With the introduction of the GDPR under a year away, how can finance directors prepare their organisations to take advantage of the new regulation? Sarah Pearce, Ann Bevitt and Jane Elphick, of law firm Cooley LLP, discuss the key issues.
Many finance directors will already be feeling the burden of the General Data Protection Regulation (GDPR), a new EU law that applies from 25 May 2018 and will revamp the way the collection and use of personal data is regulated. The GDPR will come into force in the UK regardless of Brexit, and it will affect organisations of all shapes and sizes across the globe that process the personal data of individuals in the EU.
Since the release of the final text last year, much commentary on the GDPR has focused on the substantial increase in the cost of non-compliance: fines of up to €20m or 4% of total worldwide annual turnover, whichever is higher.
The reality, however, is not as stark as many commentators suggest, and the regulation even presents significant opportunities for those organisations willing and able to seize them.
Organisations will no longer be required to register with (or notify) a data protection authority in each Member State in which they are established, a formality that had become little more than that. Instead, under the new "one-stop-shop" mechanism, an organisation with establishments in more than one Member State will deal primarily with a single lead supervisory authority, that of the Member State in which it has its main establishment.
Because the GDPR is a regulation (directly applicable in all Member States) rather than a directive (which each Member State transposes into its own national law, with some flexibility), the intention is that the principles underpinning the GDPR will be applied and enforced consistently throughout the EU.
The not so bad
Given that the EU consists of 28 Member States (ignoring Brexit for now), the idea of harmonisation across them all is clearly attractive. In addition, the level of standardisation that the GDPR is intended to provide will, in theory, allow organisations to follow one set of rules no matter where they are. That said, in practice there may still be quite a few "local differences": processing in the context of employment, for example, will continue to be regulated at individual Member State level, by local law and/or collective bargaining agreements.
Cross-border data transfers
Here the implications of the GDPR are broadly good for organisations. Firstly, binding corporate rules, together with approved codes of conduct and certification mechanisms, are finally expressly confirmed as valid methods of legitimising otherwise prohibited transfers of personal data outside the EEA (European Economic Area). There is also a new, narrow ground of "compelling legitimate interests" for occasional transfers: it is available only for non-repetitive transfers concerning a limited number of data subjects, where no other basis applies, and the supervisory authority must be informed.
The GDPR will require a wholesale review of data handling and processing procedures. This presents a great opportunity to review and map data flows, and restructure or reorganise them not only for compliance, but also for business efficiency.
The GDPR has gone some way to clarifying certain key concepts such as anonymisation and pseudonymisation. The regulation confirms that the principles of data protection do not apply to anonymous information, i.e. information that does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a way that the data subject is not, or is no longer, identifiable. Pseudonymisation (processing personal data in such a manner that they can no longer be attributed to a specific data subject without the use of additional information, such as a code or a token, provided that this additional information is kept separately and protected by technical and organisational measures) is encouraged by the GDPR and listed, alongside encryption, as an "appropriate safeguard" for processing personal data. One caveat worth stressing: pseudonymised data remains personal data, because the individual can still be identified with the additional information, so the GDPR still applies to it in full; only genuinely anonymous data falls outside the regulation.
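The distinction between the two concepts is easy to state and easy to get wrong in practice, so the following Python sketch is added here as an illustration (it is not from the article or from Cooley LLP). It pseudonymises a constructed set of customer records with a keyed token (HMAC-SHA256 of the e-mail address), keeps the token-to-identity lookup table separately as the "additional information", and shows that an unkeyed hash is not a real pseudonym because anyone with a list of plausible e-mail addresses can reverse it. It then produces an anonymised aggregate, suppressing small groups. The records, keys, function names and the k-threshold are all assumptions of mine for the example.

```python
"""Pseudonymisation vs anonymisation on constructed sample data (added example)."""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records; the people and addresses are made up.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "city": "Leeds", "spend": 120},
    {"name": "Bob Example", "email": "bob@example.com", "city": "Leeds", "spend": 80},
    {"name": "Carol Example", "email": "carol@example.com", "city": "Hull", "spend": 300},
    {"name": "Dan Example", "email": "dan@example.com", "city": "Leeds", "spend": 45},
]

# Fields that identify a person directly and must leave the working dataset.
DIRECT_IDENTIFIERS = ("name", "email")


def make_token(key: bytes, email: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the normalised e-mail under a secret key.

    Without the key (or the lookup table built alongside it) the token cannot be
    turned back into an identity, which is what the GDPR definition requires."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def naive_hash_token(email: str) -> str:
    """Unkeyed SHA-256 of the e-mail: deterministic and guessable, so NOT a safe pseudonym."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def pseudonymise(records, key: bytes):
    """Return (working rows without direct identifiers, lookup table token -> identity).

    The lookup table is the 'additional information' and must be stored separately
    from the working rows, under its own access controls (assumed, not shown)."""
    rows, lookup = [], {}
    for r in records:
        token = make_token(key, r["email"])
        lookup[token] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        rows.append({"subject": token,
                     **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return rows, lookup


def reidentify(row, lookup):
    """Re-attribute a pseudonymised row using the separately held lookup table."""
    return lookup.get(row["subject"])


def dictionary_attack(tokens, candidate_emails, token_fn):
    """Attacker model: recompute tokens for guessed e-mails and match them.

    Succeeds against unkeyed hashes; fails against HMAC tokens unless the key leaks."""
    table = {token_fn(e): e for e in candidate_emails}
    return {t: table[t] for t in tokens if t in table}


def anonymise(records, k: int = 2):
    """Aggregate spend per city and suppress any group with fewer than k people.

    Aggregates with no link back to individuals are anonymous; the k-threshold
    (an assumption here) stops a one-person 'group' leaking that person's spend."""
    groups = defaultdict(list)
    for r in records:
        groups[r["city"]].append(r["spend"])
    return {city: {"count": len(v), "total_spend": sum(v)}
            for city, v in groups.items() if len(v) >= k}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # would live in a KMS/HSM, separate from the data
    rows, lookup = pseudonymise(RECORDS, key)
    print("pseudonymised row:", rows[0])
    print("re-identified with lookup:", reidentify(rows[0], lookup))
    guesses = [r["email"] for r in RECORDS]
    print("dictionary attack on HMAC tokens:",
          dictionary_attack([r["subject"] for r in rows], guesses, lambda e: make_token(b"wrong", e)))
    print("dictionary attack on naive hashes:",
          dictionary_attack([naive_hash_token(r["email"]) for r in RECORDS], guesses, naive_hash_token))
    print("anonymised aggregate:", anonymise(RECORDS, k=2))
```

The point the code makes for a finance director's data-mapping exercise: the working dataset can be handed to analysts or a processor with the tokens only, but the organisation is still processing personal data for as long as the key and lookup table exist, and a token scheme with no secret gives no protection at all. Only the aggregate at the end is outside the regulation.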
For companies willing to think outside the box, new(ish) concepts such as privacy by design, profiling and data portability present the opportunity not only to innovate, but also to build customer trust. Further, organisations able to take advantage of pseudonymisation and encryption, or better still to anonymise personal data, will reduce their risk of non-compliance. Alongside its people, data is now often the most valuable asset a company holds; the GDPR recognises this and attempts to bring the law up to date with the real world as far as possible.
So, in a nutshell, the benefits of the GDPR are multiple: a reduced regulatory and compliance burden for companies not undertaking risky processing, or for those that employ appropriate safeguards, and greater clarity about the obligations on all organisations. The regulation also gives companies the opportunity to take control of their own compliance, rather than registering with each applicable data protection authority, which, for organisations that work across multiple borders, is very time consuming and expensive.
Yes, the penalties have ratcheted up to a far higher level, but companies that "get their house in order" and behave properly should not have to face them. Nevertheless, there is no room for complacency. May 2018 is not far away, and there will be considerable work to be done in many organisations, much of which will need to be led by finance directors.
Sarah Pearce and Ann Bevitt are partners, and Jane Elphick is associate, at law firm Cooley LLP.