M&E Journal: Preparing for the EU’s General Data Protection Regulation

By Chris Johnson, CEO and Director; Phil Herbert, Director; and Stephanie Iyayi, Director, Convergent Risks

The General Data Protection Regulation (GDPR) went into force on May 25, 2018. In addition to being the most discussed and most important piece of legislation ever produced by the European Union, the GDPR is also the most far-reaching in terms of potential territorial scope, affecting businesses and their operations all around the world.

GDPR will soon impact everything from your people to processes and technology. As GDPR launches, how ready is your business?

The race Is on. Here’s what you need to know:

* Territorial application: The GDPR applies not only to EU businesses, but to non-EU organizations if they: 1. Offer goods or services to EU residents, or 2. Monitor the behavior of EU residents. Many organizations that are not subject to existing EU data protection law will be subject to the GDPR.

* Increased accountability: The GDPR imposes new and increased compliance obligations on controllers such as implementing appropriate policies and procedures, keeping records of processing activities, conducting privacy impact assessments, privacy by design and by default, conducting regular privacy training, etc.

* Remedies and sanctions: The consequences of breaching EU data protection law escalate dramatically under the GDPR, which sets the maximum fine for a single breach at the greater of €20 million, or 4 percent of annual worldwide turnover.

* 72-hour data breach notification: The GDPR requires businesses to report data breaches to the relevant Data Protection Agency (DPA) within 72 hours of detection, and in certain cases, to notify individuals directly. For many organizations, radical changes to internal reporting structures will be needed.

* Security measures: The GDPR requires that an appropriate level of security is implemented, and that privacy is included in systems and processes by design i.e., throughout the entire lifecycle of a product or process, not merely as an afterthought. This means that software, systems and processes must consider compliance with the principles of data protection.

* Processor liability: Existing data protection law generally does not impose direct legal compliance obligations on processors. However, under the GDPR, processors do have direct legal compliance obligations such as the implementation of security measures and cross border transfer mechanisms, notifying controllers of breaches, keeping inventories and co-operating with DPAs.

* Appointing a Data Protection Officer (DPO): Appointing a DPO is mandatory where processing involves the monitoring of individuals on a large scale, or the large-scale processing of sensitive personal data. The number of employees is irrelevant. The DPO must be a senior position and report to the highest level of management.

* Consent and transparency: Consent becomes harder for organizations to obtain and rely on. Consent must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes, and will not be valid if there is a clear “imbalance” between the parties. No more pre-ticked boxes! Organizations must also review their privacy notices to comply with the GDPR’s transparency requirements.

* Rights of data subjects: Some rights of data subjects are strengthened by the GDPR (e.g., the right of access and to object) and some new rights are created, such as the right to data portability and a right to be forgotten (which essentially applies when the processing does not or no longer complies with the GDPR or relates to children’s data in the online context).

* Cross-Border Data Transfers: The GDPR does not make radical changes regarding cross-border data transfers. However, organizations should map all of their data transfers and examine each to ascertain: 1. If the receiving country is deemed “adequate”; 2. If not, whether any “appropriate safeguards” are in place; 3. If not, whether any specific derogations apply.

How will GDPR impact M&E companies?

Entertainment and media will be among the industries most affected by GDPR. In this sector, companies increasingly build their business models around collecting personal customer data to tailor consumer propositions and create a competitive advantage.

They are continuously exploring how they can monetize this data and develop new products and forums to share them, by making the most of evolving technologies.

In some cases, these companies inadvertently or deliberately cross, or balance on, the privacy boundaries.

The main purposes of the GDPR are to uplift data protection standards in and outside the EU and to deliver greater legal harmonization of data protection regulations within the region. This should make it easier for individuals to understand how their data is being used and to raise any complaints, even if they are not in the country where their data is located.

The GDPR requires organizations to carry out a root and branch review of how they collect and use personal data, which will invariably require a cultural change within that business as they address the impact of their processes for personal data protection, privacy and cybersecurity. Doing nothing is not an option, and the sooner you start the better.

Use of “historical data”

Historical data refers to EU personal data collected up through May 24, 2018, premised on “broad based consent” — i.e., consent that does not satisfy new heightened requirements for specificity and unambiguity under the GDPR. Processing of “historical data” is no longer lawful as of May 25, 2018 and the GDPR has no “grandfather provision” or “exemptions” allowing use of data collected without GDPR-compliant consent. In many cases, historic consents will not be compliant with the requirements of the GDPR and in such cases, it will be necessary to collect fresh consents. For some organizations, this will be an onerous task and can be extremely complicated.

The benefits of GDPR compliance

Whilst at first glance the apparent time spent and disruption of a GDPR implementation program may appear onerous, those companies that embrace the data governance benefits of the regime will not only be able to advertise their compliance, thus giving a commercial advantage over rival corporations, but in changing internal culture will allow greater access to and more financially beneficial use of the data in their possession.

On the flip side, the reputational consequences of non-compliance are obvious as is apparent from the growing list of reported high profile corporate data breaches. The GDPR should be embraced by business as an opportunity for both operational improvement and commercial success.

Convergent GDPR Toolkit

Under the GDPR, not only do businesses have to comply with the new rules, they also must be able to actively demonstrate compliance. This includes keeping up-to-date records of processing activities and sharing these records with data protection authorities upon request. Compliance records are invaluable in the event of a breach and will provide a form of mitigation against sanctions.

The Convergent GDPR Toolkit is designed and developed by expert GDPR practitioners and provides all the templates, worksheets and policies required to comply with documented aspects of the GDPR.

The benefits of GDPR compliance will be felt across the business.


Click here to translate this article
Click here to download the complete .PDF version of this article
Click here to download the entire Spring/Summer 2018 M&E Journal