2017 may well be the Chinese year of the Rooster, but in the security industry so far it seems to be the year of the General Data Protection Regulation (GDPR).
Not a day goes by without inboxes filling up with invitations to presentations on the GDPR warning that the GDPR is coming and we better be ready! It feels like nearly every security vendor is promising products that will solve your GDPR issues.
You could be easily led into believing that the GDPR does not become law until May 2018. You would however be wrong as the reality is that GDPR is already here and became part of UK Law in May 2016 when the final version of the GDPR was published. As the UK Information Commissioners Office (ICO) has said “organisations should be well into their planning and transition to the GDPR”.
The GDPR is designed to enhance the data privacy rights of the consumer (the data subject), with the burden of proving compliance to all aspects of the GDPR firmly residing with the organisations providing services to the data subject.
So what does GDPR mean for organisations?
Much has been made of the potential fines. What organisations need to understand is that previous fines levied for breaching the UK Data Protection Act will be small in comparison to the fines that can be levied from May 2018 under the GDPR.
Future fines are more severe and fall into two distinct maximum level categories that account for the nature of the infringement. As many people, will already know the worst offences carry a potential administrative fine of up to 20 million EUR, or up to 4 % of the total worldwide annual turnover or on the lower scale (for lesser infringements) an administrative fine of up to 10 million EUR, or up to 2 % of the total worldwide annual turnover whichever is higher.
The GDPR clearly states that fines will be issued taking into consideration the nature, gravity and duration of the infringement. Organisations also need to be aware that the GDPR is clear that penalties are intended to be ‘effective, proportionate and dissuasive’ with the onus once again falling on the organisation to prove that they were not in contravention of the regulation.
Another clear challenge for organisations will be the role of the Data Protection Officer (DPO). There is within the GDPR defined criteria for organisations to consider to understand if they need a DPO or not. Many organisations will likely need to employ one.
Organisations must also consider several factors when appointing a DPO. The role is designed to be both an advisor on GDPR Compliance to your company, whilst also acting as the point of contact with the data protection supervisory authority, which in the UK is the ICO.
Organisations need to be clear that the DPO cannot have any conflict of interest within their role, which could include having an equity stake in their employer or even a performance related salary award as part of their remuneration.
The DPO should report to the board. Organisations need to understand that their DPO is obliged to report all data breaches or non-compliance with the GDPR to the ICO. They need to be clear they cannot influence or discipline their DPO in the performance of their duties. The DPO must remain independent and be able to ensure compliance with the GDPR. Organisations must weigh all the legal issues before making an appointment and ensure the role has the necessary level of seniority. It is clearly a challenging role.
Brexit adds an interesting and subtle potential new dimension to how UK businesses operate. The UK will need to adopt the GDPR as it comes into force before the UK exits the EU and the ICO has said as much. However what businesses need to realise is that the derogations within the GDPR only apply to EU Member states so UK business in theory will need to adopt the GDPR in full. It is unlikely the UK government have considered this point yet as part of the planning for Brexit negotiations. So, this is something organisations will need to impact against their operation.
Organisations still have time to transition to the GDPR. They have until May 2018 but there will likely be a lot of changes required to an organisations operation, how they manage and report risk, and how all areas of the business work together. GDPR will be a cultural change for many companies hence why company boards need to be aware, understand the implications, and budget for the change.
It is not too late to impact and implement the changes needed to comply with GDPR, and this is something our data privacy experts at Bridewell Consulting can help you with.
Call us today on 01189 255 084 for your free initial GDPR consultation or email at BC@BridewellConsulting.com