On December 15, the European Parliament and Council announced that, after years of negotiating, they’ve reached an agreement on a consolidated text of a brand-new General Data Protection Regulation. The GDPR is here!
The Luxembourg Presidency of the Council of the European Union called it a historic agreement.
In contrast, Green MEP and rapporteur Jan Philipp Albrecht called it a major step forward for consumer protection and competition, ensuring Europe has data protection rules that are fit for purpose in the Digital Age.
Some of the 200-page document’s major provisions include:
- The law applies to any controller or processor of EU citizen data, regardless of where the controller or processor is located.
- Breach notifications for breaches involving “significant risk” for data subjects must be made within 72 hours of discovery.
- Data protection authorities are granted more powers, including issuing fines of up to 4% of an organization’s annual revenue.
- Many organizations will now be required to appoint a data protection officer.
- Data processing may only occur with explicit consent unless certain conditions exist.
The GDPR is Here: the Time for GDPR Compliance is NOW
For those who’ve been closely watching the various iterations of the text in the three years since draft one entered the scene, there may be a few surprises—though the change in age for children’s consent to 16 was a doozy, wasn’t it? Whether you’ve been glued to the news or this is the first you’ve heard of the regulation, veterans in the field agree the time to daydream is over.
The text is here, and the time to move is now.
“With the threat of fines up to four percent of global turnover looking large, no one wants to be caught out,” Field Fisher’s Phil Lee, CIPP/E, said.
While Parliament and the Council still have to formally adopt the text and implementation will come two years after that, what must happen now for some companies is no small feat.
“The significant nature of the changes, from revising internal policies, procedures and notices, to appointing DPOs, to instituting data breach management notices, to revising contracts, really means that companies need to begin planning now,” he said.
Difficult Changes Ahead for Companies Outside of the Existing Directive
Lee said the changes will be most difficult for companies that have been outside the scope of the existing Directive. First, businesses should figure out if they’re subject to the law to begin with, and then get to work remediating.
Privacy strategist Bob Siegel, CIPP/US, CIPP/C, CIPP/E, CIPM, CIPT, president of Privacy Ref, says that’s exactly what he’ll tell his clients: Get moving.
“Start looking at what the impact to business is going to be,” he said. “I think people now are going to have to realize it’s a reality and address those requirements.”
What’s Step One?
“The first thing I would do is to put together a cross-functional team; the privacy office, inside or outside counsel, IT and compliance [if it sits outside of those groups] to create an understanding of what the plan will be over the next 18 months to two years to begin implementing those changes,” Siegel said.
Director of TrustArc’s consulting group, Eleanor Treharne-Jones, CIPP/E, agreed that a good place to start is to meet with the privacy management committee, if there is one, to establish the kind of initial work that should be done and who should be briefed first.
Treharne-Jones said TrustArc’s research found 40% of companies would allocate budget toward the GDPR once the change had passed but before it went into effect. So for many, it may be a case of acquiring budget before progress toward compliance.
But it’s not necessary to wait for the funds to roll in before taking steps toward compliance, Treharne-Jones said, including briefing the board and senior management. For some, it’s been a question of how to package the GDPR as a priority in C-suite agendas.
K Royal, CIPP/E, Vice President and Privacy Counsel, said companies who may have previously thought their privacy officer a bit of a Chicken Little, worried the sky might be falling without reason to believe so, are now realizing the sky is in fact falling.
While Safe Harbor’s recent invalidation may have woken some companies up that slept through warnings about regulatory changes to come, the GDPR ruling got them out of bed entirely.
“With the GDPR, it’s going to be a case of any privacy officer that has been keeping their company posted along the way is probably about to become a lot more respected and listened to,” Royal said.
“For many people, data protection is still not high on the C-suite agenda, but there’s potential this [regulatory change] will push it there.”
Privacy Pros Need to Prepare with the Right Messages
But Treharne-Jones said having the respect and attention of the C-suite means your messaging has to be on point, and privacy pros need to be careful how they go about their messaging for implementing changes. That means having an understanding of what’s in the final draft before you go barging into the CEO’s office, as well as appointing a project owner if there isn’t one already.
“That’s one of the key things needed before you even start the budget process,” she said.
Royal agreed, saying pros must read the new text. All of it. Know the rules.
David Smith, formerly deputy commissioner at the UK’s Information Commissioner’s Office, said the political agreement means a major milestone has been passed and the end is in sight.
“Now that the shape of the regulation is clear, it’s time for CPOs to start preparing. This includes putting in place their arrangements for compulsory breach notification both to data protection authorities and to affected individuals, carrying out privacy impact assessments and being able to account for the effectiveness of their data protection compliance programs,” Smith said.
3 Key Critical Actions
Beyond that, Royal said there will be three key actions that will be critical to companies now, especially U.S. companies.
First, you must map your data.
Where’s it coming from? Why are you collecting it?
Next, it’s time to stop collecting data you don’t have a legitimate purpose to collect and stop using data for something other than what it was collected for.
“I think that’s going to have the biggest impact on U.S. companies, controlling the data,” she said.
“In the U.S., we just love data. Even if we don’t know what we’re going to do with it now, we just love it. It’s like gold panning in the rivers, when you just pick out what you have and take the gold nuggets. Well, we just gotta start throwing the rest of it in the river.”
Lastly, companies are going to need to prep by taking a look at relationships with third-party vendors and ensuring none of those relationships mean you risk non-compliance with the rules.
Companies that already have BCRs should be in decent standing, though they’ll need to go beyond the provisions of most BCRs to comply with the GDPR. But they likely won’t have as far to go as companies that haven’t had to reach compliance agreements with European supervisory authorities.
Siegel added that moving toward compliance with the final regulation is complicated further by the fact that the next version of Safe Harbor, the Transatlantic Data Protection Framework, is still being negotiated.
“So while having this laid down is good, there’s still a question of how to legally export data from Europe, and people are going to have to keep an eye on Safe Harbor while they’re doing this as well. They may find themselves having to pay attention to some things more than others, more than they may have had to do so six months ago.”
In any case, all agreed the time to act is the present.
After all, Smith said, “The next two years will pass very quickly!”
This article was first published in the IAPP Privacy Advisor.