With the official announcement of the General Data Protection Regulation (GDPR), the world will see the biggest change in data protection regulation yet. The GDPR introduces among others significant fines for breaches of data protection regulation and an obligation to report breaches. The GDPR will have an effect on all organizations dealing with data of EU citizens.
The GDPR came about after more than four years of deliberations and discussions and will be applicable starting from early 2018. The GDPR consists of a number of marked changes compared to the current EU Data Protection regime. Let us have a closer look at the three most impactful changes.
With the GDPR, failure to comply with one or more provisions of the regulation may lead to fines that can amount to EUR 20 million or 4% of global annual turnover, whichever is higher. This is a big and serious change from the limited sanctioning possible under the old EU data protection regime, where the risks of financial sanctions were insignificant for most organizations.
Right before announcing the GDPR, the European Data Protection Supervisor, Giovanni Buttarelli, stated,”Data protection will be the new anti-trust”. Under EU anti-trust legislation, or ‘competition law’ as it is often called in Europe, fines for non-compliance can be as high as 10% of the global annual turnover of a company. This has regularly led to fines of tens of millions for major organizations for alleged breaches of competition law. As a result, in today’s business world, anti-trust considerations are of vital importance for organizations worldwide and lie at the heart of organization’s strategic decision making. We foresee a similar situation once the GDPR becomes applicable.
Extended geographic reach
Under the former EU data protection regime, organizations were only in scope if they were either located within the EU or made use of (automated) equipment that was located within the EU. With the GDPR, the geographic reach of the legislation has been extended to ‘all organizations offering goods or services to EU citizens’ and ‘organizations that monitor (online) behavior of EU citizens’. Hence, organizations that do not have any branches or processing equipment in the EU could also come into scope of the new EU data protection regulation.
The expansion of the scope of the GDPR should not be underestimated. Many non-EU organizations currently serve EU citizens, but have not seriously implemented requirements of EU data protection legislation because of their limited activities in the EU. With the GDPR, the emphasis is on the protection of the personal data of EU citizens, regardless of where the data is processed. This will mean that many more organizations will be bound by EU data protection regulation and for EU citizens, an increase of their overall data protection and privacy.
Data Protection by Design
Under the former data protection regime, organizations were already required to have ‘appropriate technical and organizational measures’ to protect personal data. Under the GDPR, organizations will now have to demonstrate that measures are continuously reviewed and updated. Additionally, organizations must now demonstrate that the appropriate measures are included in the design of processing operations and that by default, personal data are only processed where necessary. Related to this, under the GDPR, organizations should carry out a Data Protection Impact Assessment on the envisaged processing operations, in the cases where processing is likely to lead to high privacy risks.
These Data Protection by Design requirements cover the essence of data protection. Mere policy updates for data protection compliance will no longer suffice. Organizations will no longer be able to get away with covering data protection compliance as an afterthought. The GDPR requires organizations to include data protection considerations in the core of their business when developing new solutions and services. This will lead to situations where products or services are deliberately not launched before its data protection risks are resolved and citizens’ privacy can be guaranteed.
In the past few years, we have often seen examples of digital services and products that stretch and even transgress the limits of data protection compliance and data protection regulators opposing to that to limited avail. Because of this, we repeatedly had to conclude that data protection regulation and compliance does not have the effect that many citizens demand in the current digital age. With the GDPR, this will fundamentally change. From now on, organizations will be required to include data protection considerations into the core of their business activities. Rather than just adapting their policy framework to the new regulation, organizations are now faced with the challenge of having to demonstrate effective data protection controls throughout their organization and even those of suppliers. Data protection will become a main agenda item of boards of organizations and data protection failures will feature prominently in the newspapers. These changes will happen in the near future – 2018 is here faster than we think.
- Factsheet: Towards effective Data Protection
- Article: Invalidation of Safe Harbor: Where to dock Swiss data?
- CIO Advisory Services at KPMG