The new EU General Data Protection Regulation (GDPR) took a significant step forward on 17 December when the European Union’s trilogue (Parliament, Council and Commission) reached agreement on the proposed EU GDPR. All that is needed now is for the full Parliament and member state governments to approve it in January next year. Once that has happened, a date will be set for the two-year run-in period before the new Regulation comes into force, after which organisations processing personal data about European citizens will be required to be compliant. The caveat is that some data protection regulators may decide to implement some of the coming changes earlier.
Not everything that was proposed went through. The most significant watering down, much to the delight of companies involved in social media, was the requirement to increase the age of digital consent from 13 to 16.
Whilst there are some positive changes coming for individuals and organisations, not having to deal with 28 different data protection regimes being one of them, the headline-grabbing change is that penalties for non-compliance will include fines of up to 4% of annual global revenue or €20 million, whichever is greater. Perhaps this, plus the requirement to report breaches within 72 hours, will be the tipping point for ensuring that privacy becomes a board-level issue?
The requirement to appoint a Data Protection Officer (DPO) was carried through to the compromise text, though to a milder extent than initially proposed, not requiring SMEs to appoint a DPO unless their core business concerns processing personal data.
A significant change to existing legislation is the extraterritorial effect, consequently requiring companies outside of Europe offering services to European citizens to be compliant with the Regulation.
Companies will be expected to take a positive approach to the full data lifecycle, from the point personal data is collected or created through to its destruction. Knowing what data an organisation actually needs to collect is something that should be looked at now, as it will form the basis for many of the changes organisations need to make to comply with the Regulation. Procuring large systems, or changing them, can take a long time, and businesses should plan now to identify any changes or new requirements sooner rather than later, to ensure that they will be compliant by Q1 2018, when the new Regulation is likely to come into force.
Whilst two years seems a long time away, it really isn’t when you consider the nature and scale of the changes that organisations will have to make to their systems, processes and procedures to ensure they are compliant (and have tested their compliance). We are beyond the point of waiting to see what happens; now is the time to start preparing.