Boards need to get to grips with the General Data Protection Regulations, quickly.

Boards need to get to grips with the General Data Protection Regulations, quickly.

General Data Protection Regulations were published on the 4 May 2016. Boards need to get to grips with them and have reports on compliance quickly. Why?

The fines for non-compliance are up to 4% of global annual turnover or €20 million of the preceding years turnover whichever is higher.

The scope of the Regulations are extra-territorial. Irrespective therefore of where the data of an EU citizen is processed, about the goods or services they use (even if no payment is required) or any monitoring of their behaviour in the EU will now all come within the new controls.

The old concept of a Data Processor (the doers) and Data Controller (owners of the data) which was well-used by all outsourcing organisations to reduce compliance effort is now to be modified and direct regulations and supervision placed on the processor by the supervising authority.

The Data Controller needs the Data Processor to provide sufficient guarantees that it has the technical, security and organisational systems to meet the regulations.

Outsourcers will now be looking at their change of law clauses and coming back to their clients with claims for compliance. In return Clients will argue this regulation has taken four years to pass the Parliament, you as a competent provider must have known of its existence and compliance is your issue. Either way, I see a lot of interesting debates and negotiations between the parties. Assuming that not everything is won in a negotiation and that organisations will have to change some of their procedures and behaviours the Board should be looking at creating large compliance budgets in the next two years.

Consent from the individual who is the subject of the data is another area that will require careful management. It must be a “freely given, informed and unambiguous indication of the data subject’s wishes” it must also be in the form of a “statement or by a clear affirmative action”. Would the London health authority that shared their anonymised data have permission to do so under these regulations? I cannot say without looking at all the contracts and consent forms.

The Regulations having been published will apply effectively from the 25 of May 2018. It replaces the Data Protection Directive 95/46/EC. Wrekin Consulting is able to assist companies with a compliance review or negotiation of various agreements.

Leave a Reply