GDPR is the next big thing in data privacy, data protection, and compliance
Mitigating digital and information security risk to support protection of data privacy is an integral part of SAI Global's mission and why we're supporting the National Cyber Security Alliance as a Data Privacy Day Champion. Established to commemorate the 1981 passing of Convention 108, the first legally binding international treaty on privacy and data protection, Data Privacy Day this year comes on the eve of the next big data privacy regulation to impact global businesses. The EU's General Data Protection Regulation (GDPR) is destined to become one of the most important regulatory changes of 2018.
Guest blogger Robert Bond talks about the GDPR below as part of our 2018 Trends & Predictions series. Take the first step in bolstering your data privacy. Try a free demo of our ethics and compliance education on data privacy and GDPR.
There is no doubt that the EU's General Data Protection Regulation (GDPR), set to take effect on May 25, 2018, will be one of the most significant trends of the year. This regulation will have a major impact on companies, customers, individuals, and third-party vendors around the world and, as interest in GDPR continues to climb, so too will preparation for GDPR compliance. For compliance teams around the world, this needs to lead to executive buy-in for resources, implementation support, and new employee training content.
GDPR is applicable to any business processing personal data in relation to EU citizens, wherever that business is in the world. Businesses will therefore need to analyse the “who, what, when, where and how” of their data processing activities over the next five months, if they haven't already started. Because GDPR imposes strict record keeping obligations in relation to different personal data processing activities, and failure to have adequate internal record keeping is an offense, the significant increase in enforcement and fines under GDPR will drive data protection to become a major C-Suite issue.
The GDPR sets out six lawful grounds for processing personal data. Consent is the one ground on which legal and compliance teams often tend to focus. While there is no doubt that consent is necessary in many cases, particularly where the data is sensitive, the other lawful grounds, such as contractual necessity and legitimate interests, are something the compliance team will also need to focus on.
GDPR introduces key principles such as transparency and accountability, so businesses will need to ensure that their privacy notices and mechanisms for obtaining lawful grounds for processing are spelled out in plain language, and that there is an audit trail within the business of when and how permission was obtained for processing and sharing personal data.
For businesses that process large volumes of personal or sensitive data as a core activity, a mandatory Data Protection Officer role should be created that will oversee compliance functions in relation to GDPR. Even if a mandatory Data Protection Officer is not required, many large businesses may feel the need to ensure that there is a team dedicated to managing GDPR compliance.
As GDPR expands the range of personal data rights for individuals, such as access, portability and erasure, the compliance team will need to ensure that there are appropriate policies and standard operating procedures in place to handle requests from individuals exercising those rights.
Many businesses do not currently have policies that cover areas such as data portability, right of erasure, and right to object to profiling.
As part of the GDPR, obligations are placed on controllers to ensure they have suitable agreements in place with vendors to whom they outsource personal data processing activities. Failure to have the appropriate contracts and measures in place will become an offense. As so many businesses outsource to cloud providers and other software as a service (SaaS) organizations, it will be a major task for compliance to audit those contracts and ensure that they are GDPR compliant. Given the focus that GDPR places on records management and internal record keeping, the compliance team will also need to ensure that there are appropriate policies and procedures to cover compliance and demonstrate accountability.
While it's clear that the effects of GDPR will reach far and wide across all industries, we'll be keen to keep an eye on how this new regulation will influence Facebook, Twitter, and other global media companies that rely heavily on user data to customize experiences and deliver targeted advertising. There is no denying that GDPR will impact everyone but we believe the most significant impact, both in terms of potential financial repercussions and changes to their core business, will be to online media companies and social networks that use data-driven targeting for advertising and customization.
Read all eight of SAI Global's trends and predictions for 2018 by downloading our new report, 'The Future of Ethics, Compliance, Risk, and Corporate Culture: 8 Trends and Predictions for 2018.'
Guest post by Robert Bond
Robert Bond has nearly 40 years' experience in advising national and international clients on all of their technology, data protection and information security law requirements. He is a recognised legal expert and author in the fields of IT, e-commerce, computer games, media and publishing, data protection, information security and cyber risks. He is Secretary of the Board of the Society for Corporate Compliance & Ethics, Chairman of the Big Data Governance committee of Tech UK and a member of the UN Data Privacy Advisory Group to the United Nations and is an Ambassador for Privacy by Design.