A bluffer's guide to GDPR

Written by: Kirsten Morel Posted: 09/03/2018

As the implementation date for the EU’s General Data Protection Regulation approaches, Businesslife looks at what it entails and why firms need to be sure they’re ready

As the most ardent Brexiters are discovering, the UK’s exit from the European Union won’t mean an end to the enactment of EU laws and regulations by Westminster. At best, it will mean the creation of UK-equivalent laws that, in order to maintain trade and services with the world’s largest free market, will essentially be copies of EU mandates.

One of the clearest examples of this is the European Union’s General Data Protection Regulation (GDPR), which comes into force on 25 May and must be complied with in the UK if businesses want to trade with EU citizens. 

It can be argued that the new data protection regulations swing the pendulum away from businesses and towards consumers. But however you interpret their effects, with the Channel Islands adopting their own equivalents, organisations of all sizes have to be aware of the changes that will hit them in May.

We spoke to five Channel Island-based experts to find out more about GDPR and its likely effects.

What is GDPR and who will it protect?

GDPR is Europe’s new framework for data protection laws – it replaces the previous 1995 Data Protection Directive. 

“GDPR recognises the increased need for control and management over what organisations can do with private information,” explains Elaine Gray, Partner at Carey Olsen. “It couples this with a more rigorous enforcement regime for those who don’t follow the rules. 

“The new regime is designed to integrate privacy considerations into the heart of how every organisation operates and to give individuals much better control over who gets their information and what they can do with it.”

Why is it being introduced?

The reality is that the old rules were no longer fit for purpose. The amount of digital information we create, capture and store has increased massively in recent years. 

GDPR isn’t aimed at creating new legal controls but “updates and improves the current regime” created by the 1995 Directive, says Emma Martins, Data Protection Commissioner for Guernsey.

“It strengthens our rights in this digital era, which has seen an explosion in the amount of data being processed about us. It’s designed to be technology-neutral to ensure that it’s future-proof in this fast-evolving environment. It recognises that there are certain fundamental principles which should apply around the handling of our information.”

How does GDPR differ from its predecessors?

“Organisations that handle personal data (data ‘controllers’) now have increased responsibilities to process data in an accountable and lawful manner,” says Martins. “They will have to report any breaches to the regulatory authority, which is a completely new requirement. Also, for the first time, there are statutory duties for data ‘processors’ (organisations that process data on behalf of data controllers). 

“More and more organisations benefit from relationships with providers, whether that’s for cloud services, financial administration or HR support. It will be more important than ever to ensure that such providers understand their own legal duties and that the contractual agreements between data controllers and data processors reflect the new requirements.”

For Gray, GDPR’s focus on individual rights and greater transparency about the use of data are some of the key differences. “Under the old regime, individuals had a right to obtain certain information about their data and to get copies of this. These rights are considerably enhanced under GDPR, with individuals being able to force a business to hand over information about how it’s using the individual’s data and why. 

“This also requires businesses to explain whether the individual is required to give their data and the consequences if they don’t do so.”

Does GDPR include penalties for non-compliance?

GDPR gives regulators the opportunity to levy considerable fines for breaches, but Sara Johns, Partner in Ogier’s corporate team, believes this power will be used sparingly.

“The proposed penalties of up to €20 million or four per cent of global annual turnover (whichever is higher) have attracted the headlines and forced commercial organisations to take the law seriously, which was the intention. In reality, fines at that level are only likely to be levied in the most egregious cases.”

Martins also sees the headline-grabbing fines as detracting from the real purpose of the laws. “If we spend all our time and energy doing something solely to avoid legal or financial sanction, we’re focusing on the wrong thing. Rather than seeing this as a burden of regulatory compliance we need to embrace it as an essential part of doing business in the 21st century. 

“Doing data protection well underpins good business models and successful economies. Data is the most valuable, non-consumable asset any organisation has and needs to be looked after as such.”

How will businesses be affected and what action should they take?

