GDPR: will it be the global standard for data protection?
The EU’s landmark General Data Protection Regulation (GDPR) has the potential to set a new gold standard for data protection – considerably improving protections for consumers in the EU and internationally. With only 10 months to go before the GDPR comes into force, our advocacy experts consider the international opportunities and challenges that this may present.
The GDPR is an evolution from current EU laws, not a revolution. It enhances data subjects’ rights and regulators’ enforcement capabilities. One major change is that it will require all companies and organisations that process data from EU citizens to be compliant with the GDPR’s requirements. This alone will give the new regulation considerable international reach. Add in companies’ desire for standardised systems and seamless cross-border data management, and there is an even stronger incentive to harmonise practices.
Key points of the GDPR
- Stronger proof of consent: unambiguous consent is now needed if the data collected is non-sensitive personal data, whilst explicit consent is now needed when collecting sensitive personal data such as physical or mental health data. Unsurprisingly, there has been much debate over the difference between the terms ‘explicit’ and ‘unambiguous’. However, what is certain is that companies will need to work much harder to demonstrate that consumers have understood and agreed to their terms of use.
- Portability: the right to data portability allows individuals to obtain and reuse their personal data across different services. The idea is that this will make it easier for people to switch between services and reduce the problem of ‘lock-in’.
- The right to be forgotten, officially called the ‘right to erasure’: individuals can now request that their personal data be erased or not used in specific circumstances. Despite there being several exceptions to this, it builds on the right to be forgotten established in ECJ case law in 2014.
- Mandatory breach notification: in the event of a personal data breach that is likely to have detrimental effects on an individual (for example damage to reputation, loss of confidentiality or financial loss), the organisation will need to report this breach to the affected individuals, as well as to the relevant supervisory authority, or face a fine.
- Direct representation by NGOs: consumers across the EU now have the right to ask a competent NGO to bring claims against data processors on their behalf. Countries may also give such NGOs the right to take collective action. Many commentators have suggested this will lead to a significant increase in the number of class action suits soon after it comes into effect, as was the case in the US.
- Fines: penalties for companies who fail to meet the new requirements have increased to up to EUR 20 million or 4% of annual global turnover, whichever is higher.
- International implications: the processing location of EU citizens’ data is no longer relevant. Basically, it doesn’t matter what the rules are in the place where a person’s data is processed: if organisations specifically target EU citizens or monitor their behaviour online, then the GDPR applies.
The challenge for businesses
According to a recent survey conducted by Dell, 97% of the global businesses contacted did not have a plan in place to meet the requirements of the GDPR, and only one in nine IT and business professionals feel confident they will be ready once it arrives. Figures are slightly better within the EU; a study shows that 42% of businesses in western Europe feel they will be GDPR ready once it arrives in 2018.
So what is the challenge? In some cases, it will require companies to rethink the very nature of their business models, which have been based on broad consent to collecting a wide range of personal data for often undefined purposes. Thus, many aspects of business operations, from marketing to strategy, and from privacy lawyers to technical infrastructure design, will need to be involved.
It is also an investment challenge. Investment will be needed at all stages of preparation, including, for larger companies, the appointment of a Data Protection Officer who will need expert knowledge of data protection law and practices.
Upgrading or starting from scratch?
The scale of the challenge facing businesses and organisations partly depends on whether they are already operating in jurisdictions with data protection legislation. Some countries already have extensive data protection legislation in place, although significant reviewing and upgrading may be needed for countries that want to be rated as ‘adequate’ by the EU for data transfer purposes. In other cases, data processors may be operating in countries without any robust data protection frameworks.
A forthcoming Consumers International study of 23 middle, lower-middle and low-income countries found that only 13 had legal frameworks for data protection in place, whilst seven had draft legislation which was progressing slowly. Members and experts told us that lack of political will and low understanding of the often-complex world of data protection are why such legislation can take years to implement.
The race for competitive advantage
Certain commentators have suggested that developing countries with educated workforces, a pro-business government and an efficient judiciary could benefit from the demands that the GDPR will create. However, in many countries the judiciary and legislature will struggle to find the resources needed to support the monitoring, auditing and processing of claims required by the GDPR. With concerns about the EU’s own capacity to fulfil the demand for Data Protection Officers and the legal knowledge required to enforce the GDPR, the challenge for countries with less experience in this field will be high.
Smaller firms may also struggle to compete with large US tech giants in the rush to appoint data protection officers and, initially at least, qualified personnel could be drawn to centres with the largest firms and highest salaries.
The challenge of different legal systems and approaches
International research and the existence of data protection laws in most regions suggest wide acceptance of and support for data protection principles, so in many countries the GDPR could be a valuable tool in strengthening national calls for improved data protection. However, with countries and regions approaching issues of ‘privacy’, ‘security’, ‘data protection’ and even ‘rights’ in different ways, interpreting and meeting the requirements of the GDPR may not be so simple.
Discussions with digital rights experts have highlighted that the top-down implementation of data protection law may not catch on as quickly in some countries and regions. Changes will need to reflect local views and be supported by societal awareness and national advocacy.
Regulating a fast-moving global market
For the GDPR to raise the standard for data protection in the way many have proposed, the first step will be successful implementation in the EU and adoption by all companies operating in the EU. If this is seen to be progressing well, the chances of it influencing international practice will be much higher.
This blog has highlighted some of the key opportunities and challenges inherent to the global adoption of the GDPR, a good example of the much larger challenge of creating global rules, regulations and commitments to shared practice in a globalised, digitalised world where practice and technology far outpace rules and regulation.