:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/VKPW2GDY65X2P5VRTD7JAR3FYQ.jpg)
:fill(white):background_color(white)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/QGSZQFF57APFUB6UH4BC47M3DE.png)
May 25th, 2018, is a date which every organisation should have highlighted on its calendar. It marks the coming into force of the EU General Data Protection Regulation (GDPR), which brings in a range of new obligations for organisations which hold personal data, along with fines of up to €20 million, or 4 per cent of global turnover, for breaches.
“The GDPR was under development for four years and is reputed to be the most lobbied piece of legislation ever to go through the EU,” says Rob Corbet, head of technology and innovation at Arthur Cox. “People are probably very aware of the fines and from an EU perspective it’s probably job done in that respect.”
But there is a lot more to it than just fines. “It is a difficult piece of legislation to operationalise. There are 99 articles compared to 34 in the previous directive. The existing regime dates back to a 1995 directive which didn’t have teeth. It was based around fair-use principles on personal information. The situation now is unrecognisable and the new regulation is forcing it onto the boardroom agenda.”
Corbet points to a key difference in approach as well. “The 1995 directive gave member states discretion in transposing it into local legislation. One upside of the GDPR is that there is going to be one single law for all 28 member states, but in reality, every member state does have to bring in some local law so there will still be differences to contend with after May 25th next.”
The regulation itself is enormously complex, with 99 articles and nearly 200 recitals. There were only 34 articles and 72 recitals previously. It’s the way they do law in the EU, according to Corbet. The legally binding bits are the articles while the recitals are effectively the explanatory notes.
“It was negotiated to within an inch of its life and there were a number of last-minute changes,” he notes. “We are acting for lots of different clients who are challenged in different ways. They want to know where and how they should start to prepare and there are lots of organisations out there claiming to offer magic-bullet solutions for GDPR compliance. There aren’t any magic bullets. But there is no point in being paralysed by fear.”
He also points out that while there will be significant changes, the principles of data-protection have survived. “It is an evolution,” he says. “What is changing is the new obligation to be able to demonstrate compliance. And there could be an awful lot of demonstrating required.”
Houses in order
The expectation will be that organisations have their houses in order. The GDPR requires them to maintain records of personal data they hold as well as to have policies and procedures in place for how it is stored and used and so on.
Corbet says another area that organisations should probably think about now is third parties that they share data with. “Article 28 specifies the contractual requirements that need to be put in place there and this will have to be addressed before the regulation comes into force.”
He also points out that while the fines are potentially ruinous, there are other areas of concern. “We have seen in areas like competition law and state aid rules that the Commission is willing to impose fines of billions of euro when it sees fit. But nobody is expecting €20 million fines being dished out willy-nilly. But one area of concern with the regulation is the right of individuals to compensation even when there has been no material loss. You will not have to prove material loss to be entitled to compensation. The courts in Ireland haven’t awarded damages for data-protection breaches up until now but that will change from May 25th next.”
That is clearly a risk that organisations will have to prepare for and it is not too late to start that process.
“If you have done nothing yet it’s not too late,” says Corbet. “But keeping your head in the sand is not a good idea. If you do one thing, it should be to identify the top three risky areas of data protection in the business. Do a data-protection impact assessment and identify risk and mitigation measures that you are putting in place to reduce it. We are providing assistance to our clients to help identify the priority areas and to address them strategically and cost-effectively.”