The General Data Protection Regulation (GDPR) which is set to go live in May 2018 poses significant challenges to every business operating in Europe or over the internet and, whilst the UK may be negotiating its exit from the EU, the Government has made it clear that this new EU Regulation will apply to companies here in the UK.
The overall objective of the GDPR is to give data subjects control over their personal data. It has five central provisions:
- Data Protection Impact Assessments become mandatory.
- Any business processing the data of more than 5000 data subjects within a twelve-month period must appoint a Data Protection Officer (DPO) to act as the interface between the business and a new Supervisory Authority (SA), which will regulate the sector territory by territory. Unlike a traditional compliance officer, the DPO reports not to the board of the company but directly to the SA.
- Data subjects must, in future, give explicit consent for their data to be collected and processed.
- All data breaches must be reported to the SA as soon as the business becomes aware of them, no matter how small or seemingly inconsequential.
- Where an “adverse impact” arises from any data breach, the data subject as well as the regulator must be told as soon as the company becomes aware of the breach.
The penalty for non-compliance is that the SA has the power to impose a fine of up to EUR20m or 4% of the worldwide turnover of the business in the preceding financial year.
Clearly, GDPR compliance is going to be challenging and will call for a new level of internal discipline and procedural rigour in order to deal with the dynamic and fast-changing data processing environment that many organisations face on a daily basis. A key feature of such procedures will be that firms are able to submit a report when required or, as importantly, produce an evidence trail to show why a report was not required.
Following the introduction of similar federal legislation in the US, which gave data subjects substantial remedies for non-notification of data breaches, there was a significant increase in companies putting cyber risk insurance in place. It will almost certainly be the case that such cover will become a standard component of insurance programmes for companies here in the UK and across Europe and, in the light of territorial disconnects, it may also be sensible to look at Difference In Conditions (DIC) insurance too.
The complexities of GDPR are such that companies need to start planning now.