EU Data Protection rules set to change
The harmonisation of data protection rules in the EU under the GDPR is aimed at giving individuals control over their personal data, writes Oliver Irwin. He says that companies need to act now to ensure they are ready for the May 2018 implementation date and do not risk the significantly raised penalties for breaches under the regulation.
The EU General Data Protection Regulation (GDPR) is a new regulation harmonising all existing regulations on data protection in the EU and updating them for the digital age. It will come into force in May 2018 and affect every organisation that processes EU residents’ personally identifiable information. EU GDPR is seeking to put people back in control of their personal data and improve the protections for personal data within organisations. Under EU GDPR:

• more entities will be regulated, including non-EU entities;
• compliance duties will be extended to evidence privacy impact assessments, privacy by design, data minimisation, the right to be forgotten and data portability;
• greater transparency is required, such as explicit consent and breach disclosure; and
• litigation risk is increased due to expanded enforcement powers, such as higher fines, class action lawsuits and increased compensation claims.

The EU GDPR significantly raises the bar: for serious breaches, the GDPR allows for fines of up to €20 million or 4% of total worldwide annual turnover (whichever is higher).
Oliver Irwin

Key aspects of EU GDPR
One of the new ambitions that the GDPR promotes is to give data subjects an increased level of control over their information. It aims to improve the control environment by ensuring that data controllers and processors are safe custodians of data through promoting behavioural change and monitoring the data lifecycle. Organisations will need to consider:

• Transparency: consent for processing personal data must be clear and explicit.
• Right to be forgotten: all relevant personal data has to be removed from all systems upon request.
• Data portability: the timely transfer of an individual’s personal data must be completed upon request.
• Mandatory breach notification: all breaches must be disclosed to the regulators within 72 hours.
• Storage: organisations must be able to demonstrate that they know where all personal data resides.
• Privacy by design: organisations should minimise the use and collection of personal data, and safeguards are expected to be built into new products at the design stage.
• Accountability: a Data Protection Officer must be appointed in certain cases.

In order to be ready for the GDPR, entities will need to (1) set their vision for data, (2) agree their strategy and (3) put in place the structures for achieving data protection compliance through operational change. These are not simply legal questions: getting ready for the GDPR requires multi-disciplinary skill sets. The emphasis should be on a risk-based approach to managing data through its lifecycle, and on leveraging technology to gain consistency, repeatability and scale.

Organisations should be in a position to answer what data is held, both within the organisation and by third parties, and to demonstrate the monitoring and management of data from creation through to retirement and disposal. At a minimum, organisations should understand:

• what data is collected, stored and processed;
• whether consent has been obtained from the data subject;
• where the data resides throughout the entire data lifecycle;
• who has access to personal data; and
• how to process the data appropriately in accordance with the EU GDPR.
Oliver Irwin is a manager at PwC Risk Assurance Solutions.
This article appeared in the April 2017 edition.