Three years in consultation and 20 years after the adoption of its predecessor, the EU General Data Protection Regulation (GDPR) is finally entering the last stages of ratification, but not without controversy. It has drawn criticism from civil rights groups (too lenient) and the advertising industry (too strict), yet under closer scrutiny the adjustments could bode well for business.
The Council of the EU has removed the blanket requirement for an appointed data protection officer, reduced data breach notification obligations, extended the disclosure window to 72 hours, and is discussing lowering the maximum fine from five percent of total worldwide annual turnover to two percent.
In a bid to appease member states and international business, the EU appears to have climbed down somewhat, but don't be fooled. The implication is that it is still very much advisable for companies to adopt data protection practices that protect data, mitigate breaches and disclose them responsibly and in a timely manner; there is simply less pressure from the threat of a rebuke and a hefty fine to motivate you.
This might at first seem confusing, but with this leniency comes flexibility. Take, for instance, the obligation to have a data protection officer. This has been removed, but the implication is that it is still advisable for certain companies to appoint one, either individually or shared across a group. The regulation still documents what the DPO's duties should be, the need to remove any conflicts of interest from their job description, and dismissal procedures (the DPO can only be dismissed if they no longer fulfil the conditions required for the role).
This shows a sensitivity towards the cost-strapped enterprise that does not feel it needs, or wants, to devote resources to a DPO. The Council has also addressed concerns about overloading SMEs, removing the obligation to keep records of personal data processing activities provided such activities are not deemed high risk.
Data breach notification has also been toned down. The disclosure window has widened from 24 hours in the initial draft to 72 hours in the Council's text.
Where disclosure takes longer, the company concerned needs to provide a reasoned justification for the delay. In reality, most organisations know the value of early disclosure; the longer window simply makes it easier to comply. Note that the clock runs from the point at which the organisation becomes aware of the breach, so in practice the binding constraint is usually detection and internal escalation rather than the notification itself.
What is also interesting is that the 72-hour clock applies only to reporting the breach to the supervisory authority. When it comes to notifying the affected individuals whose data is now in the wild, there is no fixed time limit. Rather, individuals whose rights and freedoms could be compromised should be notified "without undue delay" and "as soon as reasonably feasible".
Indeed, disclosure to these data subjects is not required at all if the necessary technical measures have been put in place to protect the data and render it "unintelligible" to anyone not authorised to access it, such as encryption. The practical caveat is that this exemption only helps if the keys were not exposed along with the data; encrypted records whose key sat on the same compromised system are not unintelligible to the attacker. Nonetheless, it makes it far more attractive for companies to invest in such protection.
The punitive fines of up to five percent of worldwide annual turnover (the figure adopted by the European Parliament) have also been reduced (subject to final agreement) to a maximum of two percent, the level in the Commission's original proposal, where a company "intentionally or negligently" violates the terms of the regulation. This change is no doubt a response to concerns that hefty fines could put some companies out of business or lead to an exodus of the big data handlers from Europe.
There is clearly less stick and more carrot. The regulation abolishes the general obligation to notify the authorities when an organisation intends to process personal data, replacing it with prior consultation for high-risk processing. In these instances a Data Protection Impact Assessment will be required and a DPO consulted or employed, showing a much greater emphasis on procedures and controls than existed previously.
The regulation also provides for codes of conduct to be drawn up and data protection seals awarded to compliant companies, although a seal would be valid for a maximum of three years, after which the company would need to seek renewal.
But we are not home and dry yet. Although the draft text repeals its predecessor, Directive 95/46/EC, and establishes a European Data Protection Board on which authorities such as the ICO will sit, neither takes effect until the Regulation does. The next step is the first three-way negotiation (trilogue) between the Commission, the Council and the European Parliament at the end of June 2015, after which the Regulation cannot be approved until the end of the year at the earliest. It will then be a further two years before it applies.
For many organisations there will be a collective sigh of relief that the regulation neither shackles European business nor shuts out the international players. Common sense has prevailed, with the onus very much on the business to address data protection pragmatically.
The only danger now is that the two-year window creates a sense of complacency. Businesses should view it as an opportunity to take stock, identify weaknesses in the way data is handled, and put in place the processes and procedures to safeguard what for many is their greatest asset: data.
Contributed by James Henry, consulting practice manager, Auriga