tashka2000 - Fotolia

International IT trade group urges firms to prepare for GDPR

Companies that fail to start planning to deal with the EU’s data protection requirements are in for a real shock, warns the International Association of Information Technology Asset Managers

An international IT trade group is urging US firms particularly to prepare for the European Union’s General Data Protection Regulation (GDPR), which comes into effect in 2018.

Thousands of US firms that do business in Europe directly or online with European customers will need to gear up to deal with the regulations, warns the International Association of Information Technology Asset Managers (IAITAM).

But the warning applies to companies in all other regions that do business in Europe, including European firms that have not begun preparing yet for the coming changes.

In particular, IT asset managers need to come to grips with the rules for data breach disclosures and data protection officers, the association said.

“These are sweeping changes to how personal and corporate data is to be handled. They have far-reaching implications for many aspects of US businesses, particularly in terms of how information security is addressed,” said IAITAM chief executive Barbara Rembiesa.

“The days are long past when US businesses could worry only about complying with laws and rules in the US. Companies that fail to start planning now to deal with the GDPR requirements are going to be in for a real shock,” she said.

No more alarm bells

Rembiesa’s comments echo the views of London-based legal experts, who said organisations worldwide that do business in or with Europe, but have waited until the official starting gun was fired on 14 April 2016 before taking action, may have left it too late.

“There are challenges ahead. A lot of companies will have their work cut out for them to be compliant in time,” said Bridget Treacy, partner at Hunton & Williams.

“All organisations that have not done so already, really have to start thinking in very pragmatic terms about what the GDPR means for the business and how they are going to handle their data assets, because two years is not much time,” she said.

The final alarm bell has been sounded, said Stewart Room, cyber security and data protection partner at PricewaterhouseCoopers (PwC).

“There are no more alarm bells after this. There is no more pretending. All organisations that have not started preparing now need to start taking this seriously,” he said.

With just two years remaining, Room said any organisation that has not made some progress towards complying with the GDPR has effectively run out of time.

According to Room, the best plan of action for GDPR laggards is to act quickly to identify all the risks and address those they expect to be most urgent when the GDPR comes into effect.

The IAITAM has identified the top five impacts the EU regulations will have on any organisation, as outlined below.

1. Data breaches

The GDPR states that a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The changes the GDPR makes to the definition of a data breach are significant, the IAITAM said. If an organisation experiences a data breach, it must now be reported in 72 hours of the company becoming aware of the breach. 

Up until this point, a data breach is typically only announced in the US when word of the breach is leaked to the public or media, the association said.

2. Data protection officer requirement

The GDPR requires all organisations engaged in profiling of individuals to appoint a data protection officer (DPO).

This requirement could have a significant impact on organisations that will have to hire, appoint or contract a DPO for the first time with “expert knowledge of data protection law and practices and ability to fulfill its tasks”.

A study had revealed that this will mean that 28,000 DPOs will have to be appointed in Europe alone in the next two years.

3. Consent of those providing data

The GDPR states that the data controller bears the burden of proof for the data subject’s consent to the processing of their data for specified purposes. 

The IAITAM said this aspect of the GDPR requires active acceptance of the terms and conditions by the user.  Consequently, mere “use” by the user will no longer be sufficient acceptance of the terms and conditions. This means many firms will have to build consent mechanisms to meet GDPR requirements.

4. Special handling of data related to Europeans

The GDPR states that any transfer of personal data to a third country or to an international organisation may only take place if – subject to the provisions of the regulation – the conditions laid down are complied with by the controller or processor. This includes onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.

This provision was created in the GDPR to specifically protect EU citizen’s data once it’s moved outside the EU.

The IAITAM said this means any organisation that is international in scope and handles personal information of EU citizens, such as phone numbers, addresses or any other identifying information, will be subject to the GDPR. Any organisation that received the information “third-hand” will also be subject to the regulation.

5. Potential for hefty fines and court penalties

The regulation will impose fines of up to €20 million or 4% of global annual turnover for breaches of specific provisions, such as a breach of the international transfer provisions. It will also enforce fines of up to €10 million or 2% of global annual turnover for administrative and security breaches, such as failure to maintain processing records in accordance with the GDPR.

In addition to these fines, the IAITAM warns the regulation allows EU member states to impose penalties for infringements of the GDPR that are not subject to administrative fines.

The GDPR states that such penalties shall be “effective, proportionate and dissuasive”. The IAITAM said that, subject to what would be referred to as a “tort” in the US, an organisation will be fined by the member states to ensure that the damage to an individual is made whole, in addition to penalties and fines meant to deter any additional infractions. 

“This type of enforcement can become increasingly potent and result in monetary penalties reaching into the billions,” the IAITAM said.

“What is important to take away here is that any organisation that processes or handles data from EU citizens must become familiar with this legislation and fully understand the impact it will have on daily business processes,” said the IAITAM’s Rembiesa. 

“Between the sweeping scope of the GDPR and the penalty structure, this is a piece of legislation that should be treated seriously and with an eye to what it will take to ensure full compliance,” she said.

The IAITAM recommends that businesses seeking to learn more about the GDPR consult the  European Union General Data Protection Regulation Portal and the International Association of Privacy Professionals’ Top 10 Operational Impacts of the GDPR.  

Read more about the GDPR

Read more on Privacy and data protection