1. New rights and obligations
The GDPR is the culmination of a four-year legislative process designed to give EU citizens greater control over their personal data, and create consistency and lower compliance costs for businesses.
New individual rights have been created, such as the Right to Portability, which means you have the right to access and take your personal data from a company on demand, and the Right to be Forgotten, which gives individuals the right to ask a data controller to remove content about them.
Organisations have an obligation to honour these new individual rights.
Other obligations include the requirement for organisations to perform regular audits on the privacy impact of their new services to consumers, and incorporate privacy by design and default into the products they create.
2. Two years to implement
Organisations will have two years from the date the GDPR is officially published, which will be fairly soon, to be in compliance.
That may sound like a long time, but it’s not.
Implementing change at any large multi-national corporation is akin to turning an aircraft carrier, something I imagine can only be done in a slow-moving arc.
Many organisations – if they haven’t already begun the process – will need to undertake a gap analysis to determine what they presently do against what they will need to do.
This initial step, which may also necessitate a Request For Proposal (RFP) to outside privacy consultants or legal counsel, will take many months to accomplish.
Once completed, a remediation plan will need to be developed and agreed upon.
Finally, budget will have to be allocated and then the plan executed. Two years – it will fly by.
3. Notice and consent
The GDPR will require websites and apps, as well as connected devices or sensors, to provide a prominent notice to the website visitor so they can decide whether or not to give consent.
Sound familiar? ‘Transparency for all’ is our mission statement, and while we are well positioned to help many organisations with this new obligation, they need to be aware that it has to be in place with the switch turned on by the end of the two-year implementation period.
4. Applicability and penalties
While the GDPR is an EU law, it really has the de facto effect of being the global data protection standard.
Think about it – if any website or app is opened, even once, by an EU citizen, then the requirements to comply with the law are triggered.
Importantly, regulators have been granted huge authority to impose financial penalties, depending upon the severity of the transgression, up to 4% of a company’s annual gross revenue.
You read that right, up to 4%.
In real terms, a company with $1bn a year of global revenue will have an annual risk exposure of up to $40m.
That is a material amount of money, and probably has to be disclosed in annual filings and processes put in place to mitigate against the risk occurring, not to mention the possible increased purchase of risk transfer instruments under an insurance policy.
All very complex and high stakes.
While organisations face huge challenges in 2016, none of them are insurmountable.
This year will see privacy transition from the conceptual to the concrete as businesses are forced to understand how to make privacy a core business process, something that hasn’t been done on a wide scale before.
Those that get it right, and there will be a few, will be the winners of 2016. It’s going to be a lot of fun.