting the regulation.
How does the Privacy Shield Framework fit in?
Howell: Privacy Shield is an EU-approved mechanism of transferring personal data out of the EU to the US. There’s very little point in having legislation within Europe that all goes out of the window when data is transferred outside of Europe. An organisation needs to put in place safeguards, and Privacy Shield was created by the EU and the US as one of several safeguards available to address this issue. Transferring personal data out of the EU is one section of the GDPR, so the Privacy Shield aligns and coincides with the GDPR, even though it precedes it.
What are the key challenges businesses face regarding GDPR compliance?
Howell: The key thing businesses need to understand is how the GDPR affects them, and I think many are still trying to work this through. The new accountability obligations in the legislation will be new for all businesses. Each company needs to review the regulation, figure out how it applies to their business and what compliance means for them. The legislation is written in a general way to capture every single industry and organisation, regardless of size or type (government, not-for-profit, or commercial), that processes any type of personal data. It covers everyone from online retailers to banks to video shops, and it will have varying levels of impact.
Because we’re moving from a directive to a regulation, some member states will feel a different impact than others. For example, some may see a relaxation of data regimes, while others are looking at a more restrictive regime. How companies deal with GDPR varies greatly by country. The UK, for instance, will see no change to the grounds under which a business can process personal data: the GDPR is very aligned to the current Data Protection Act 1998 in terms of grounds of processing. However, for Spain and Hungary, a new ground of processing will be introduced by the GDPR, so those member states are currently adjusting to a whole new concept.
The GDPR has been drafted to make sure international companies are on a level playing field with European countries when it comes to managing EU data.
What should companies focus on for the May 2018 deadline?
Howell: GDPR legislation has been in force since 2016, when it was initially passed, and May 2018 is the final deadline to comply. Companies have been given two years to get up to speed, so they are expected to have everything in place by the time the regulation is enforced in a few months’ time. Companies can be prosecuted for non-compliance, so it’s important to ensure everything is in place.
The areas of focus we suggest to companies to help them prepare for the GDPR deadline include:
- Know your definitions – Ensure you have a full understanding of the regulation, terminology used, and the impact it will have on your specific business.
- Identify your high-risk activities – Look at your business in full to assess what impact GDPR will have and where you need to focus to avoid penalties.
- Who has the right? – Make sure you have a full understanding of the rights of the data subjects and of your role as data controller.
- International Data Transfers – The GDPR does not just apply to businesses within the EU; it covers personal data on any European individual, so companies operating globally need to be clear about what the regulation means for them.