General Data Protection Regulation part I
9 March 2017
The General Data Protection Regulation, generally referred to by the unpronounceable acronym GDPR, conceals serious threats behind its bureaucratic and bland language. The first is the scale of the potential penalties, referred to almost benignly as ‘Administrative Fines’, which can be imposed directly by data protection authorities or commissioners without going through the courts. Those fines can go up to €20 million or 4% of the previous year’s total turnover, whichever is higher, and that turnover is counted worldwide. Multinationals doing business in Europe are just as liable as EU organisations. The GDPR actually states that such fines must be “…effective, proportionate and dissuasive.” In other words, pour disencourager les autres, or making an example of transgressing organisations.
Readers will be relieved to hear that those really big fines are for the top category of non-compliance. A second tier of Administrative Fines only goes up to €10 million or 2% of total annual turnover, again whichever is higher. Yet in fairness this is a direct continuation of the principles of the Data Protection Directive, which goes all the way back to 1995, so business, and international trading entities especially, should not be taken by surprise. SMEs across the EU may be, to some extent, because the GDPR imposes conditions they may not have taken all that seriously up to now.
The other threat is the deadline: the GDPR applies unequivocally across the EU from 25 May 2018. Clearly, some organisations will just glide through. But many will have a lot of work to do and very probably too little time if significant re-design and re-architecting of IT systems is required. There is already, as TechPro readers know all too well, a serious set of skills shortages across many specialist areas in Irish IT. Another factor, now that most organisations depend on consultants and managed services providers rather than in-house teams, is that many of those firms already have pretty full order books and are also suffering from the same skills shortage.
Colin Rooney, partner in law firm Arthur Cox, says that “The new General Data Protection Regulation, which represents the largest shake-up in data privacy law for over 20 years, will come into force across Europe on 25 May 2018. In that sense it is not really new, because the countdown has already begun and the practical implications for organisations require that decisions be made as soon as possible.”
It is also not new in terms of general EU policy towards data protection, which spans many elements; the GDPR is focused primarily on personal information. “It can be seen in two ways, both of which have implications for large corporates, such as many of our typical clients,” says Colin Rooney of Arthur Cox. “The main driver is in many ways the harmonisation of personal data protection across the EU, while the second is the provision of a legal system of enforcement of the rules and penalties for transgressions. In many respects, the key change is that enforcement. It remains to be seen how strict it turns out to be in practice — and the actual penalties.”
Derogations and regulations
There are lots of derogations, and where employment law is involved each state will retain its own regulations, he explains. Smaller companies are generally exempted from a lot of the obligations, but not if they are suppliers of what are deemed essential services or digital services.
A major concern of corporate clients, Rooney points out, is in what jurisdiction their ‘main place of establishment’ is or is deemed to be. “The criterion is where the data protection decisions are made in relation to personal information held by the enterprise. Now that may be assumed to be where senior management works and the board meets. But it may not be so. You could have your head office in Ireland and the relevant decision making in another EU country. Note that it is not the same as where that data is held or where the CIO or similar senior manager works. It’s where the decisions are made.”
“Why is this relevant? Simply, but importantly, because it will determine which data protection regulator your organisation comes under. Currently, for a variety of reasons, enterprises with an English language culture — American, as well as from these islands — would generally prefer Ireland or the Netherlands as opposed to, say, France or Germany. Germany in fact still has 17 regional regulators but no national or federal one.”
Rooney says business leaders should think of the coming GDPR regime in two ways: “From the enforcement perspective it is like competition or anti-trust law. But from a general business law and planning point of view, it is more like tax law, requiring a board-level understanding and strategic policy approach.”
Fujitsu’s Mark Stollery starts with a warning note: “There is a deadline looming in May of next year, yet many organisations are hardly even at first base with what could be a lot of work to comply with new obligations and changes in about 14 months. Some aspects of GDPR will, in fact, be relatively easy, but others may impose huge new changes in ways of working in order to comply.