Six months and counting: what does GDPR spell for European businesses?

by
Agata Pavia

On Monday 27th November, FleishmanHillard Fishburn hosted a panel discussion on GDPR, the biggest and most significant reform to data privacy regulation in 20 years. Whether European, British or global in outlook, all businesses will be affected. And with six months to go before it comes into effect, we all need to be aware of what is on the horizon.

Listen to our expert speakers discuss and explain what GDPR is, why and how it came about, current media attitudes towards it, what impact it will have and, crucially, what all organisations need to do to ready themselves ahead of 25th May 2018.

A guide to the podcast

Panel discussion host

  • Nick Andrews, SVP & Senior Partner, FleishmanHillard Fishburn

Speakers

  • Agata Pavia, Head of Technology, FleishmanHillard, Brussels
  • Peter Meikle, Head of News, FleishmanHillard Fishburn
  • Dyann Heward-Mills, Head of Data Protection and Cyber Security, Baker McKenzie

GDPR is real. Ignore it at your peril

An introduction to GDPR, by Nick Andrews (0.00 mins to 5.21 mins)

It has been said data is the oil and gas of the 21st century. Data is driving economic growth and innovation in practically every sector. We all need it, we all use it. It has become a precious resource.

As our data-driven world grows around us, so does the possibility and likelihood of security breaches and misuse of that data. It follows then that the way in which it is stored, kept, used and shared should be scrutinized, reviewed and, ultimately revised.

That revision comes in the form of GDPR – General Data Protection Regulation – and will take effect from 25th May 2018. It will be a game-changer for any company that processes and handles customer data and the sanctions for those who don’t comply will be significant.

Sanctions will be game-changing, even earth-shattering

A brief history of GDPR, how it came about and what the implications are, by Agata Pavia (5.22 mins to 14.39 mins)

  • GDPR will have a truly global impact affecting all companies which process the data of EU citizens around the world regardless of where they are established
  • The handling of data will become more harmonized and unified – one set of rules across EU will make it easier for companies to comply
  • In case of cross-border processing of data, businesses will only have to deal with one DPA, based in their main establishment.
  • GDPR establishes clear definitions on key terms such as personal data and consent
  • It establishes internal requirements
    • Privacy by design and default
    • The need to notify the DPA of a data breach within 72 hours
    • Obligation to conduct a Data Protection Impact Assessment and appoint a Data Protection officer under certain circumstances
  • Data protection impact assessments will give more data protection rights to individuals, including:
    • The right to be forgotten
    • The right to object, in particular, to profiling under certain circumstances
    • The right to data portability

Companies who fall short of GDPR will face severe penalties of up to €20m or 4% of worldwide revenue (whichever is greater).

The media may not care about it now but they are biding their time until an example is made

The UK media’s current attitudes to GDPR and what will pique their interest, by Pete Meikle (14.40 mins to 21.06 mins)

An audit of senior ranking broadcasters and journalists from BBC Radio 4, Channel 4 news and the Evening Standard reveal limited to no current appetite for stories on GDPR. Do not be lulled into a false sense of security, however, as interest will grow the closer we get to 25th May, when data protection will become front of mind, particularly when examples are made of companies who don’t comply to the new legislation. Stories likely to gain momentum and traction over the coming weeks and months include:

  • January 2018 – new year trends, predictions and analysis
  • One month to go (25th April 2018) – countdown to GDPR
  • Making an example – the first big breach post GDPR: who is it and how much will it cost them?
  • Life after GDPR – what consumer stories are emerging?

It’s tempting to see GDPR as a curse. We need to treat it as an opportunity

The legal implications of non-compliance and guidance on best practice, by Dyann Heward-Mills (21.07 mins to 30.40 mins)

Many companies are already taking great steps to ready themselves ahead of 25th May, while others have a long way to go. It’s imperative that measures are put in place sooner rather than later, including:

  • An overarching data protection governance policy or code of compliance
  • Written procedures for protecting data
  • Roll out training and relevant policies such as a data breach policy
  • Remedial procedures (if and when something goes wrong)
  • Contractual obligations and liability clauses (especially for 3rd parties and suppliers)

Data protection and security are only going to increase in importance. Add to this a talent and skills shortage, and the issue of where the responsibility for data and overall accountability lies within any given organisation only grows in complexity.

There is, however, a considerable opportunity for companies who get it right. By taking GDPR seriously and investing in governance, the returns can be huge. Companies who do this will benefit from increased trust from employees and customers. And they will ultimately gain a competitive advantage by being able to get better insights into their data.

Q&A from the audience (30.41 mins to end)