EU Data Protection rules are set to change

Appeared in Connect Jersey, April 2017

David Carney, PwC - Director, Risk Assurance

After four long years of political negotiations and lobbying, the EU agreed the wording of the "General Data Protection Regulation" (GDPR) in December 2015. This will impact every entity that holds or uses European personal data both inside and outside Europe. The GDPR will have a profound effect on how personal data is obtained, processed, stored and disposed of when it’s implemented in May 2018.

Significantly, unlike the current regime, the GDPR extends to any organisation located anywhere in the world if it offers goods or services into the EU or captures personal data on EU citizens, irrespective of whether it has a presence in Europe.

Jersey is a trusted location for international data, and it’s important that our data protection regulations stay appropriate and robust so that the Island remains competitive. The Island has therefore committed to enact equivalent legislation in line with the GDPR to ensure that it maintains its ‘adequacy’ status.

The key changes that GDPR introduces

The GDPR will give individuals an increased level of control over their information. Key issues businesses need to be aware of:

  • Usage controls – Personal data will be subject to strict new usage controls. These include “data minimisation”, “data portability” and “right to be forgotten” principles, which will require organisations to limit the use of data, to enable individuals to take their data with them at the end of a relationship and to delete and destroy data on request.
  • Data protection by design – Businesses must implement appropriate technical and organisational measures and procedures to ensure that processing safeguards the rights of the individual by design.
  • Consent – Obtaining consent to use personal data will be much harder to achieve and prove.
  • Potential for brand damage – Firms must disclose high-risk data breaches within a 72-hour timeframe, exposing them to potential embarrassment and brand damage.
  • Supervision – Regulators will have increased powers to carry out audits and inspections of businesses. 
  • Fines – The consequences for businesses of not complying are significant, potentially involving fines of up to the higher of €20m or 4% of total worldwide turnover.

How this impacts your business

You need to understand the type of data that your business is collecting and processing and the associated risks. We advise that you first conduct a review of what data is held by your business, including where it’s held and how it’s processed. In fact, PwC’s expertise in this area covers the legal, consulting and assurance aspects of the GDPR, in order to provide a one-stop service relevant to your organisation. Those who consider their future strategic plans when determining their response will benefit most from the new regulations.

The bigger picture

Whilst many individuals freely share personal data on social media, there’s a growing awareness surrounding data privacy, particularly in relation to more valuable data like identity, financial and medical records. Customers expect you to have strong controls and good data hygiene and it only takes one incident to create long-lasting reputational damage. The GDPR will accelerate this movement as individuals gain greater control over their privacy.

The GDPR raises fresh challenges for Jersey, but also provides an opportunity to react effectively and develop it as a competitive strength. An effective response to the GDPR will take time and it’s vital that businesses are engaged and fully prepared.
