GDPR: How will it affect you?
DLA Piper lawyers Patrick Van Eecke and Peter Craddock discuss the data protection landscape in advance of Data Protection Day on January 28th
Privacy is a hot topic today. Through the Snowden revelations, we were faced with the fact that wherever we may be, someone may be listening in.
When the EU Court of Justice allowed a man to be "forgotten" online, we realised that we, too, might want to avoid the case where everyone knows everything about us. Large-scale hacks also featured regularly in the news, and it seemed that data security took a back seat in many instances.
And when certain social networks started to show adverts from websites we visited just minutes before, we discovered that we were being tracked. To many, the right to privacy is now an illusion.
Fortunately for individuals, the law is changing. The EU has adopted a wide-ranging General Data Protection Regulation (GDPR), which will enter into effect in May 2018, and has published a proposal for an E-Privacy Regulation that will notably change the way Internet of Things devices and internet-based communications are allowed to function and to use data.
The EU and USA came to an agreement on a new data protection self-certification scheme, the Privacy Shield, meant to replace the Safe Harbor framework that was struck down as a result of the Snowden revelations and a long court battle. Countries around the world are going in a similar direction: Brazil has a draft Data Protection Bill pending, Argentina has adopted new rules on international data transfers, Singapore has been ramping up its enforcement efforts, etc.
For companies and organizations, this can present both challenges and opportunities. Understanding the exact way in which the GDPR will affect you may seem difficult, but an impact assessment followed by a gap analysis can give you a good idea of how mature your organization is in data protection terms, what your goal for May 2018 should be and which actions you need to follow through to reach that goal.
DLA Piper launched its Data Privacy Scorebox a year ago to give companies all over the world the chance to assess their data protection maturity. To date over 250 organisations have responded and the responses so far have been encouraging: almost all companies are aware of this as a priority issue, and are well on their way to meeting the requirements of the GDPR.
This week we will be releasing a report based on our analysis of the Scorebox responses so far, in advance of International Data Protection Day (Data Privacy Day in the US) on January 28th. The principal recommendations are firstly that this is an issue affecting all sectors, and secondly that companies need to invest in a data protection strategy now, for the long term.
Taking measures to safeguard personal data confidentiality and security and putting in place a data breach notification system may seem expensive and demanding in terms of time and resources, but those amounts will likely pale into insignificance next to the reputational impact of data theft, coupled with forthcoming fines under the GDPR. Bear in mind that in the eyes of consumers and employees, privacy is the new green, and businesses are already turning data protection measures into a commercial argument.
2017 has barely started, and May 2018 may seem a long way away. Consider, however, that while the principles of data protection do not take long to read, creating awareness and implementing change within an organization takes longer - and adapting processes where necessary is no easy task. So saddle up, dust off your old privacy policies and embark on your data protection journey. Implement forward-looking measures today to avoid fines and reputational loss tomorrow.
After all, whatever your role, your organisation processes your own data. How would you like it to be processed?
Patrick Van Eecke is a partner and global co-chair of the DLA Piper e-business practice. Peter Craddock is a lawyer specialising in technology and based in Brussels, also with DLA Piper.