The General Data Protection Regulation has some key differences from 1995’s Data Protection Directive, even if the principles are the same, Esther Franks – a senior associate at law firm Latham Watkins – told attendees at a Computing event last week.
The GDPR is a single overarching set of laws that will apply to all companies operating in the European Union – even those that are based in non-EU countries. Perhaps the biggest difference is that the same rules will apply everywhere, while under the DPD member states had some discretion about transposing the Directive into internal law. “Theoretically, that makes regulation easier because each country will have the same laws,” said Franks.
The principles of both the GDPR and DPD are the same, but a quick poll of the room, plus LW’s own research, showed that “not many” people are compliant with all of them. Some of the key changes include the necessity of data protection by design and default; transparency; and data breach notification.
Franks highlighted the tricky issue of data portability, another change that allows consumers to request their data from one company and transfer it to another. This will normally be a competitor, but nevertheless the move must be free.
Preparation is essential to avoid the worst fines
Every business, large or small, is justifiably concerned about the potential for fines that accompany the GDPR. These come in two ‘levels’: up to €10 million, or two per cent of global annual turnover; or up to €20 million, or four per cent of turnover. The second level is reserved for significant offences like data breaches. “This is just the tip of the iceberg,” said Franks. “There could be other financial damage in people claiming damages or reputational damage, too.”
James Donnelly, senior director at Alvarez Marsal, reassured the audience that the maximum level of fines will only apply to companies that have consistently been shown to be in breach of the regulations. Minor breaches will not be subject to the maximum level – a good thing, as another show of hands showed that no-one in attendance was fully compliant with the DPD, which has stood as law for almost two decades.
It’s not going to be the IT team responsible for your company’s data
Donnelly reiterated the importance of recruiting a data protection officer, rather than relying on the IT department: “At the end of the day, data is created by lines of business like sales, marketing, HR and finance; it’s totally different from IT,” he said. “That data doubles in size every 12 to 18 months, and companies have been keeping it because storage is so cheap. That’s not good enough any more; companies must have processes in place to discover, identify and classify identifiable data; cleanse valueless or right-to-be-forgotten data; and remediate valuable data to a secure archive, when required by regulation.
“You could start doing this in a very manual way, but in the long term you’re either going to have to employ a lot of people or look at automated tools.”
The head of the ICO, Elizabeth Denham, has said that she doesn’t expect everyone to be compliant by the GDPR deadline, but does expect them to have a risk assessment plan; “And if you don’t, God help you,” said Donnelly (we are tracking down the source of the quote by Denham). The ICO wants to know what is unique to your business and to ensure that you are complying with the spirit of the regulation, not just the letter.
Everyone in the audience agreed that the GDPR was a good move (even if they are still far from compliance), and Donnelly called the regulation “a shield and sword”: compliance can be used as a selling point; but the GDPR can also be used to bring litigation against organisations that are poor stewards of data. Make sure that you’re in the first group.