In December 2015, the European Parliament and Council agreed on a General Data Protection Regulation (GDPR) in order to update and harmonize data protection laws throughout the European Union, replacing the current EU legal framework in its entirety.
While much attention has been focused on the Safe Harbor’s invalidation and the new EU-U.S. Privacy Shield agreement, the new GDPR rules portend a more far-reaching impact for companies doing business in Europe.
Five GDPR requirements stand out:
1) Mandatory data-breach notification. Starting in 2018, companies that experience data breaches will need to notify regulators and the individuals whose personal data was compromised. Companies will most likely want to avoid the negative publicity of these disclosures. As a result, we expect to see multinationals gradually ramp up comprehensive risk assessments, end-to-end security enhancements, and outsourced managed security services, similar to what happened in the United States after mandatory data-breach notification was introduced there.
2) Right to be forgotten. A new so-called “right to be forgotten” or right to erasure could impose a significant burden on companies with personal data stored across multiple systems. The new requirement gives individuals, in certain circumstances, a right to request that data stored about them be erased. If these requests only trickle in, companies may escape a large operational impact by processing them manually. But if the new right proves popular, companies may need to maintain comprehensive data inventories, accelerate data-governance strategies, and potentially re-architect key systems in order to process these requests more efficiently.
3) Privacy impact assessments. The GDPR will require companies to conduct data protection impact assessments (DPIAs) where their data processing operations are highly invasive. EU regulators will create a list of operations that are subject to the rule, and we expect this to include marketing activities based on advanced profiling and analytics. To meet this new requirement, privacy operations may need to extend beyond the legal office, where they have traditionally resided, into the day-to-day processes of European businesses.
4) Privacy by design and default. Up until now, European businesses have generally deployed privacy by design on a limited basis within some parts of their operations. Going forward, European regulators will expect that the most privacy-friendly settings or postures (such as those governing how personal information is collected, retained, and shared) will be built into new products, devices, and business processes. As the flip side of DPIAs, privacy-by-design requirements may give rise to a need for privacy engineers to embed privacy features throughout the daily operations of their businesses.
5) Mandatory Data Protection Officers. The GDPR will require large companies to appoint data protection officers (DPOs) if their core activities consist of large-scale, systematic monitoring of people. The role can be filled either by employees or by contracted talent. In the European Union's experience with data protection to date, the DPO role has typically been held by an attorney. The broad impact of the GDPR on technology and business processes, however, will effectively require DPOs to have expertise in those areas as well, along with project and program management skills such as risk assessment and compliance monitoring. Senior executives with this type of resume are in short supply in Europe, portending a privacy talent grab over the next two years.
As the fining capacity for egregious violations of the GDPR bumps up to four percent of global annual revenues in early 2018, companies with operations in Europe should already be initiating their GDPR readiness assessments in order to complete their gap remediation before the deadline.