
GDPR is a reputational challenge that can seriously impact our organisations

The implementation of the European Union’s General Data Protection Regulation (GDPR) will take place on the 25th May, and involves a comprehensive review of the way practically all organisations manage European citizens’ data. We say ‘practically all’ because all public, private and non-governmental organisations, regardless of their size, that store data of citizens living in the EU, including those operating outside the territory of the EU, must comply with it.

It is the biggest European legislative change in the last 20 years: it replaces the 1995 Data Protection Directive, and goes beyond our already stringent LOPD (Organic Law for Data Protection).

More rights for some and obligations for others

On the one hand, it strengthens citizens’ privacy rights; on the other, it increases the obligations of businesses.

On the first point, it guarantees the right to be forgotten: people must give clear and express consent for the use of their data, they have the right to restrict its processing (to only the purposes for which the data was given), and it grants them the right to have their data ported to another organisation of their choosing.

In terms of obligations for businesses (meaning both public and private institutions), the new regulation establishes new codes of conduct and transparency in the handling of data. Specifically, businesses are required to notify security breaches within a maximum time limit of 72 hours. They must keep a comprehensive record of their data-handling activities. They must review their technologies to guarantee the protection of information, with the final objective of having what is considered to be “state of the art” in data handling.

Ultimately, organisations must start preparing now for a new proactive, rather than reactive, responsibility. Not doing so would mean sanctions that can reach up to 20 million euros or 4% of global turnover, whichever is the larger amount. It isn’t just a direct economic risk but also a reputational challenge: you could be exposed to class actions and even be suspended from handling data by the regulator.

In our country, according to a study published by IDC Research Spain in November 2017 on the impact of GDPR on Spanish companies, only 10% already comply with the regulation, another 45% were going to deal with it in 2017, 25% already had a solid plan to ensure compliance, 15% were waiting for more information, and 5% didn’t know where to start.

General challenges for the CEO

Firstly, we should say that you ought to consider the application of GDPR as a competitive advantage, or an opportunity to improve the efficiency of information governance and its security. At least, that is how 36% of our businesses see it. As the person ultimately responsible for the organisation, you…

    • Must keep up with the areas it affects and the requirements its application entails.
    • Delegating to the technical team, must ensure the correct classification of data (there is a series of special categories: ethnicity, race, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometrics, health, sex life/sexual orientation).
    • Must train the staff who have access to the data, establishing strict rules for editing and transmitting it.
    • Must prevent accidental loss and remove data that no longer serves the purpose for which it was collected, or at least anonymise it so that there is no direct link to the people affected.
    • Must ensure there is a designated DPO (Data Protection Officer) in charge of compliance, cooperation with regulators and communication, as well as educating the business at every level, from management down to the last employee with access to the data.

A DPO is only required when the organisation is a public institution, when data is handled systematically on a large scale, or when the data belongs to the special categories mentioned above. All other organisations, according to Article 37 of the regulation, are exempt from this requirement.

In our next instalment, we will focus on the main areas of investment that will drive compliance, and on the role of the Cloud in applying this new legal framework.