New EU rules raise the stakes on data protection
GDPR will strengthen data protection for individuals and simplify the regulatory environment by establishing a unified standard across the EU. But it poses significant challenges for companies.
To be successful on the business side, a data protection officer needs to be a facilitator and a communicator because they need to be able to bring everyone in the business on board to focus on privacy and data security.
White & Case partner Detlev Gabel, Bloomberg
Enforcement of the EU’s General Data Protection Regulation (GDPR), which was first published in April 2016, starts on May 25, 2018. GDPR represents a major change in how lawmakers think about privacy, and the rules affect almost all of the ways that organizations process personal data. Three points highlight the size of the challenge that GDPR presents for organizations—particularly compared to previous regulations, which were put in place in the 1990s:
Wider, global scope
Every organization that is established in the EU is subject to GDPR (EU member states generally cannot interpret the rules in light of national laws, except in a limited number of narrowly defined circumstances). Moreover, organizations that are not based in the EU are subject to GDPR if they customize their offering of goods or services to individuals in the EU (e.g., by using local EU languages, currencies and web addresses) or monitor the behavior of individuals in the EU.
Higher bar for compliance
GDPR requires greater openness and transparency, imposes stricter limits on the use of personal data and gives individuals more rights to enforce the rules against organizations. GDPR may limit the ability of organizations to lawfully process personal data, and this could have a significant impact on an organization’s business model.
Higher penalties for violations
GDPR dramatically increases the maximum penalties for non-compliance to €20 million or 4 percent of the organization’s worldwide revenue, whichever is higher. The penalties were deliberately set at a high amount to attract C-suite attention. GDPR affects a wide range of activities and covers all business sectors. It is vital for organizations to consider the practical impact that it will have on their operations.
Five steps toward GDPR compliance
Given the May 2018 deadline for enforcement, what should companies do if they have hardly begun to prepare for GDPR? First off, don’t panic. The rules are complicated but companies can get started down the road to compliance, and make good progress on the most important issues, by prioritizing five critical activities.
- Set up an appropriate data protection team, which may include, either on a mandatory or voluntary basis, the appointment of a data protection officer (DPO).
- Conduct a gap analysis and create a comprehensive compliance roadmap with clear tasks, responsibilities and milestones.
- Generate quick wins by meeting easy-to-complete requirements such as updating or creating privacy policies, notices, contracts with customers and vendors, and other key documentation.
- Prioritize issues that are likely to be the focus of attention—for the media, consumers and authorities—and that may lead to high penalties, such as handling data breaches, complying with the rights of data subjects and ensuring adequate safeguards for the transfer of personal data to countries outside the EU.
- Build awareness of GDPR and its business and operational impact throughout your organization.