If your business processes personal data, then the General Data Protection Regulation (GDPR) should be of real concern. Failure to comply could result in fines of up to the higher of €20 million or 4% of aggregate global group sales.
GDPR imposes increased obligations on the handling of personal data compared to previous legislation. As such, its application from May 25, 2018 will impact most businesses within the EU economy but also businesses outside the EU who hold any data on EU citizens – and either way will continue to apply to UK businesses after Brexit. If you have yet to start preparations, then the deadline is drawing near.
What is GDPR?
The GDPR is the EU’s attempt to enhance the data security protection of EU individuals. Considering today’s data-rich environment, personal (and private) data is of increasing value. Similar to stock-in-trade, information is being easily bought and sold, globally, across many sources and platforms. This availability of data, along with an increase in data breaches, has led to some of the stringent requirements stipulated in the GDPR framework.
Personal data is the new currency in the digital age. Whilst GDPR might be seen just as a burden on business, this regulation should also be seen in the overall context of encouraging people to share their data and should ultimately give the consumer more power to exploit their currency. The Open Banking initiative is one example of how individuals could benefit from giving explicit consent to share their data.
The regulation aims to bring together all applicable laws on the use and processing of personal data. The goal is to increase corporate accountability on data processing and provide more robust data protection compliance. All companies providing services to EU citizens are subject to GDPR.
The GDPR is set to affect three key data areas:
- Rights of individuals
From May 25, 2018, any company that identifies data misuse or loss must notify all relevant breaches to the competent data protection authority (DPA) within a maximum 72 hours. In the UK, this is the Information Commissioner’s Office (ICO).
If these breaches have no impact or present no risk to the rights and freedoms on the part of the data subjects concerned, then no report is required. However, whenever misuse of data puts individuals at high risk of adverse impact, then the individuals must also be notified immediately.
The potential adverse publicity from such data breach will focus many businesses on the need for enhanced cyber security.
The individuals controlling and processing data and their service providers must maintain records about their processing activities. For many businesses, identifying the source and location of personal data will be one of the biggest and most time-consuming GDPR challenges. These records should contain information such as:
- data content;
- purposes of data application;
- data categories processed;
- categories of data recipients;
- data security measures adopted; and
- length of planned storage period.
Many companies engaged in processing personal data will be required to appoint a so-called Data Protection Officer, for instance if processing certain specified categories of data or performing on line behaviour tracking of individuals such as consumer preferences.
Rights of individuals
Many of the rights of individuals are enshrined in existing legislation. However there are new rights including the right to permanent erasure of all information held, and the need to obtain specific consent from individuals on opt-in basis regarding the collection and processing of their data, and with clear privacy notices which are no longer buried within the terms and conditions.
Why you need to be aware
The GDPR affects just about any economic entity, regardless of its scale and location. Any company that has its own payroll accounting department or a comprehensive customer administration system will be touched. It will also affect all companies that request personal data from customers.
Make a decent start
It will be a challenge for many organisations to be fully compliant with GDPR by 25 May 2018. However, organisations cannot afford to ignore GDPR requirements. The legal framework is maturing and interpretations still being refined, but we recommend organisations start their journey towards GDPR compliance as soon as possible.
Below are some high level suggestions on what organizations can and should do to ensure GDPR compliance:
- Appoint a senior manager to oversee the project
- Prepare a data inventory and data flow map
- Prepare a gap analysis
- Update data protection policies
- Review and update cyber security measures
- Review existing contracts with clients, suppliers and employees
- Review adequacy of consents previously provided
- Implement breach management processes
- Provide staff training.
- The changes are far-reaching: it is almost unthinkable to consider a company existing without the personal data of customers, suppliers or employees - and the existence of such data should trigger a review to ensure GDPR readiness.
As part of Nexia International, we have the combined resources to enable the delivery of GDPR advisory services to our international clients.
By necessity, this briefing can only provide a short overview and it is essential to seek professional advice before applying the contents of this article. This briefing does not constitute advice nor a recommendation relating to the acquisition or disposal of investments. No responsibility can be taken for any loss arising from action taken or refrained from on the basis of this publication. Details correct at time of writing.
This article was previously published on Smith & Williamson prior to the launch of Evelyn Partners.