GDPR – EU privacy law version 2 is here, so let’s get ready!
16 December 2015
After four long years of political processes, business lobbying and endless articles, blogs and tweets, the General Data Protection Regulation is here. And last night's compromise even managed to deliver some surprises, such as the retention of the compulsory Data Protection Officer (DPO) requirement and financial penalties of up to 4% of worldwide annual turnover. The GDPR represents the biggest shake-up of data protection law in over twenty years. It will have a massive effect. In 2016 we expect the GDPR to be a top agenda item for most entities.
You see, every entity uses personal data: every business, public authority, charity, school and hospital. And any entity that holds or uses European personal data will be captured by the new law, regardless of where in the world they are situated. Every person whose personal data are held in Europe will be the beneficiary of the new law.
There is no other law with such breadth and scope.
So, why is this new law so important?
A seismic shift in power relationships
In addition to its breadth and scope, the new law is important because of what it seeks to do, which is to impose more regulatory and citizen control over personal data, a vital asset of the global economy. In other words, the power relationship between entities on the one side and regulators and citizens on the other has changed, with power shifting from the former to the latter. Citizens who are worried about privacy have a lot to be happy about.
Firstly, the GDPR imposes a multitude of new compliance obligations on entities, which will be time consuming and costly to address. These compliance obligations include:
- New rules about the obtaining of consent to use personal data. Obtaining consent is about to become a lot harder.
- New requirements to carry out Privacy Impact Assessments (called Data Protection Impact Assessments in the agreed text), in order to understand the risks to personal data and privacy that can flow from a particular use of data before that use begins.
- New requirements for Privacy by Design (data protection by design and by default in the agreed text), so that protections for personal data and privacy are baked into all business operations and processes right at the beginning, rather than bolted on afterwards.
- New obligations for transparency, including a Breach Disclosure requirement for the reporting of security and confidentiality breaches to the regulators (without undue delay and, where feasible, within 72 hours of becoming aware of the breach) and, where the breach is likely to result in a high risk to them, to the people affected. Breach Disclosure is akin to washing one's dirty linen in public and it is bound to lead to legal problems.
Secondly, the GDPR gives people significantly enhanced rights over their personal data, which we can use against entities and in court. For instance: we will be able to demand the Right to Be Forgotten (the right to erasure), so that our personal data are deleted and destroyed by entities; we will be able to demand Data Portability, so that we can move our data from one entity to another; and we will be able to demand greater access to our data. Most significantly, we will be able to sue entities for compensation if we suffer damage or distress as a result of a breach of the law. And of course, we will be able to pursue our complaints before the regulators.
Thirdly, the GDPR gives the European data protection regulators considerable new powers over entities, enabling them to intervene more readily in their business and operations, to shape how personal data are used. The regulators will also be able to impose massive financial penalties for non-compliance, which in serious cases will run into many millions of Pounds or Euros, perhaps even tens of millions. The maximum fine is the higher of €20 million or 4% of worldwide annual turnover. That is a staggeringly high risk for businesses.
Delivering change through Vision, Strategy, Readiness Assessment and Bootcamp
Well, entities now need to get themselves ready for the new law. There is no time to waste, because the workload is massive. Anyone working in this field will already know that it can take years just to get simple tasks moving on data protection. The GDPR is likely to need end-to-end reform of business processes and practices.
So, entities will have to make some difficult choices about their priorities, which means they need to quickly develop their Visions and Strategies for compliance. This is where PwC and PwC Legal can help. Our global, multi-disciplinary team of data protection experts is vastly experienced in this area and trusted by some of the world's leading brands, and we are here for you.
We have built a free-to-use online GDPR Readiness Assessment tool, which you can use to test your current state of readiness for the new law and your risk profile.
We are also holding monthly GDPR Bootcamps, which you can join in person or by webinar, to upskill yourself in the requirements of the new law, in the company of your peers and like-minded individuals, again free of charge.
We have also published a series of guides on the new law and how to comply, which are being added to all the time.
If you would like to know more about any of these matters, please contact me or any member of the PwC data protection team for more information.
Here are some links to some core resources:
- The agreed final text of the GDPR
- European Commission’s press release
- European Parliament’s press release