By Olly Jackson, EMEA
The General Data Protection Regulation (GDPR) may not be as punitive as some suggest, but businesses need to spend big to comply, particularly if they were one step behind the previous regulations.

GDPR will come into effect in May 2018 and aims to harmonise data protection rules across Europe. Some changes have attracted a lot of attention: the huge potential increase in fines, which could be as high as €20 million ($23.6 million) or four percent of the company's annual global turnover; the right to be forgotten; and the new legal requirement to report data breaches within 72 hours.

These changes appear to be taking businesses by surprise. In a YouGov poll in May, 71% of UK companies surveyed said they were unaware of the fines enforced under the GDPR, and 40% admitted they would have to cut staff or go out of business if they suffered the maximum fine. Even more troublesome is the news that 62% of businesses had not heard of the regulation at all.
As we move into December, Herbert Smith Freehills' head of data protection and privacy Miriam Everett is more optimistic about firms' preparedness, but anticipates that progress still needs to be made. "I think companies are well along the track but there is still work to do," she said.

This progress could be put down to the huge increase in expenditure in an attempt to become compliant. A PwC report released only last month revealed that 40% of firms that have finished preparations for the GDPR have spent more than $10 million.
While the new regulation opens up the possibility of significantly higher fines and the addition of a new legal requirement to report breaches, there is scepticism about the extent of the changes it makes from the previous

"There is a lot of scaremongering from people, but I don't subscribe to this," she said. "GDPR is creating a lot of challenges but it's not wildly different from the current law, it just takes everything and tightens it a bit."

But what does concern her is that the regulation could be left open to interpretation, leaving business owners to work out for themselves how to be compliant. This has led to a big recruiting drive from firms across the UK, with reports that some UK small and medium businesses have employed new staff members specifically to prepare for
- GDPR will force companies to change the way they deal with data breaches and means companies must have clear systems in
- The changes are costly. In a recent survey 40% of firms considered to be fully compliant have spent more than $10
- The new regulation aims to harmonise data protection regulation across
Everett insists that the most challenging aspect of the GDPR is that it demands a cultural shift from organisations. "The law wants privacy to be at the heart of everything. That may not be technically challenging but culturally, a change is needed," she commented.

In recent months data privacy has been particularly under the spotlight. Uber's data breach, which resulted in the theft of 57 million people's information, and the company's decision to pay a $100,000 ransom rather than disclose the incident publicly, has highlighted the importance of strong data regulation. The well-publicised Equifax data breach, which saw an estimated 143 million US customers affected, also brought the issue right to the forefront of public attention. The right to be forgotten, allowing individuals the right to have their data deleted, is included under article 17 of the GDPR and may help alleviate these issues.
But former deputy data commissioner and Allen & Overy special adviser David Smith says the right to be forgotten is something of a misnomer that does not truly exist in the new regulation.

"If the organisation has good reasons for keeping your data and can justify it, they can continue to do so," he said. Exceptions apply to the rule where the data processing is necessary for exercising the right of freedom of expression, compliance with a legal obligation, public interest reasons, archiving purposes in the public interest, scientific or historical research purposes, or for legal claims; a rather sizable and wide-ranging list. Smith says the right to be forgotten is targeted more at social media companies than at financial services firms.
While Smith believes the changes build on the existing regime rather than revolutionising it, he envisages that companies a few steps behind the current regulation will have a lot of work to do to catch up.

"It is a wake-up call for firms for what they should be doing," he said. "If you're a step behind the field then it may take a while to step back up. It is important to look at where the risks lie."

Smith does not expect the regulator to demand perfect compliance immediately, but it will expect a programme to be in place that could deliver compliance. The same spirit seems to apply with the new Markets in Financial Instruments Directive (Mifid II): the Financial Conduct Authority has said it will be lenient with firms which don't necessarily fully comply by January 3, but have taken obvious steps to do so.
Regulators have, as yet, not given too many clues about their intentions. Information commissioner Elizabeth Denham said in a blog post in August that despite the ability to impose fines above the current £500,000 ($670,000) limit, "it's scaremongering to suggest that we'll be making early examples of organisations for minor infringements or that the maximum fine will become the norm". The Information Commissioner's Office has published a 12-step guide to complying with the GDPR that highlights the importance of documenting the data businesses hold, checking procedures for data deletion and having an action plan in place in the event of data breaches.
The big change to come from the GDPR will be the introduction of accountability: not just complying with data protection rules but demonstrating that you do so. The appointment of a data protection officer and having data retention policies and impact procedures in place are expected to be big signals to the regulator that businesses are taking the regulations on board; but these could be very costly changes.

"It depends where you were in the first place but inevitably there will be costs involved," Smith said. "The bigger the business is and the more data is central to the business, the higher the cost is likely to be."

But it's not all bad news for businesses. "Businesses with some justification asked how could they follow the rules of all 27 nations, but GDPR harmonises the rules across the entire continent," Smith said. "It gives a bit more freedom for companies to reach the desired
The GDPR will understandably elicit frustration from the business community, demanding sizable expenditure and time-consuming policy changes to comply at a time when Mifid II and Brexit are also occupying business minds. But if firms can review data protection requirements, appoint a data protection officer and have impact procedures in place, businesses can make healthy progress ahead of the May