What is the GDPR?
On May 25th, 2018, the General Data Protection Regulation (GDPR) finished its two-year transition period and became fully applicable. The GDPR replaces the outdated 1995 Data Protection Directive (DPD) by updating the rules for how organisations collect, handle, process, and protect an individual's personal data.
The DPD was an attempt to govern data protection across the EU. Since 1995, the ways in which organisations collect and process data have changed drastically. In 1995, the Internet had only recently emerged and was available, through dial-up, to only .04% of the global population. While mobile phones had been invented nearly twenty years earlier, only 16% of British citizens owned one.
Over the last two decades, Internet and mobile phone usage has radically altered the world. Today, 48% of the world has Internet access and a variety of options and devices for connecting to it. Mobile phone ownership in the UK has grown by 80%, and consumers can now access the Internet through mobile 4G networks.
The prevalence of the Internet has allowed organisations to collect even more data about consumers. Organisations now have access to everything from consumers' geo-location to bank account and credit card information. As our lives become increasingly monitored by organisations, new laws are required to address new technologies and ensure the protection of personal data.
How is the GDPR different from the DPD?
The GDPR supersedes the DPD and widens the definition of personal data. The GDPR expands the examples of data considered personal to include IP addresses, mobile device identifiers, geo-location data, and biometric data. To collect and process personal data, organisations must tell individuals specifically what the data will be used for and must have a lawful basis for the processing; the lawful bases set out in the Regulation include the individual's consent, performance of a contract with the individual, compliance with a legal obligation, and the organisation's legitimate interests.
The GDPR also seeks to give individuals in the EU greater control over how their data is used. Organisations need to provide clear, specific explanations of how they will use individuals' information and, where no other lawful basis applies, must obtain consent. Individuals have the right to request a copy of the personal data held about them and how it is being processed (the right of access), and the right to have it erased (the "right to be forgotten") where no lawful basis to retain it remains.
These new data laws should give individuals better protection online.
Who must comply?
GDPR compliance is required of any organisation, wherever it is headquartered, that is established in the EU or that offers goods or services to, or monitors the behaviour of, individuals in the EU. For example, an organisation located in the USA that operates within the EU and collects data on European individuals, such as an e-mail address or credit card number, will need to comply with the GDPR.
Organisations that process personal data must keep records of the data they hold and what they do with it. Organisations with fewer than 250 employees may be exempt from this record-keeping obligation if their processing is only occasional, does not involve special categories of sensitive data, and is unlikely to put individuals' rights or freedoms at risk. Even where the exemption applies, keeping these records is good practice.
Any organisation that determines why and how personal data is processed is a Data Controller and is responsible for complying with the GDPR. Organisations that process data on behalf of a Data Controller, without deciding what is done with it, are Data Processors and, unlike under the DPD, they too have direct obligations under the GDPR. Data Controllers and Data Processors may need to appoint a Data Protection Officer (DPO), a suitably qualified person who monitors the organisation's processing of personal data. A DPO is mandatory only if the organisation is a public authority, or if its core activities involve regular and systematic monitoring of individuals in the EU on a large scale, or large-scale processing of special categories of personal data. Organisations that are not legally required to appoint a DPO should still consider naming someone to take responsibility for compliance with the GDPR and other data protection requirements.
Data Controllers and Data Processors are each responsible for ensuring that the GDPR is complied with, and each may be fined for an infringement, including a personal data breach that results from inadequate security or that is not reported to the supervisory authority within the required 72 hours.
When will the GDPR go into effect?
The GDPR has applied since May 25th, 2018; organisations were expected to be compliant by that date.
How much will it cost to comply?
Ensuring that your organisation complies with the GDPR requires substantial investment. Fortune 500 organisations were expected to spend a combined $7.8 billion updating their data protection processes. The GDPR has the biggest impact on financial and tech sector organisations, and medium-sized organisations in these sectors were expected to spend an average of $550,000 on compliance.
With such hefty outlays, many organisations struggled to meet the May 25th deadline. An Ovum survey reported that nearly 52% of organisations expected to miss the GDPR deadline and, as a result, could face substantial fines.
What happens if your company does not comply?
Organisations that do not comply with the GDPR may be fined up to 20 million Euros or 4% of worldwide annual turnover for the preceding financial year, whichever is greater. Avoiding GDPR fines is, for good reason, a priority for every affected company.
Lesser infringements carry fines of up to 10 million Euros or 2% of worldwide annual turnover, whichever is greater.
Fines are not reserved for wholesale non-compliance. An organisation that is otherwise compliant can still be fined for a specific lapse, for example not appointing a DPO where one is mandated, failing to secure personal data appropriately, or failing to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it.
Can you insure against GDPR fines?
With such significant GDPR fines, it is reasonable to consider insuring your company against data breaches. Heavy financial penalties could easily bankrupt an SME or even a larger organisation. Cyber insurance policies typically cover only fines that are "insurable by law", and whether a regulatory fine such as a GDPR penalty can lawfully be insured varies by jurisdiction, so a general policy is unlikely to cover GDPR fines and specialist GDPR cover may be appropriate.
Many grey areas remain regarding GDPR insurance, and clear answers are likely to come only from court decisions now that the Regulation is in force. Avoiding non-compliance in the first place is, therefore, the best way to protect your company against the hefty GDPR fines.