OUR THOUGHTS ON:

Preparing for the General Data Protection Regulation (GDPR)


By Eric Fair

History and Overview

The European Union (EU) introduced its data protection standard 20 years ago through the Data Protection Directive 95/46/EC. Because a Directive allows Member States a margin of flexibility when implementing it into national law, Europe ended up with an array of differing privacy laws. With the increase in security breaches, technology advancements, and globalization over the past 20 years, new challenges have surfaced around the protection of personal data. In response, the EU developed the GDPR.

The announcement to finalize GDPR was made in December 2015, and following a vote by the EU Parliament, the GDPR will take effect on May 25, 2018. The intent is to strengthen and unify data protection for individuals within the EU while controlling the export of personal data outside the EU. Put simply, GDPR gives EU citizens control over their personal data. However, the comprehensive legislation surrounding GDPR has made it very hard for organizations across the world that conduct business within the EU to adapt and prepare for compliance.

Non-European Businesses

Does GDPR apply to your organization? GDPR extends to non-European businesses that offer goods and services to data subjects in the EU, and even to non-European businesses that monitor EU data subjects’ behavior, regardless of whether the business maintains an office or subsidiary in the EU.

Key Points

  • In the event an organization outside the EU targets or monitors consumers’ behavior in the EU, that organization would be subject to GDPR.
  • A Data Protection Officer (DPO) is highly recommended, but is only required if one of the following applies:
    • Data collection is being performed by a public body or authority; or
    • Data collection is being performed through a systematic process on a large scale; or
      • Factors to consider when determining “large scale”:
        • Number of data subjects involved
        • Volume and range of data being processed
        • Duration and permanence of data processing
        • Geographical reach of the processing activity
    • The data being collected falls within the special categories of data.
  • In the event a DPO is not appointed, the decision to not appoint must be documented.
  • Accountability is placed on data controllers to demonstrate compliance, requiring them to:
    • Maintain documentation
    • Conduct a data protection impact assessment for high-risk processing
    • Implement data protection by design
  • Consent must be freely given, specific, informed and unambiguous. Requests for consent should be separate from other terms and be clearly communicated.
  • Data controllers must notify the data protection authority (DPA) of most data breaches without delay and, where feasible, within 72 hours of becoming aware of them. Justification must be provided if this time frame is not met, and in some cases the data controller must also notify the affected data subjects.

Implications of Accountability under GDPR

Because GDPR places accountability on organizations with access to personal data, these organizations must be prepared to respond to requests from individuals who want to exercise their rights over the processing of their data. If an organization suffers a data breach under GDPR, the following implications may apply, depending on the severity of the breach:

  • Organizations must notify the local data protection authority and potentially the owners of the breached records;
  • Organizations could be fined up to 4% of annual revenue or €20 million, whichever is higher. Other specified infringements carry a fine of up to 2% of annual revenue or €10 million, whichever is higher;
  • Reputational damage; and
  • Loss of business opportunities.

Act Now

Organizations have to revisit their IT strategies to align them with GDPR; however, they also need to ensure that they continue to meet their business requirements and account for any impacts on the business from their strategic initiatives.

If you want to learn more about the GDPR and its potential impact on your organization, please feel free to contact us.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2018 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
