The countdown clock on Morrison & Foerster's EU General Data Protection Regulation (GDPR) readiness client hub tells me that (as at the time of writing) we have less than 10 months until the GDPR comes into effect on 25 May 2018. Our experience is that, in general, US-headquartered companies have been getting into gear for GDPR for many months, while many EU-based organisations are only now revving the GDPR engines. GDPR readiness is often portrayed as a mammoth task; many organisations are only too aware of the potential sanctions (€20 million or 4% of annual turnover), and against that rather severe backdrop, compliance teams face the unenviable task of working out "where do we start?" In this article, we set out a roadmap for CIOs involved in GDPR preparations.
What is GDPR and is anything really changing?
The GDPR is a comprehensive data protection regulation that replaces the current EU data protection directive and (in part) the UK Data Protection Act. It imposes more uniform requirements across the EU. At its core are accountability and transparency: being clear with individuals about how their data is used and putting high standards of data protection at the heart of how we do business. The UK Information Commissioner's Office (ICO) views the GDPR as a means of increasing data trust and confidence among the UK public.
Many of the concepts under the current data protection regime remain unchanged, and the ICO's view is that companies which are compliant with the current regime have a "strong starting point" to build from. But there are important new elements, and some things will need to be done differently. Apart from the increased enforcement powers described above, the GDPR regime will make it more difficult for businesses to rely on an individual's consent as a lawful basis for storing, transferring or otherwise processing their personal data. This is particularly true in the employment context. More emphasis is placed on data record-keeping, data retention, data security and impact assessments, and these obligations replace the requirement for data controllers to register with the ICO. Moreover, the GDPR requires compliance not just from EU-based data controllers and processors but also from organisations based outside the EU which offer goods or services to UK-based consumers or which monitor the behaviour of individuals in the EU.
Individual rights to access information remain (subject to some changes, particularly in response times), but there are new rights to data portability and to object to profiling (e.g. the use of personal data to predict behaviours). The renowned "right to be forgotten" also features.