International Data Protection Day: Where Do Organizations Stand with GDPR?
Observed across 50 countries within North America and EMEA, International Data Protection Day aims to raise awareness among businesses about the importance of data security and personal privacy. As part of Atos’ contribution to the cause, here Lionel de Souza, Group Chief Data Protection Officer at Atos, discusses the changes heralded by the EU’s upcoming General Data Protection Regulation (GDPR) and the implications for businesses…
Signifying a landmark shift in how organizations collect, protect and process personal data, the EU’s GDPR is a welcome initiative that will help create a new level of trust between businesses and their customers. However, with the regulation set to come into force from 2018, time is rapidly running out for organizations to put in place the necessary protocols to remain compliant with the new legal framework. Worryingly, a recent study found that over a third of firms felt they weren’t ready for GDPR, while a mere 3 per cent said their companies had plans in place to be ready for the new regulation.
If you’re one of the organizations still in the dark, here is a ten-point summary that will bring you up to speed with the expected impact of GDPR…
- A Broader Scope: For the first time, the legal framework makes European data protection legislation applicable beyond the EU. In fact, any organization using the data of EU residents will be required to comply with GDPR. This will have a direct impact on the way in which many organizations across the world operate; ensuring that citizen privacy is upheld no matter where they purchase services.
- Definitive Definitions: Working to define the full scope of previously vague terms such as ‘data relating to health’ and completing certain concepts such as sensitive data’ will ensure that personal data is offered better protection, and will remove any previous confusion around an organization’s data protection obligations, including security.
- Increased Accountability: GDPR will add greater levels of accountability to the data processing phase. The regulation includes an obligation for organizations to follow data protection requirements as well as being able to demonstrate such compliance across its operations.
- Clarity of Personal Data Use: Crucially, GDPR is an evolution, not a revolution. Again, the regulation better clarifies rules concerning personal data use – including clarifying and strengthening the rules around the concept of consent from individuals.
- Data Breach Transparency: The regulation not only requires the implementation and maintenance of security measures, it also generalizes the requirement of notification of pertinent data breaches that occur – ensuring full transparency between the organization, the data protection authorities and, where necessary the customer when it comes to protecting their interests.
- Assigning Clear Roles: Under GDPR, the controller (the entity that defines why personal data is processed and how) is now required to do more in ensuring that data protection is at the heart of their operations. Meanwhile, processors (i.e. those processing the information on behalf of others) are also going to be held more accountable for data protection, facing, sometimes, the same obligations as the controller. Transparency between both parties will be essential and a fundamental part of achieving compliance.
- Stronger Rights for Data Subjects: Data subjects are now at the centre of the issue. Whether it is through the reinforcement of existing rights (right to access; right to be forgotten), the creation of new rights (right to restriction of processing; right to data portability) or the affirmation of individuals’ right to obtain remedy for violations of the GDPR.
- Greater Scrutiny Over International Transfers: Organizations intending to transfer personal data outside the EU will have increased options. GDPR not only recognizes existing mechanisms (including, for the first time, officially, Binding Corporate Rules), it also includes new approaches such as validated codes of conduct or certification mechanisms.
- More Powers for Data Protection Authorities: With further accountability for involved parties, most formalities with data protection authorities will progressively disappear. This will increase the bandwidth of data protection authorities to conduct enforcement actions and to exercise their controlling, correction or sanctioning powers. At the same time, multinational companies will benefit from the establishment of the ‘one-stop shop’ principle with their lead authority and from greater harmonization through the European Data Protection Board.
- Severe Consequences: Failure to comply with the new GDPR could in extreme cases result in a fine of up to 4 per cent of the company’s annual worldwide turnover.
For citizens of the EU, it’s a progressive step forward in the push to ensure their privacy is respected and their personal data protected. For organizations, the evolution of GDPR will have significant consequences on the operational, contractual, and strategic considerations of their business model. The full impact of GDPR must be carefully considered and stringently addressed as soon as possible.
Discover more on the impact of General Data Protection Regulation on the Atos Ascent blog.