Any company handling the data of EU residents should start preparing now for its stringent new data-protection rules
This article was first published in the May 2017 international edition of Accounting and Business magazine.
The digital economy is built on the collection and exchange of customer data, including large amounts of personal data – much of it sensitive. For the digital economy to grow, there has to be public confidence that this information is protected.
This is the context for new EU data protection rules that are due to come into force on 25 May 2018. As a regulation rather than a directive, they replace the 1995 data protection directive directly, without any enabling legislation having to be passed by the bloc’s national governments, and they extend the scope of EU data protection law to foreign companies that process the personal data of individuals in the EU when offering them goods or services or monitoring their behaviour. The rules are designed to strengthen the privacy rights of European citizens and to make businesses more accountable for data protection.
According to Andrus Ansip, the European commissioner for the digital single market: ‘With solid common standards for data protection, people can be sure they are in control of their personal information. And they can enjoy all the services and opportunities of a digital single market. We should not see privacy and data protection as holding back economic activities. They are, in fact, an essential competitive advantage.’
A single regime
There are currently 28 different data protection regimes across Europe. The new legislation will replace that patchwork of rules with a single pan-European piece of legislation.
The general data protection regulation (GDPR) applies not only to EU businesses but to any business that offers goods or services to individuals in the EU, or that monitors their behaviour there. Failure to comply with the new rules could result in fines of up to €20m or 4% of total annual worldwide turnover, whichever is higher.
While businesses will recognise many of the principles enshrined in the GDPR, the regulation includes new measures and enhancements that will affect systems and processes across all business units.
Among the changes that will be coming into force in May 2018 are the introduction of data protection impact assessments, mandatory appointment of data protection officers for certain organisations, more stringent rules for obtaining consent to collect and use personal data, direct obligations on data processors as well as on data controllers, mandatory notification of personal data breaches (to the supervisory authority within 72 hours of becoming aware of the breach, where feasible) and the introduction of substantial fines for failure to comply with the GDPR.
Meeting these requirements will be a challenge for many businesses, according to Pat Moran, a PwC partner.
‘The GDPR introduces widespread changes to the current regulations, which were last enacted in 1995,’ he explains. ‘For example, an organisation handling another organisation’s EU personal data will now be directly liable under the GDPR for failure to meet certain obligations.
‘It impacts processes across all business units, from marketing to sales to IT. It will need careful consideration and collaboration with all heads of functions involved to ensure every aspect of the regulation is adhered to by 25 May 2018. Additionally, the regulation adds genetic data and biometric data as sensitive and requiring special measures and increased protection.’
The GDPR gives individuals enhanced rights over the processing of their personal data and imposes corresponding obligations on organisations that collect that data. Individuals will have the right to have their data deleted or transferred to alternative service providers, and will be able to sue for material or non-material damage arising from data breaches. They will also be able to participate in group litigation.
For businesses, the operational and technical difficulties of complying with the GDPR will include knowing when an individual’s data should be recorded and when it should be removed.
Moran says: ‘Organisations will need to have sophisticated technologies in place to ensure an individual’s data remains private, and if [they are] no longer a customer that it is correctly deleted from records. This requires detailed technical abilities, and companies need to act now in order to get ready to comply.’
Non-EU businesses that offer goods or services to EU consumers will also have to comply with the GDPR. ‘The regulation applies to any organisation doing business in the EU,’ explains Moran. ‘This includes those organisations with no establishment in the EU, but which are selling goods and services there. For example, a US retailer or technology company that markets its products or services online to customers based in the EU will be impacted. The new law also applies to those service providers that handle information about individuals in the EU on behalf of other organisations, even though those organisations may not be based in the EU.
‘Organisations and their marketing functions will need to be very vigilant and be conscious when and if these new regulations apply to them and have the appropriate processes in place.’
Getting up to speed
With just a year left to prepare, businesses will need to get up to speed quickly. Mazars partner Liam McKenna says: ‘If they haven’t already started, organisations should begin now to review their internal procedures and controls in light of the impending changes under the GDPR, and consider what amendments to procedures will be required and what other measures should be taken to ensure they are GDPR-ready. The penalties could be severe for those who do not comply.’
Daisy Downes, journalist
‘Organisations will need technologies in place to ensure an individual’s data is private and is correctly deleted if they are no longer a customer’