All non-domestic processing of data is covered by the new regulations, but because businesses should already be in compliance with existing laws, companies aren’t in the position of having to start from scratch when considering GDPR’s ramifications. Each organisation will also have its own data profile, which means that there’s no one-size-fits-all solution.

“The scale of change facing businesses hinges on the kind of personal data that they hold, and what they do with it,” says Johns.

“It’s hard to imagine a business of any kind that doesn’t have a database of customers – but some businesses will go significantly further than a list of names and addresses, and may need to hold health or financial information. They will need to take more care in how they process, store and use that data.”

With GDPR’s greater scope for sanctioning organisations when they fail to meet the new standards, Kate Sole, Programmes Manager at GTA University Centre, says companies should take time to review their processes and third-party relationships.

“For many businesses, this means appointing a data protection officer, training existing staff in data protection, or employing external contractors to support them through the change,” she says. “Ideally, all businesses by now should have a clear plan in place that will prepare them for compliance by 25 May, including performing data audits, reviewing their data privacy policy, reviewing policies and procedures, running staff awareness sessions and so on.”

There’s certainly work to do, but as Jon McCulloch, Enterprise Sales Director at Sure, points out, organisations don’t need to do it all by themselves. “GDPR is new and certainly has more teeth than its predecessors, but that doesn’t mean compliance has to be a burden,” he says. 

“Firms can achieve the majority of GDPR’s requirements by working with trusted third parties that not only understand the implications of the new law, but which also have the resource to ensure compliance.”

Is GDPR just an information technology issue?

McCulloch says not. “GDPR compliance requires a business-wide transformation of privacy and governance operations wherever personal data is stored or processed. Given that this will include customer records, databases, CRM systems and ERP platforms, technology certainly plays a role in protecting personal data. 

“Organisations need to review their data security culture as well as the adequacy of their systems in order to become GDPR-compliant. In practice, this means that organisations using data centres and cloud services to process data must ensure that their providers comply with GDPR. Companies should confirm that their providers offer ‘GDPR-ready’ contracts that contain the relevant EU ‘model clauses’ to ensure compliance.”

For Sara Johns, GDPR is about the people within an organisation and the way they perceive the importance of data security. “Fundamentally, GDPR is a cultural, not an IT issue,” she says. 

“Businesses can’t survive without data about suppliers, customers and staff. This legislation seeks to acknowledge that, and to create responsibilities and rights to reflect the importance of data in an era in which it can be transmitted very easily and quickly, with potentially serious consequences.

“It also acknowledges the weakest link in information security practice tends to be people and behaviour, not a lack of sophistication in firewalls.”

With so little time left, is everyone ready?

GDPR has been the subject of business media attention for well over a year, but that doesn’t mean every business is going to be ready. “In November of last year, [technology solutions provider] Thales stated that two out of every five UK companies responding to their survey didn’t think they would be ready, so it’s unlikely,” says McCulloch.

On the other hand, Kate Sole has seen demand rising for GDPR courses in Guernsey, which suggests that local awareness in the Channel Islands may be higher. “Judging from the intake on our GDPR training courses, there are a large number of people and organisations locally who are preparing themselves appropriately.

“Of course, we’re just seeing part of a bigger picture, but hopefully everyone who’s attended training courses in this area is sharing their knowledge with colleagues and is confident that they’re ready for 25 May.”

How has GDPR been received?

Regulation creates opportunity and while businesses may not be keen on having to implement GDPR processes, Sara Johns believes that there are positive factors to be taken from its introduction.

“Few businesses tend to welcome additional layers of regulation, but in this case there are definitely opportunities for companies who adopt gold standard policies and practices in complying with GDPR.  

“The public are much more aware of the value of their data and much more attuned to how they can expect it to be handled, so they’ll choose who handles it accordingly. Those businesses that embrace the cultural importance of GDPR as a means of safeguarding data in our digital age will see it as a positive that brings its own benefits.” 
