Companies have to work through a large number of complicated steps in order to become fully compliant with the new EU-GDPR. Significant additional expense is to be expected on the part of the organizations. According to a current Ponemon study, more than one third of surveyed German companies said they had not yet taken any steps towards ensuring GDPR compliance. Equally concerning is the fact that only 38 percent of global businesses have a specific implementation plan. This is due among other things to the imprecise wording of the data protection regulation, which is causing confusion and problems in implementation. Some degree of legal uncertainty is therefore to be expected in the early stages.
The new EU regulation
After lengthy negotiations, the new legal basis for data protection in the EU was adopted on May 25, 2016. With the introduction of the new EU-GDPR, there will be only one applicable law for all 28 EU member states. The aims of the regulation are on the one hand to protect the fundamental rights and freedoms of natural persons and on the other hand to enshrine their right to protection of their personal data as well as the free movement of these data (see Art. 1 GDPR). The new regulation will come fully into force on May 25, 2018, and that date is approaching fast. Companies must act now, as numerous measures are required to become compliant, and breaches of the GDPR or failure to meet the deadline can be costly for them.
What are personal data?
According to EU Directive 95/46/EC, personal data are "any information relating to an identified or identifiable natural person [...] who can be identified, directly or indirectly [...]" (see Art. 2 of Directive 95/46/EC). Data such as name, address, e-mail address, ID card number, IP address and information provided on gender, title, height, hair color etc. are therefore personal data. Information considered especially sensitive includes data on origin, politics, health, religion, ethnicity, trade union membership or sexuality (see section 3 par. 9 of the German Data Protection Act).
To whom does the law apply?
Fundamentally, the GDPR applies to any organization (e.g. legal person, public authority, institute etc.) that operates within the EU and processes personal data. The new regulation moreover also applies to non-European companies if they operate within the EU, and to data processing companies regardless of whether the data are processed within the EU (see Art. 3 GDPR). In the future, the marketplace location principle will apply: the new regulation applies if the service is aimed at a specific market within the EU or the data are processed on behalf of persons in the EU.
Strictly speaking, every company is affected, as organizations process sensitive data in the workplace almost every day: bank account details, telephone numbers, contracts, pay scales, etc. Companies are therefore responsible for the safety of their data and for that of the personal data of their employees and customers.
What is changing
The GDPR will standardize data protection law across Europe in order to give individuals better control of their data. Accordingly, the same data protection laws will apply in all EU member states in future; data protection "gray areas" will no longer exist in Europe. A major challenge for businesses is doubtless the implementation of data subjects' rights, that is, the rights of the people whose data they are storing. The new EU regulation thus brings new obligations for businesses. Less than half of all companies around the world have a concrete plan for implementing these obligations. There are six major areas that companies will have to consider:
1. Data protection through technology (Art. 25 GDPR)
Companies are required to define internal strategies and initiate steps to ensure data protection through technology (by design) and as a standard approach (by default). Possible measures include minimizing and pseudonymizing the processing of personal data. Furthermore, transparency must be established with regard to the functions and the processing of personal data, data subjects must be allowed to monitor the processing of their data, and the persons responsible for processing must be enabled to create and enhance security functions.
What measures have you already implemented, and what measures are still needed?
2. Accountability (Art. 5 GDPR)
Companies are required to ensure and demonstrate adherence to data protection regulations, for example through certification.
Has your company introduced a data protection program, and is your company able to demonstrate that it meets GDPR requirements?
3. Notification requirements (Art. 33 GDPR)
Companies are required to report data breaches (e.g. through hacking attacks) immediately, within 72 hours, to the competent supervisory authority and the affected data subjects. Failure to do so may lead to fines of up to 20 million euros or 4% of the company's global annual turnover.
Are corresponding processes implemented in your company to meet this requirement in a timely manner?
4. Data protection officer (Art. 37–39 GDPR)
It will become mandatory for all companies in Europe to appoint a data protection officer. According to the GDPR, the data protection officer's responsibilities include informing and advising the data controller or processor and the employees who carry out processing; monitoring compliance with the GDPR and national data protection provisions; awareness-raising and training; providing advice as regards the data protection impact assessment and monitoring its performance; and cooperating with the supervisory authority.
Do you know who your company's data protection officer is?
5. Data protection impact assessment (DPIA, Art. 35 GDPR)
A DPIA must be performed "[...] where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons [...]". The data protection officer analyzes the risks of the process together with the technology owners and then submits a declaration on the legality of the data processing.
Does your company regularly conduct data protection impact assessments for new technologies?
6. Penalties and fines (Art. 83–84 GDPR)
More severe fines and penalties are designed to deter companies from infringing data protection regulations and to make companies more aware of the fact that such offenses also violate the EU Charter of Fundamental Rights. Fines of up to 20 million euros or, for companies, up to 4% of annual turnover in the previous business year may be levied. Other penalties, such as seizure of profits, injunctions to end infringements, and permanent prohibition of data processing, may also be imposed.
Have you invested appropriately in your IT landscape in order to avoid such fines?
Do you want to know more? Be sure to read our whitepaper "Mastering the GDPR with Enterprise Architecture".