Upcoming EU data protection regulations will have a global impact. The General Data Protection Regulation (GDPR) comes into effect in May 2018. This is European Regulation will pass straight into law in 28 European countries and will not be subject to the slower process of passing into individual country legislation as with European Directives. 

GDPR introduces key changes to data protection law that law firms and commercial enterprises must be aware of. One of the more important changes is the broadened definition of personal data. Under GDPR, any data that might identify an individual is now considered personal data. Biometric data, genetic data and data relating to the cultural or economic aspects of an individual now come within the remit of the law. 

The regulation will apply to any organisation, anywhere in the world that processes the personal data of European Union (EU) citizens. In effect, this makes the GDPR a global data protection compliance challenge and time is running out to meet it. GDPR will come into effect in the UK before Brexit, but it is unclear what will happen after the UK leaves the European Union. The UK and US may decide to establish a privacy shield framework to work under, similar to the Swiss-US privacy shield, so organisations with a toehold in the UK need to keep a close eye on developments.

Best Practice for mitigating risk

The ability to identify and find personal data will become critical. Organisations that contravene the new regulations face fines of up to €20 million or four per cent  of global annual turnover for the preceding financial year, whichever is greater. A best practice approach will mitigate the risks of GDPR breach:

• Conduct a privacy impact assessment (PIA). PIAs have always been good practice but the GDPR makes them mandatory. A PIA should provide a clear picture of the location of all the data in your organisation and map out every data flow. It is advisable to automate as much of this data discovery process as possible. The UK information Commissioner’s office has useful guidance on PIAs. Any investment in resource to automate data discovery ahead of GDPR will pay dividends later on in reducing discovery overhead cost. Map current data collection activities against the rights mandated by GDPR – including the rights of individuals to access their personal data and to be forgotten. GDPR extends the liabilities associated with processing data. Organisations that provide services based on processing data and even individuals with a data-processing role within organisations must be clear on their responsibilities and the rights of data subjects. 

• Make privacy matter at board level. The fines for transgressing GDPR are crippling and pose a major risk to any organisation.  Top management needs to take a lead on driving a ‘privacy by design’ approach within the organisation. This means that any initiatives to redesign business processes or collect new data must build in GDPR compliance from the start.

• Get the balance right between retaining data for discovery purposes and data minimisation. The GDPR principle of data minimisation is more stringent than previous European data protection regulation. Not only must organisations not keep data for any longer than necessary but also they must not alter the use of the data they have collected without requesting consent from the data subject for the new usage. Data subjects have a new ‘right to be forgotten’ and organisations must have in place clear processes for deleting data subjects on request. These rights supersede any requirements organisations might have for holding onto data for discovery purposes.

• Appoint a data processing officer (DPO). The GDPR mandates that public authorities – and organisations whose ‘core activities’ call for either ‘regular and systematic monitoring of data subjects on a large scale’ or ‘processing on a large scale of special categories of data’ – appoint a DPO. The International Association of Privacy Professionals estimates that this will result in the appointment of as many as 28,000 data protection officers (DPOs) in Europe and the US.

• Revisit consent mechanisms. Legal professionals and their clients will need to take account of more stringent requirements for obtaining the consent of the data subject for storing and processing their personal information. It is quite likely that previous mechanisms for obtaining consent won’t be up to the requirements of the new regulation. This may be an issue particularly when it comes to data that is then used in automated data processing systems, from customer relationship management systems through to discovery solutions.