Risk managers should prepare now for new EU data protection legislation that will come into force next year, Airmic and law firm BLM have urged. The new regulations are more demanding than current rules and can result in much larger fines. Risk managers are being warned that the changes could take time to implement. The General Data Protection Regulations (GDPR), approved by the European Parliament last year, will automatically become law in EU countries in May 2018.
It aims to clarify and increase the responsibilities of organisations for the personal data that they handle and store and also introduces mandatory breach reporting and much tougher penalties for those who do not comply. A joint report by Airmic and BLM, The EU General Data Protection Regulations: What risk managers need to know, says that UK businesses will be affected regardless of Britain’s decision to leave the EU.
Nick Gibbons, partner at BLM and one of the authors of the report, said: “The Information Commissioner’s Office has recently confirmed that GDPR will come into force and become part of UK law before the UK leaves the EU so the Brexit debate should not delay any action.”
Gibbons said that although there is good awareness about the GDPR, the full extent of the changes have yet to be appreciated. “There has been significant interest in GDPR amongst risk managers; however, many do not yet appear to have a clear understanding of current data protection law, let alone the particular changes to it that will be wrought by the new regulations.”
The report makes clear that complying with the GDPR cannot be sole responsibility of the IT team but must be treated as an issue for risk managers to address and control. “The GDPR brings with it significant changes including mandatory breach reporting and very heavy fines,” the report notes. “Information security is an organisation-wide risk which necessitates physical and organisational as well as technical security measures.” It continues: “In circumstances in which potentially crippling fines may be imposed for breaches, information security must be managed by an organisation’s risk manager and his/her team and cannot simply be left to the IT team to deal with.”
The report outlines the key changes that will come into force and provides detail on what risk managers should be doing now to ensure their businesses are ready for the new law. In particular, Airmic members are urged to:
* Review current data-processing activities;
* Perform impact assessments to establish whether there is a risk of infringement of the GDPR;
* Establish necessary policies and processes to meet all GDPR requirements (e.g. security, complaints handling, data accuracy, breach reporting, etc.);
* Update current policies regarding personal data and make the necessary changes to business operations.
Gibbons believes that careful planning will be key to a smooth transition. “The most important thing for risk managers to do right now is to create a plan and a budget for compliance by June 2018. There is a lot to do and identifying how much financial and human resource will be needed is important.” He added, however, that complying with the new data protection laws is not just about a one-off change in process, but rather a shift in way of thinking. “Risk managers and the staff in their businesses need, in my view, to start thinking about data protection law and using it in the same way they think about and use the Highway Code: it is something to be learnt and internalised rather than the subject matter of a voluntary bi-annual lecture.”
Data protection law originally came into being as a reaction to the misuse of personal data by totalitarian regimes before and during World War 2. It is intended to strike a balance between the rights of individuals to privacy and the capacity of businesses, organisations and governments to use personal data for their own purposes.
Current EU regulations came into force in the UK in 2000 under the Data Protection Act. However, it is widely recognised that these rules have not kept pace with technological advances and changes in the way businesses and individuals handle data.
Key changes that will come into force
The GDPR aims to address this, as well as creating a more uniform regime across the EU. Some of the key changes that will come into force next year include:
A requirement to notify breaches : Data controllers will have to notify personal data breaches to the supervisory authority no later than 72 hours after becoming aware of the breach and notify data subjects “without undue delay” if the breach is likely to result in a high risk to their rights and freedoms.
Much tougher fines : Under the current regime, Member States determine their own penalties. In the UK the ICO currently has the power to impose fines of up to £500,000. This will rise significantly under the GDPR to €20 million or 4% of annual global turnover.
Extra-territorial applicability : Non-EU businesses will be subject to EU data protection legislation if they offer goods or services to individuals located within the EU, or if they monitor individuals’ behavior which takes place within the EU.
Application to both processors and controllers : The current data protection legislation imposes most of its obligations on data controllers only. Article 3 of the GDPR provides that the new regulations will apply to the processing of personal data by both EU and non-EU controllers and processors.
One Stop Shop – lead supervisory authorities : Under the current legislation data controllers that process data in more than one EU country can be subject at the same time to the different data protection laws of several EU countries. The new regulation aims to create a “one stop shop” so that where processing activity affects data subjects in more than one Member State, the supervisory authority in the main establishment of the controller or processor will act as a “lead supervisory authority” and will regulate that particular activity across the EU.
A right to be forgotten
When a data subject no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted. Furthermore, individuals will have more information on how their data is processed and this information should be available in a clear and understandable way.
Source : Airmic