GDPR – An Irresistible Regulation?
Data protection laws are not a novelty, so why all the fuss about the EU’s new General Data Protection Regulation (GDPR)? We look at the forces pushing this Regulation up the corporate agenda.
Imagine the two year GDPR transition period which began in May 2016 and closes in May of this year as a 100m racetrack. We’re at the point where athletes start to dip for the line. In reality, some GDPR participants are only now heading for the starting blocks. Even those whose race has begun do not necessary feel closer to the finish than when they started. A privacy professional at a multi-national company with significant operations in Malta recently told me that ‘The more we learn about GDPR, the more non-compliant we realise we are’. For others, being conscious of their incompetence would be a big step forward.
It’s true that the GDPR will extend the rights of data subjects and increase the obligations on organisations in numerous ways, but on paper, the changes are more evolution than revolution. So why the pain? To begin with, very few organisations are fully compliant with existing data laws. Many are needing to start from scratch on issues as basic as policies and privacy awareness, never mind more technical matters covered by the GDPR such as data inventories, consent management systems and technical security measures, like pseudonymisation. While individual GDPR requirements are often challenging, the overall task of compliance can be daunting and is Herculean in the time remaining before the deadline. Many organisations are already resigned to not being fully ready on time and are trying to decide which bits of the law they can tackle later.
You may well ask why organisations are worrying so much about this law if they cheerfully ignored the old one. This gets to the crux of the matter. The most notable feature of the GDPR are the potential costs of non-compliance. This Regulation has teeth and is intended to bite.
Under the current Maltese regime, the largest fine which has been levied on an organisation by the Information and Data Protection Commissioner is €10,000. This can not be described as dissuasive. On the other hand, the maximum fines under the GDPR are eye-watering, being the greater of 4% of group turnover or €20m. Not only can a breach result in financial penalties from the competent authorities, but Article 82 of the Regulation provides the possibility for data subjects to obtain compensation where an organisation’s breach has damaged them. To understand what this could be mean in practice reading up on the successful class action in North America against Standard Innovation – an adult toy manufacturer - may be instructive. The establishment of the European Data Protection Board is likely to prevent national regulators from employing light touch sanctions. What is clear is that the potential direct financial costs are making a difference to how seriously many companies are taking this law.
The Domino Effect
Even organisations that have thus far taken the ostrich approach to the Regulation may start to feel the pressure indirectly. As they are obliged to do, corporate customers are demanding that suppliers processing personal data on their behalf can guarantee GDPR compliance. Consequently, in certain sectors, business is already flowing away from organisations which are unprepared for GDPR. In the future we may well see the development of seals and certifications to denote GDPR compliance, further demarcating corporate circles of trust.
The excitement surrounding GDPR also means that the general public is becoming more aware of their rights. This heightened awareness may be something telemarketers and other front office staff are already noticing. Once the GDPR applies, organisations retaining chaotic data arrangements may experience a wasteful diversion of internal resources to respond to data subject requests and may also incur damaged reputations and regulatory sanction.
You may well think that the hoopla around GDPR is hype, and you may see the current efforts as panic, but there’s little doubt that this is a transformative law. Can you afford to resist?
Article originally appeared on Business Observer