GDPR overview in the Nordics
The EU General Data Protection Regulation (GDPR) brings in major changes to the current EU Data protection legislation by fundamentally changing the way organisations manage personal data.
It applies globally to organisations that manage EU citizen data and introduces requirements around unambiguous consent, portability of data and the right to erasure. The maximum penalties for a breach are increasing from hundreds of thousands to millions of euros or krone. Organisations can incur fines of up to 4% of global gross turnover or €20 million, whichever is greater. In the world of data privacy – GDPR is a game changer.
GDPR applies to any organisation that trades with the EU or with EU citizens, or handles EU citizen data. Under the present Data Protection Directive, there is the principle of adequacy across the 28 (current) EU countries and three EEA member countries (Norway, Iceland and Liechtenstein). The EU Commission has also recognised 11 non-EU countries that provide adequate protection – Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Therefore, global regulators are already demonstrating their keenness to maintain consistency with the EU to encourage and facilitate cross-border trade and operations. In short, companies should proceed with their GDPR planning either because they process EU citizen data or because non EEA-states are likely to implement laws that are essentially identical to the GDPR.
We have identified the top three priority areas for any organisation. Each of these areas will change the way organisations ensure protection of personal data:
- Requirements around unambiguous consent, data portability and the right to erasure mean organisations fundamentally need to rethink how they manage and retain data, and have a complete understanding of the information flow ecosystem
- Data governance, privacy within systems and organisational culture will need to happen by design, rather than as an after-thought. Essentially, organisations need to take a more proactive approach towards management of personal data, subsequent monitoring and reporting
- Liability extension to third-party data processors will enable organisations to have clearly defined accountabilities and agreements
Organisations need to understand the scale of the challenge. When new regulations are imposed, many assume that compliance can be achieved with changes to a few administrative processes and technical upgrades. In reality, the GDPR will pose greater challenges around the management of data that companies hold, and some of the required systemic changes will be very time-consuming and resource-intensive. It is therefore critical that action starts now.
The management of data, how it is managed and what happens if things go wrong, all have a wide-reaching set of new requirements. Organisations will need to explore the implications of the strengthening of individual rights, such as the right to be forgotten and the need to carry out privacy impact assessments. There is also a requirement for organisations to report any breaches to the regulator within 72 hours – this is a significant step up from the previous (and non-specific) expectation of a ‘reasonable’ time for notification.
The new requirement for unambiguous consent for data usage means that organisations should start work early to define their specific consent model as this will have far-reaching ramifications on the systems and processes they use to capture data. The consent model must ensure control over their data remains with the individual – one of the main aims of the GDPR.
Another important change is the need for proactive governance of third parties who process information. The increased use of outsourced vendors and suppliers means organisations must take care to identify where and how information is processed, transmitted and stored, and have clarity over the designated data controllers and data processors.
Organisations have a choice. They can treat it simply as another compliance issue – or they can take a more business- and customer-centric approach that will allow them to explore how they can manage personal data to help make more informed decisions and create a better experience for their customers and other stakeholders.
Successful GDPR implementation demands that organisations have a complete understanding of the personal data flow aligned with the overarching business processes and underlying systems. If this is closely coupled with their data governance programme, organisations can generate valuable insights – for example, into customer behaviour and how to improve customer experience.
There are a number of practical steps an organisation can take to start their GDPR planning and preparation – from reviewing their current consent model to locating where personal data is current held, from conducting internal awareness and training to reviewing all third-party contracts. We have a tried and tested approach to the GDPR, which includes:
- Conducting a detailed gap assessment against GDPR requirements
- Defining and shaping an appropriate remediation programme as per the findings of the gap assessment
- Identifying opportunities within your organisation to use data to improve decision-making and customer experience.
With just over a year until the May 2018 GDPR implementation deadline, it is important to act now to ensure you are compliant and to maximise opportunities to effectively use customer data.