From 25 May 2018, the long-awaited General Data Protection Regulation (GDPR) will apply across the EU, representing the biggest shake-up of data protection laws in the digital age. With GDPR implementation now just months away, AGCS cyber experts Christopher Rau, Jens Krickhahn and Marek Stanislawski offer their insights on what businesses can expect.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a set of rules and requirements aimed at protecting personal data held by businesses and other organizations. Currently, data protection laws vary by country, but the GDPR will harmonize privacy rules across all 28 EU countries. The new rules strengthen the role and powers of data authorities, affirm additional rights to data subjects (principally, every individual), enhance potential fines and sanctions and define additional requirements for organizations to protect personal data. These requirements include but are not limited to implementing certain policies and processes, developing an effective internal data protection management system and appointing a data protection officer.
Why is the GDPR needed?
The processing and protection of personal data has become a hot topic in recent years as more personal data is processed due to digitization, whether through internet shopping, a digital app, social media or a routine trip to the doctor. In response to the challenges of the 21st century triggered by new technologies, new business models and new cyber risks, European lawmakers decided to update and harmonize European data protection law by replacing the existing directive from 1995 with the GDPR.
Who is in scope for the GDPR?
Generally, the GDPR protects the personally identifiable information of individuals with permanent residence in the EU, but it will also have legal effect in the European Economic Area (EEA) countries. Basically, only information about natural persons is in scope; corporate data is out of scope. Any company that controls personal data, or processes personal data either on its own behalf or on behalf of another company, must comply with the GDPR, even if the company is based outside the EU. The GDPR is not linked to an EU passport and does not apply to EU nationals with permanent residence outside the EU.
So SMEs are also covered by the GDPR?
That’s right. Small-to-medium-sized enterprises (SMEs) are also subject to the GDPR. The GDPR may grant some flexibility to smaller companies, but in general the GDPR pays no special attention to a company’s size.
Does the GDPR introduce new requirements?
Many GDPR requirements to protect personal data already exist under national laws, but the GDPR sets a new tone and strengthens the principles for processing personal data, the accountability and obligations of legal entities, data subjects’ access requests and regulatory oversight powers. The GDPR is more an evolution of existing EU data protection law than a revolution.
How does the GDPR increase risk for businesses?
In addition to its extended extra-territorial scope, the GDPR also significantly increases the possibility of higher fines and sanctions for non-compliant companies. It contains a catalogue of different types of infringement, each with a maximum fine. Businesses will be much more challenged to understand their risk exposure, and their data protection management will be in the spotlight. Data protection will be a top risk for companies, especially considering the potential reputational damage they face as a consequence of data breaches or poor handling of personal data.
Which aspects of the GDPR will be most challenging?
There are many challenging issues from an organizational and technical perspective. Moreover, the timeline for implementation is very ambitious and difficult to meet, especially because many requirements will not be sufficiently defined by the GDPR itself or by the authorities until May 2018. The most prominent and complex change is the data subject’s “right to be forgotten”, whereby an individual can request that a company erase their personal data. Companies will need to put processes in place to locate the data and comply with these requests, although deleting a single data record that may have been copied to numerous databases, aggregated, or shared with a third party may not be simple.
How significant is the data breach notification requirement?
Another major challenge of GDPR compliance is the new requirement to notify authorities of a data breach within 72 hours of its occurrence. This has implications for risk management. Companies will need to put adequate processes and systems in place to identify what data is affected and to improve internal collaboration before informing the regulator. Repeated breaches will result in higher penalties and stricter regulatory monitoring.
Will fines be larger under the GDPR?
While the regulatory response to a data breach may differ between countries, generally we would expect to see more and larger fines for data breaches under the GDPR. The new rules give authorities the ability to levy fines of up to 4% of a company’s global revenues (at the group level, not just the single legal entity level) and a personal liability of up to €20mn. This would be far higher than the current maximum fines of £500,000 ($707,300) in the UK and €300,000 ($710,000) in Germany.
How will the GDPR be enforced?
Authorities in individual EU countries will be responsible for enforcing the GDPR in each member state, meaning that some could take a more aggressive stance than others, for example when it comes to fines. Additionally, the European Data Protection Board will mediate conflicts between national authorities and issue guidelines and dispute findings with varying degrees of binding effect. Data subjects, companies or regulators can seek a final decision in matters of dispute from the European Court of Justice.
How ready are businesses?
It depends on the individual business and its size. A number of EU countries and certain sectors – such as telecommunications and financial institutions – are already subject to higher levels of data protection regulation. More generally, most companies are on their way to compliance but aren’t there yet. Many do not yet have the systems and processes in place to handle the “right to be forgotten” requirement. Others are not prepared to make sure their legacy data is compliant. If a company realizes it will not be compliant by May 2018, it should reach out to the authorities and engage in a dialogue ahead of time, rather than hide and hope nothing happens. The GDPR does not establish any grace period, so each case would be individually assessed by the respective authority.
How can companies best prepare for the GDPR?
They need to get a clear understanding of the personal data they are processing: how much, what information, where it is stored and with whom it is shared. If the company determines that its data processing activity would pose a “high risk” under the GDPR to the “rights and freedoms” of individuals, it would also need to conduct and document a detailed data privacy impact assessment, keeping in mind that it is the domicile of the data subject, not the company, that generally determines who is in scope of the GDPR. The recent Paradise Papers data breach, which included personal data of EU-resident clients of an offshore law firm, would have been covered under the GDPR.
How can businesses mitigate the risks of a breach?
Being well prepared for a data breach will help reduce the reputational impact as well as the business interruption. Past experience has shown that the way in which an organization manages a breach has a direct impact on the cost, and this will become even more the case under the GDPR. Authorities are more likely to penalize companies that are not well prepared and do not handle breaches according to best practices.
Is there a role for risk management in preparing for the GDPR?
It has taken time for companies to realize the extent of the exposure, but now we see that the risk management function is highly involved in organizations’ GDPR projects. However, risk management should keep data privacy on the risk agenda even after “readiness” projects are concluded. The GDPR also requires “privacy by design” and “privacy by default” to encourage data protection from the earliest stage of any project or initiative. A robust privacy check at the start of every project or new process will become a mandatory internal requirement. Since the GDPR is not a one-off implementation, it will require a continuous risk approach.
How does insurance help companies prepare for or comply with the GDPR?
Cyber insurance can help with aspects of compliance. Insurance, for example, often includes consulting and incident planning services, as well as breach response services. If a company suffers a breach it will need access to expertise, such as specialist lawyers, IT forensics and crisis management consultants. Insurance provides instant access to these experts and helps demonstrate to authorities that a company has taken immediate and appropriate steps to reduce the impact of a data breach, as well as to meet regulatory requirements and deadlines.
Will its introduction improve cyber security and drive demand for cyber insurance?
A common saying in the field is that “you can have security without privacy but you cannot have privacy without security”. If companies approach GDPR requirements with due diligence, they are bound to augment cyber security through process refinement, increased awareness and often a growth in the security budget in order to deploy additional security measures. The GDPR is expected to support uptake of cyber insurance, but ultimately this will be up to individual companies to decide how to best allocate their risk management and security budgets.