The European General Data Protection Regulation (GDPR) will take effect in May 2018. This regulation should protect the privacy of European citizens in the fast-growing data economy. The law was already adopted in 2016, but now its implementation is also approaching. This causes panic among companies. Rumour has it that approximately half of the companies will not be ready by the deadline, which would theoretically risk penalties that could amount to up to 20 million euros or 4 percent of annual worldwide turnover, whichever is higher.
Let's not beat around the bush: the impact of the GDPR is huge and wide-ranging. Although the regulation does spare SMEs on a number of issues, the regulatory pressure is high for all companies that own or process personal data. Both large and small companies increasingly need to explicitly ask consumers to use their data, while at the same time give them the opportunity to withdraw this permission more easily. They are responsible for identifying their data streams and risk a high (or higher) fine if they do not report data leaks to the supervisor within 72 hours. In short, this new legislation calls for far-reaching administrative, technical and organisational measures.
The question is: wasn't this reorganisation necessary for most companies anyway? Efficient work requires an up-to-date housekeeping. Which data is collected? What is it used for? For what purpose and where is this documented? Are the IT systems secure enough? Which data may be removed, or, from a legal perspective, must be removed? Those who want to survive will need to have these matters in order. Not the nicest job, but it needs to be done. A major clean-up, so to say.
The upcoming privacy legislation puts pressure on the companies, but maybe this is just what some companies, especially SMEs, need. It will provide the necessary sense of urgency with the board, ensuring that funds are made available. However, at many companies, this sense of urgency unnecessary turns to panic. If they still haven't properly completed this major clean-up in one or several years from now, it will be more complicated. For now, it is still too early.
The GDPR will enter into effect in 28 countries. To ensure uniformity, the legislation has not defined every detail. The fact that there is a European working group actively crystallising certain matters and laying them down in policy guidelines says enough. The new legislation will outline the rules, but it is then up to courts, supervising authorities, companies and citizens to translate these into practice. And this requires a social debate, research and time.
Initially, there will be court cases, trial cases and verdicts regarding the big players, which will further determine the concrete interpretation of the legislation. It is unlikely that the supervising authorities will pro-actively start fining a medium-sized web shop, rental company or catering business as of May 2018.
If indeed a major data leak occurs that compromises the personal data of citizens, the size of the organisation is obviously irrelevant. However, that does not necessarily mean that the maximum fine will be imposed. For the European legislator and the Data Protection Authorities, it is important that companies handle the data as carefully as possible. Keyword in the GDPR is "accountability": a "data controller" must at all times demonstrate that it has taken appropriate technical and organisational measures to ensure the data processing required by the GDPR.
The second keyword is "appropriate": appropriate within the context of the company and the data processing that takes place. Even if appropriate measures have been taken, a data leak can still happen to any company. After all, we cannot arm our company as Fort Knox, completely sealed off from the outside world. When it goes wrong, the circumstances of the specific case will always be considered. If you can demonstrate that your company has taken appropriate administrative, technical and organisational measures, both preventive and reactive, this will have a mitigating effect.
The implementation of a new law implies looking for a balance between the various players. This requires a level of crystallising; not only for those who must comply with it, but also for the judiciary and the supervisory bodies. In my view, and contrary to some panic reports in the media, the Supervisory Data Protection Authority is not an upcoming police force, which is ready to write out fines to the entire business community as of May 2018. Yes, it will enforce the GDPR, however, not with the objective to raise as much money as possible. It will do so to give shape to a new social balance regarding privacy.
We are on the eve of a new chapter in how we deal with privacy. The outlines are there, but we are still waiting for them to be filled in. Should SMEs simply rest on their laurels? Definitely not. Use this sense of urgency to make your company future-proof. But do not panic because there is no need for that at this very moment.
Marion Bout, Head Legal & Compliance at Graydon, is a certified Information Privacy Manager, FIP member and Dutch chair of the IAPP, the International Association of Privacy Professionals.