The GDPR will thus make it easier for both European and non-European companies to comply with data protection requirements. In addition to giving a common approach to privacy, unlike the existing Directive, the new Regulation covers both cloud computing and social media, and provides common levels of fines for breaches. It also covers all organisations operating in Europe irrespective of where the data is stored. As proposed, organisations will have to:
• Collect explicit consent to collect data from data subjects (the data subjects must 'opt-in') and facilitate the subject's wish to withdraw that consent
• Be able to delete all customer data at the request of the data subject, a provision known as "Right to Erasure", unless there is a legitimate reason for its retention
• Provide data subjects with a clear privacy policy
• On request, provide data subjects with a copy of their personal data in a format that can be transmitted electronically to another system
• Undertake an annual risk management/analysis, detailing both the risks identified for data breach/loss and steps taken to alleviate those risks
• Establish which is to be the Single Data Protection Authority (DPA) for the organisation. This may be in any member state (it is expected that the UK and Ireland will be most popular because of the use of English language)
• Appoint a lead authority Data Controller to be responsible for all processing operations across Europe
• For public bodies and organisations processing more than 5,000 data subjects, appoint a Data Protection Officer within 12 months of the Regulation being adopted
• Document fully any breach, and notify the appropriate authority 'without undue delay'. It is expected that the authority will decide whether the organisation should notify data subjects if any 'adverse impact' has been determined
Huge penalties
For a 'negligent breach' privacy or loss of data it is proposed that a company can be fined up to 5% of annual revenues to a maximum of €100 million (£79 million). It is the potential severity of these fines that make the Regulation so significant.
The implications of failing to comply are so strong that organisations will do everything within their power to ensure that they do so. It has been proposed that the data controller (i.e. the organisation) and cloud provider will take joint responsibility should any breach occur, giving yet further incentive to remain compliant.
All of which means, cloud providers have a real opportunity to prove their ability to keep data safe. The ones that do this best will surely flourish once GDPR comes into force.
- Mike Davis is Principal Analyst at msmd advisors and wrote a recent AIIM white paper on the European General Data Protection Regulations.
