With just days to go before the new EU General Data Protection Regulation (GDPR) comes into force on 25 May, your inbox has probably been inundated with messages from various firms asking you to confirm your consent for marketing their respective services and products. For many, this would have been the most visible and tangible impact of GDPR so far.
While the recipient might feel overwhelmed by the avalanche of emails, through this exercise firms are conducting themselves in a professional manner to ensure compliance with GDPR requirements. GDPR has become something of a buzzword in recent months, but what is GDPR exactly?
In broad terms, it can be described as an omnibus data protection law that builds on, expands and ultimately replaces the EU Data Protection Directive. The GDPR gives individuals new rights over their data and heightens the accountability of entities collecting, storing, analysing and managing personally identifiable information. This covers any information relating to an identified or identifiable natural person, such as a name, an identification number, location data, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. It also includes online identifiers, such as an IP address. A data subject can be a customer, employee, contractor or third party.
Who will be affected by GDPR? The GDPR process itself will not have much effect on individuals. Their role will be limited to deciding whether to opt in to or opt out of direct marketing, to electing whether or not to receive a firm’s communications, and to being aware of their power to exercise their GDPR data privacy rights.
The effect of GDPR on firms is, on the other hand, more impactful and wide-ranging. It will affect any organisation that processes the personal data of EU consumers and clients. GDPR will introduce stricter rules governing privacy, user consent and the notification of data breaches. It will also put the onus of specific privacy requirements in the hands of entities collecting, storing, analysing and managing personally identifiable information.
Broadly, firms will need to provide easier access to personal data, with clear and understandable information on its processing, use and storage. In addition, it will call on companies to ensure that major requirements and concepts are in place, such as conducting data protection impact assessments; abiding by data privacy accountabilities; appointing a data protection officer; implementing the privacy by design concept; complying with the 72-hour breach notification; having adequate systems and procedures to comply with any rights over personal data exercised by individuals; and providing appropriate consent options. Each requirement by itself is demanding, but in aggregate the GDPR is very onerous.
How should you implement the GDPR?
GDPR should be viewed as an integrated exercise set within a firm’s overall privacy risk management framework. It touches on all aspects of an organisation, reaching across people, processes and technology. For this to work well, it is imperative that a cross-functional and cross-business team that supports the transformation of the firm is put in place.
The first step is assessing applicability: here, a risk-based (not just legalistic) assessment is strongly suggested. For firms impacted by GDPR, it is important that the right governance and program structure is up and running from the outset.
Secondly, a thorough GDPR gap assessment is needed, one that reaches across the swathe of affected businesses and functions. The assessment would focus on a review of current working practices in relation to people, processes and technology, resulting in the identification of GDPR gaps and risks, and recommendations to address such gaps.
EY has developed its own proprietary framework, which links risk management, compliance, privacy and governance with key privacy domains to place privacy in the context of a firm’s business and information technology strategy. The framework allows firms to set their privacy strategy within the context of the firm’s overall business and IT strategy, and to focus on program effectiveness; privacy risk management; compliance and monitoring; data and breach management; and people and culture.
GDPR will be one of the topics covered during a morning event titled UPTOSPEED on 24 May at the Westin Dragonara Resort. Interested parties can register by sending an email to [email protected].
Ms Sciortino is Associate Partner, Advisory, at EY Malta