All businesses are now bound by the EU’s General Data Protection Regulation (GDPR), even if they keep only limited information on customers or outsource data processing to third parties.
The EU’s General Data Protection Regulation (GDPR) is designed to protect EU citizens from data grabs, security breaches and loose business practices, but its effect will be to radically transform how businesses—as well as public bodies, charities, voluntary associations, and even some individuals—think about the information stored on their systems.
In today’s connected world it is impossible to imagine even the smallest micro-business operating without some IT-based data storage and processing, from an online calendar to a web ordering app or a simple Facebook page, to the backbone of business in accounting and finance, right up to complex customer-relationship management (CRM) and enterprise resource planning (ERP) systems.
Ireland’s Data Protection Commissioner, for example, says that anyone who answers yes to the simple question “Do you keep or process any information about living people?” is a Data Controller. As the GDPR is a uniform law across the EU, this applies to all 28 EU member states, including the UK. As a result, from May 25, 2018, any business that keeps any personally identifiable information about any individual living in the EU will be designated as a Data Controller.
Data Processors, meanwhile, are also subject to the GDPR, meaning cloud service providers must be compliant with the Regulation. This is a sea change in EU law and plugs a significant loophole. Under previous EU data protection legislation, service providers that process personal data on behalf of other businesses were not held directly liable to individuals for any breach of data security. As a result, even if data processors were at fault, the data controller who contracted them was held responsible for non-compliance.
Following the implementation of the GDPR in 2016—which comes into full force in May 2018—both parties are liable.
And under the GDPR a breach does not even need to occur in order for fines to be levied. Non-compliance with the GDPR could lead to fines of up to €20 million (approx. £17.2 million), or four per cent of annual, global turnover for the preceding financial year, whichever is greater.
Outsourcing data controlling and/or processing is a natural direction for many businesses to take when faced with data protection issues, and while doing so will continue to greatly ease compliance, it is no longer a “fire-and-forget” solution.
For a start, any entity that is a processor under the outgoing data protection directive and its local implementations in the various EU member states likely continues to be a processor under the GDPR. Some differentiation is made between data controllers and processors, but both will be subject to enormous penalties.
Data controllers that breach the rules on personal data processing (set out in Article 5 of the GDPR) can be served with the highest possible fine: €20 million or four per cent of annual, global turnover. If Data Processors, meanwhile, breach their statutory data security obligations, set out under Article 32 of the GDPR, which requires them to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, they will be penalised with fines of up to €10 million (approx. £8.6 million) or two per cent of annual, global turnover.
In either case, the fines are at a potentially bankrupting level.
The first step in getting ready for the GDPR is to recognise that you are a data controller and that even if you outsource data processing, you are still liable for penalties and subject to its provisions at every level of your organisation. “This is a legal situation, not an IT one,” said Gavin Peacock, Group CEO of TRC Solutions. “If May next year comes around and you do not have a plan, you are leaving yourselves open to fines,” he said. “Organisations need to recognise that banal, daily activities that every business engages in result in becoming a Data Controller.”
“It’s a reminder that you have a duty of care. There will be legal precedents, such as keeping invoices for a certain amount of time, but you will have a situation where anybody that sends newsletters, emails clients or takes calls from suppliers is liable,” he said.
Of course, despite not being a technical problem, the solution to GDPR compliance includes technical measures. First and foremost is getting control of data, which is likely at present sitting “siloed” across different departments with unconnected or barely connected discrete systems.
Once a business has accepted that it is liable under the GDPR as a data controller or processor, or possibly as both, the only sensible solution is to rationalise what data is held, who holds it, for how long, and how it can be retrieved or removed.
The severe penalties should not be seen as a punitive assault on business, says Peacock. “If you have a plan, if you’re on a journey, then you’re in the right place”.
“This legislation is not designed to bring companies and countries to their knees, but it has been authored in such a way that anyone who puts their head above the parapet can be censured very quickly and very severely.”