Tresorit guest blogger Regina Mühlich (AdOrga Solutions München) is a sought-after German expert, consultant and author for data protection and quality management. As a certified specialist, she provides companies with consultancy services in data and IT security. In our blog, she explains the changes European entrepreneurs can expect with the EU General Data Protection Regulation, the legal requirements that IT departments have to comply with, and how SMBs can start preparing for GDPR.
There have been various heated debates about the new EU General Data Protection Regulation (GDPR) over the last four years. This new regulation aims to unify national legislation regarding data protection for individuals on a European level. GDPR reconciles and replaces scattered national data security laws. For national lawmakers, however, certain areas of regulative freedom remain, which need to be addressed before the GDPR is put in force. From the 25th of May 2018 onwards, the same standards will apply to all countries within the EU. But where do we go from here? What remains the same, and what is going to change?
WHAT DOES GDPR CHANGE FOR BUSINESSES?
Is the GDPR really stricter than its predecessor? This is a controversial issue, and the answer depends – as is often the case – on the individual company’s and country’s point of view. The EU gets involved in many affairs:
1. SANCTIONS AND FINES
Even though fines have hardly been an issue in the past, Brussels is now getting serious about sanctions, which are supposed to be “effective and dissuasive”. If companies or businesses do not comply with the new regulations, they are at risk of substantial fines, e.g. up to two percent of their turnover or 10 million Euro in the case of violating organizational rules. A future breach of admissibility and of the rights of the person concerned will result in a penalty of up to 20 million Euro or four percent of the company’s global turnover.
2. BURDEN OF PROOF AND INFORMATION
Businesses must introduce effective data security guidelines and train their employees to comply with these. An effective data security management system, including risk assessment, structures, protocols, monitoring and change management, will become a necessity. Moreover, employers will have to inform employees about their data processing in a more detailed and timely manner. Breaching these obligations will result in considerable fines.
3. DATA SECURITY IMPACT ASSESSMENT
The Data Security Impact Assessment is another new obligation. If a business introduces new technology, software or data processing systems, it needs to assess and evaluate any arising risks for the individuals affected by the changes. This regulation is meant to prevent any violation of fundamental rights due to conflicting interests and roles of the parties involved. Thus a company has to carry out and document a detailed preliminary review and, if the data processing is highly likely to result in an infringement of the personal rights and freedoms of affected persons, potentially coordinate the assessment with the data protection authority.
4. GLOBAL JURISDICTION OF THE GDPR
The General Data Protection Regulation will not only apply within the European Union, but is intended to have global reach. Therefore, even businesses outside the European Union – be it in Switzerland or the USA – have to comply with the European Data Protection Regulation if they process data of European Union citizens or offer them goods and services.
NEW RIGHTS FOR AFFECTED INDIVIDUALS
Data protection suggests that data is protected. GDPR’s true and foremost objective though is to protect all people who generate the data. As a logical consequence, the GDPR primarily focuses on strengthening the rights of affected individuals. This will become a major challenge for businesses.
1. RIGHT TO BE FORGOTTEN
In cases where data has been published, appropriate – and potentially technical – measures have to be implemented so that third parties can be informed about a request for data deletion. Thus, in the future, users will have the right to have information deleted more easily.
2. DATA PORTABILITY
Another new right is Data Portability: every person affected is entitled to a copy of processed data, which has to be handed over in a standardized and structured format. This regulation is likely to cause substantial extra workload and costs for small and medium-sized businesses. Data Portability also applies in cases of terminated employment.
3. EMPLOYEE DATA PROTECTION
EU member countries will have more individual flexibility in the area of Employee Data Protection, for example on the question of when monitoring of employees meets the statutory definition. We will have to wait and see how national lawmakers make use of this flexibility.
4. DATA PROTECTION BY DESIGN AND BY DEFAULT
The concept of “Privacy by Design” has been introduced to guarantee a new technology’s compliance with data security and protection already at its design stage. The aim is to protect the users’ privacy and give them control over their data.
“Privacy by Default” is similar to “Privacy by Design” on a technical level: a product’s settings have to be “data-security-friendly” by default (e.g. the setting of cookies is prohibited or only permitted with the user’s consent).
WHAT CAN BUSINESSES DO FOR NOW?
It is advisable that businesses already start preparing for the implementation of the new EU General Data Protection Regulation now, in order to avoid unpleasant surprises in May 2018:
- All of the above will result in (substantial) costs of implementation. Make sure you plan for these in your future budget.
- The new data protection regulation comes with a comprehensive accountability and documentation obligation. Consider now how and through which means you will be able to adhere to it in the future.
- A detailed definition by national lawmakers may still be pending – but it is already apparent that the GDPR requires most businesses to appoint a data protection officer. Now is the best time to assess your company’s internal situation and get external help if required.
- Devise a plan. Transforming bigger businesses for the General Data Protection Regulation will be a challenge. Start with it early enough – some work steps can be carried out now.
- Plan your resources, both regarding personnel and budget. There will be a lot of changes, and a lot of adjustments resulting from these.
- Carry out a risk assessment. Which risks and threats does your business face?
- Where does your business stand today and what will you have to do in order to comply with the GDPR?
- Assess if your current data management processes meet the requirements.
- Check now which of your company’s systems and software – from your accounting system to your data storage solution – may be affected by the new legislation.
Data protection is not a product, but a process! With this in mind, even the challenges of the new EU General Data Protection Regulation can be overcome.