Organisations, wherever they are based, will soon be subject to fines of up to Euro 20 million or 4% of their annual global turnover, whichever is greater, if they fail to comply with new data protection laws.
These new penalties arise from the General Data Protection Regulation (GDPR), which comes into force in May 2018. Widely dubbed the “biggest shake-up of data protection laws for 20 years”, the GDPR has an extensive reach. Although developed by the European Union, it will apply to any organisation that holds or processes any EU personal data – regardless of where in the world the organisation is located.
In the Middle East, the laws surrounding data protection are considered to be quite patchy. For example, in the UAE there is no federally applicable data protection law and no single national data protection regulator. Qatar, for its part, has recently announced a new data privacy law that itself will carry large fines for organisations that do not comply.
Because of the culture in the Middle East surrounding data protection and privacy, there is a significantly heightened risk that organisations based in these jurisdictions will not have the internal processes needed to deal with regulatory change. Therefore, for Middle Eastern businesses that have a European footprint, the GDPR is a regulation that needs to be taken seriously.
The penalties for non-compliance should focus management minds. Consider Yahoo, which recently reported a significant data breach. If Yahoo were to suffer the maximum penalty on its Euro 5 billion turnover, this would equate to a fine of Euro 200 million. Organisations therefore need to start now on making sure they have policies and procedures in place to mitigate the risk of any regulatory breach in connection with the data they hold and process.
What is new?
- Data processors and data controllers – as well as significant penalties and a wide scope, the GDPR introduces a number of other significant changes that organisations must prepare for. One of the main changes is that data processors, as well as data controllers, will be captured by the regulation. Therefore, any data controller that outsources the processing of personal data to a third party must consider the implications: if the data processor gets it wrong, your organisation – as the data controller – will still be liable to penalties.
- Data subjects – the new regulation has been designed to give data subjects – the individuals whose data is being processed – more power over what information organisations hold on them and how they use it. Under the GDPR, all consent requests sent to data subjects must be easy to understand; that means no detailed legalese or jargon, but wording that is clear and simple. Consent must be just as easy to withdraw as it is to give, and data subjects will have the right to be ‘forgotten’ without delay. Data subjects will also be entitled to ask for a copy of all the data held on them and an explanation of what it is used for. The data must be provided in a machine-readable format so that the data subject can transfer it to other data controllers as part of a new data portability requirement.
- Data breach – if your organisation is unfortunate enough to experience a data breach, the GDPR requires you to report it to all stakeholders and regulatory authorities within 72 hours of the breach being discovered. There is also a new legal requirement for ‘privacy by design’, which means that data protection must be considered at the design stage of any new system implementation, not bolted on afterwards.
- Compliance audit – note that your business may be subject to a GDPR compliance audit at any time from 25 May 2018, regardless of whether a breach has occurred. The GDPR applies to every function within a company that processes personal data, so policies must be in place for all areas of the business.
- Data Protection Officer – under the GDPR, unless you process large quantities of personal data on a day-to-day basis, or highly sensitive data, there is no longer a requirement to appoint a Data Protection Officer. However, organisations will still need to ensure that the internal record-keeping requirements are met.
What should you do now?
Your organisation must not ignore the GDPR. Failure to comply could result not only in a major financial hit, but also in potential loss of reputation or even a ban from trading in certain jurisdictions. As mentioned above, you could also be subject to an external review to ensure your organisation has the necessary internal compliance procedures in place.
Make sure key individuals within your organisation understand the implications of the new regulation, how it will affect your business and what is needed to ensure compliance by the enforcement date in May 2018.
Successful compliance will require you to consider many issues. For example:
- What data do you currently hold?
- What procedures are in place to deal with subject access requests and deletion requests?
- Are your privacy notices up-to-date?
- Are your consents up-to-date?
- What processes do you have in place to report and investigate data breaches?
Complying with the GDPR is no small job. Your organisation needs to start now to minimise the risk of a regulatory breach and a potentially large financial penalty.
Contact Christopher Beveridge if you would like a free introductory call or follow-up meeting to find out more about the GDPR or how our expert Information & Cyber Security team can support you.