The EU General Data Protection Regulation will come into effect in May 2018: The countdown has begun
It was 20 years ago that the EU first issued a directive on the processing of personal data. A great deal has changed since then, including the type and volume of data, the processes involved, etc. Now, data protection has been revised and, on May 25, 2018, the EU General Data Protection Regulation will come into force. But what does that mean for businesses? Here is an overview.
The EU General Data Protection Regulation (GDPR) standardizes European data protection legislation to a very large extent. It aims at protecting the basic rights and freedoms of natural persons, specifically the right to the protection of personal data. There are a number of changes compared with the currently applicable legislation, and the GDPR requires businesses to implement numerous new processes. In particular, the new obligations regarding transparency and the provision of information to affected individuals, documentation of data protection processes, data portability, data protection by design and by default, and data protection impact assessments will require businesses to invest some effort in implementing suitable measures.
The marketplace principle for personal data
The territorial scope is also being expanded, following the marketplace principle: if a data processing operation serves the purpose of offering goods or services to affected individuals in the European Union, or of observing their behavior in the European Union (e.g. in the case of web tracking), the processing organization must comply with the GDPR, even if it is located outside the EU. And last but not least, the fines for violations are being drastically increased compared with current legislation: in the event of non-compliance, businesses can be fined up to 20 million euros or four per cent of their global turnover, whichever is greater. The supervisory authorities are also called upon to ensure that such fines are “effective, proportionate and dissuasive”.
What needs to be done?
Every business that processes personal data must implement the GDPR. A multi-stage process can be helpful in this implementation:
1. Establishing the status quo with respect to data processing operations, processes, and documentation within the business, answering questions such as:
- Which departments process what data for what purpose and in what way? How long is this data stored? What rules are in place for deleting data?
- What is the status of documentation with respect to the identified processing operations? Are the appropriate procedure logs available?
2. Comparison of the status quo with the requirements of the GDPR (gap analysis), e.g.:
- Performing a check to establish whether there is a legal basis for each data processing operation in compliance with GDPR requirements. That is the case, for instance, if consent has been obtained from the affected individual or if the processing is necessary for the fulfilment of a contract to which the person concerned is party (Section 6 Para. 1 (b) GDPR). If there is no legal justification, the particular data processing operation is inadmissible.
- Performing a check to establish if a controller/processor relationship exists (see Section 28 GDPR). In that case, any order processing contracts that continue beyond 05/25/2018 must be adapted to meet the requirements of the GDPR.
- Maintaining a record of all processing operations, including the details required by the GDPR (Section 30 GDPR). The record of the processing operations pursuant to Section 30 GDPR includes details exceeding those required by current legislation.
- Introduction of a data protection management system to control and monitor compliance with data protection requirements. This system must include, for example, standard processes for documenting the legal basis of processing and for fulfilling the rights of the affected individuals pursuant to Sections 12 to 21 GDPR.
- Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the person or body responsible must carry out a prior assessment of the impact of the processing. Among other things, this risk assessment must include a systematic description of the planned processing operation, an assessment of its necessity and proportionality, and the measures envisaged to overcome any risks (Sections 35 and 36 GDPR).
3. Prioritization of the measures to be implemented (impact analysis) and preparation of a project plan for the implementation phase.
The competitive advantage from the GDPR
The new GDPR will pose a number of challenges for businesses, and the key date next May is approaching fast. But the regulation also harbors some opportunities. First of all, the redesign of processes can be used to optimize them, thereby saving time and costs in the long term. Secondly, businesses can realize a competitive advantage by not only implementing the new regulation, but also showing that they use data to improve the customer experience.
There is still great skepticism among consumers where the divulging of personal data is concerned. This is shown in the current Global Trends study by the Ipsos market research organization. 54 per cent of respondents in this survey stated that they felt uncomfortable about passing on or sharing personal data. But three years ago, this proportion was actually still as high as 63 per cent, so the willingness to share data has risen. And a representative survey commissioned by the Vodafone Institute for Society and Communications, where over 8,000 people in eight European countries were surveyed, showed that a large proportion of European users of digital services are willing to share personal data as long as there is transparency on the part of the businesses and the consumer gains some added value.
You can find the finalized text of the General Data Protection Regulation at: https://gdpr-info.eu/
This article is intended to provide general information about the GDPR. It is not to be seen as legal advice.
Author: Redaktion Zukunft. Kunde.
Image: scanrail – Adobe Stock