On April 14, 2016, the European Parliament voted to adopt the General Data Protection Regulation (GDPR). The regulation will come into effect on May 25, 2018.
The purpose of the regulation is to further harmonise national data protection laws across the E.U., strengthen the obligations on those who use personal data and enhance the rights of individuals.
- Applies to every company processing personal data of individuals who are in the EU when their personal data is collected from them, not just companies domiciled inside the E.U.
- Enforces fines of up to €20 million or 2-4% of global turnover, whichever is greater
- Imposes a 72-hour window for companies to report a breach to the Data Protection Authority, with limited exceptions
- Requires lawful processing of personal information, including requiring individuals to give unambiguous and informed consent for their data to be processed when using consent as their legal permission to process
- Affords individuals the ‘right to be forgotten’ and the right to access their personal data
- Implements ‘privacy by design’ – privacy can no longer be an afterthought when developing new products
- Sets up a ‘one stop shop’ – companies only have to register with one data protection agency
- Requires companies who systematically process data to appoint a Data Protection Officer (DPO)
What are some of the issues for tech, media and telecommunication (TMT) companies?
Customisation of the user experience
Preserving the integrity and security of customer data is a mainstream issue for TMT companies as they are increasingly collecting personal customer data to tailor their propositions and create a competitive advantage.
Much of this customisation relies on personal data. The definition of ‘personal data’ under GDPR is the same as the U.K. Data Protection Act; namely information that allows an individual to be identified, either directly or indirectly. However, what can be classified as an ‘identifier’ is more detailed and now includes online identifiers such as IP address, location data and genetic data.
Talent attraction and retention
Under the GDPR, TMT companies must appoint a DPO if they meet certain conditions.
At a minimum the DPO will need to:
- Inform and advise employees and organisations on their GDPR obligations
- Monitor compliance and manage data protection activities, including data protection impact assessments, staff training and audits
- Interact with authorities and individual data subjects
The Information Commissioner’s Office also recommends that the DPO reports at board level and is provided with adequate resources to meet all obligations. The GDPR further specifies that the DPO must have “expert knowledge of data protection law and practices.”
The role of the DPO should not be taken lightly. It is not a nominal position to satisfy regulation, and it must extend beyond the realm of IT. DPOs should be well-versed in data, risk, law and compliance, but also able to adapt to the ever-changing risk landscape of a modern digital world. At a time when many TMT companies are struggling to attract and retain top talent, finding a DPO will not be a simple ask. The International Association of Privacy Professionals estimates that at least 28,000 DPOs will be required in Europe alone, so competition will be fierce and a skills shortage may emerge.
Reputation in a fast-moving world
The financial price of getting GDPR wrong is well documented; a fine of 4% of turnover would undoubtedly be a board-level issue. Mandatory reporting requirements also add new elements of risk: reputational damage and class actions. It will now be easier for traditional and social media channels to publicise failings, so TMT companies must be prepared to face the stark glare of media and customer scrutiny if they are noncompliant with GDPR.
When a telecoms company suffered a serious data breach in 2015, around 200,000 tweets were sent on the subject in just one week. The overall cost was 101,000 customers lost. In the fiercely competitive telecom industry, if customers lose trust in an organisation’s ability to protect their data they can, and will, find other providers.
‘Privacy by design’ requirements now mean that, following a breach, regulators will examine the measures an organisation took to safeguard personal data in order to determine fines. The activities of the DPO and the breach response solution are therefore critical. Data breaches can and will happen, but if an organisation has implemented proactive risk management it may be looked on favourably by regulators.
Using GDPR for competitive advantage
The GDPR is a piece of legislation which aims to help citizens and organisations safely and confidently navigate their way through an increasingly complex digital world. While it may be easy to think of the GDPR as yet another compliance burden, it should be viewed as a means by which to bring organisations up to speed with the modern digital world. To harness GDPR for business advantage organisations should:
- Manage obligations and take bold privacy decisions to set themselves apart from the competition
- Enhance brand trust by engaging customers in the data protection process
- Use increased knowledge of data to optimise its power
- Implement proactive risk management to minimise potential financial loss.
The post was co-written by Jamie Monck-Mason. Jamie is the Executive Director of Cyber and TMT at Willis Towers Watson. Jamie has a particular specialism in Cyber and Technology E&O wordings, related coverage issues and claims. He has drafted a successful suite of U.K. Cyber and Technology policies for U.S. insurers. He therefore brings to the team a legal expertise to reinforce their already formidable technical capability.