Andrea Danti - Fotolia

GDPR likely to affect internal processes heavily, warns lawyer

Businesses should not overlook the fact that the EU’s new data protection laws may require fundamental changes to internal business processes, warns a data protection lawyer

The General Data Protection Regulation (GDPR) means that most businesses that deal with the personal data of European Union (EU) citizens will have to change the way they think about data protection, according to Tim Maiorino, a data protection lawyer at Osborne Clarke based in Germany.

“This is the view of the UK’s information commissioner Elizabeth Denham, and it’s true because the impact that the GDPR will have on businesses is so deep and will affect internal processes to comply with some of the requirements,” he told Consumer Identity World Europe 2017 in Paris.

The GDPR will also potentially affect the internal structures of businesses and the way responsibilities relating to data protection are allocated, such as the need for some organisations to appoint a data protection officer (DPO).

Although German companies have been required to have data protection officers since 1988, Maiorino said appointing a DPO will be entirely new for many companies outside Germany.

It will be interesting to see how companies will handle this new role and adapt their processes, he said, because under the GDPR, DPOs are required to be free in executing this role.

“DPOs are not allowed to take any directions from company management and they cannot be fired for doing their jobs, which is completely different from the usual situation where employees are required to follow the directions of their managers and do not typically take their employers to task.”

The GDPR principle of privacy by design is another area where the regulation is likely to have a deep impact on internal business processes, according to Maiorino.

“Under the GDPR, products and services will be required to have basic data protection principles such as data minimisation implemented into their structure and into their design, unlike in the past, when the priorities have typically been scalability, user experience and profitability,” he said.

“Data protection was considered and the legal department consulted usually only at the end of the development process, and then legal was often overruled if any obstacles were raised, but this approach will not work under the GDPR.”

Read more about GDPR

The principle of data minimisation alone, said Maiorino, will enforce changes to many of the current design approaches that, in an era of big data, tend to be aimed at collecting as much personal data as possible.

“To be GDPR compliant, businesses may collect only the data that is absolutely necessary to provide the product or service, and it will be a real challenge for many companies to implement these processes right from the design phase,” he said.

However, Maiorino said the principle of data minimisation could also help reduce the amount of data that organisations will have worry about keeping secure.

To illustrate this point, he quoted Julian Box, CEO of cloud service provider Calligo, as saying: “There is little point in putting a ring of steel around data you shouldn’t have.” This means organisations need to reflect and think before they collect data they are not entitled to collect and handle.

Seeking data consent

The need to obtain consent is also something new for companies outside Germany, said Maiorino, because they will have to introduce processes to ensure that consent is given freely, that it is informed and that is given expressly for specific purposes.

But GDPR will necessarily require additional steps to meet the requirements around consent because obtaining broad consent through asking customers to agree to general terms and conditions is no longer considered legal.

“This is something businesses are likely to struggle with because many are reluctant to introduce extra steps into transactions with customers, with some claiming up to 30% loss of potential customers with each step,” he said.

“The need for express consent will have a deep impact on how subscription processes are designed, because it will have to be a separate action by the user for each purpose that data is being collected.

“The need for consent to be informed requires organisations to provide detailed information about what data they are collecting, how it will be used, and what third parties it will be shared with.”

Organisations need to be aware of the potentially deep process changes that GDPR compliance may require, said Maiorino.

However, he said organisations should view compliance as an opportunity to build consumer trust and to get on top of data protection, which is an increasingly sensitive topic among consumers.

If organisations are still not convinced of the business value of GDPR compliance, Maiorino said the fines of up to €20m or 4% of annual global turnover should be reason enough to take compliance seriously, adding that data protection authorities are unlikely to tolerate non-compliance after the two-year grace period expires on 25 May 2018.

“Even for companies in Germany, the fines under the GDPR are a revolution, not just an evolution of what they have been used to,” added Maiorino.

Read more on Privacy and data protection