In response to high profile data privacy issues and the pace of technological change, the EU is set to introduce new Data Protection Regulation, which will bring with it new obligations, enhanced rights and restrictions on how businesses use data. There are, though, still questions about the scope of the law, and particularly what the new EU rules will mean for US organizations and others that provide goods and services to EU residents.

A few things are clear. As data controllers are increasingly held to account under the new regulations, the importance of the data privacy officer will only increase as businesses seek to avoid sanctions for non-compliance. The scope of the legislation is such that, according to a recent survey of IT decision-makers, over half of global companies expect to receive sanctions for non-compliance, with 70% saying they were planning to increase the amount they spend on data protection as a result. This post looks at five frequently asked questions about the EU’s General Data Protection Regulation (GDPR) and what steps your organization can take to future-proof your privacy practices.

Big Data


Profiling and the granular analysis of people’s digital footprints have opened up real opportunities for businesses. Included in the draft Regulation are a number of restrictions on the way businesses use profiling to analyze customer behavior and preferences. In general, the Regulation seeks to prevent businesses from making decisions about customers based on profiling alone. To ensure your current practices are in line with the Regulation, it’s important to determine whether your current data processes qualify as ‘profiling’ under the legislation.

Personal and Pseudonymous Data

One area where the Regulation brings useful clarification is in relation to the definition of personal data, with confirmation that location data and other identifying information qualifies as personal data. As well as personal and anonymous data, however, the new rules will introduce a third category, pseudonymous data, where information doesn’t disclose a subject’s identity, but may still be used to identify an individual when combined with additional data. This pseudonymous data is subject to protection; but, importantly, the rules are more flexible. This means it will be important to figure out if it is worth using pseudonymous data in any profiling to benefit from the less stringent rules.

Workforce Privacy


One area of the Regulation that is often overlooked by businesses is its relevance to the workplace. Employers possess and process significant amounts of personal data relating to their employees, and this information is covered by the regime. An employee will rightfully have an interest in how their personal data are used, and this has to be balanced with the interests of employers, who are understandably keen to monitor performance and improve productivity. Before the GDPR comes into force, data protection officers and HR departments will need to liaise to ensure practices are compliant with the new rules, and to consider whether those practices need to be made more transparent.

Accountability and Non-Compliance

The scale of the changes, then, means that businesses should not underestimate the challenges involved in demonstrating compliance and in making data processes transparent. The carrot here is clearly the potential for organizations to build trust with customers and employees; the stick comes in the form of hefty sanctions for non-compliance. To ensure accountability, businesses may have to introduce a raft of new audits, processes and data security measures.

If your business hasn’t already, the thing to do now is to check whether the processes you currently have in place meet the new obligations, and to assess what new policies will have to be introduced. With proposed penalties of up to 2% of global turnover for serious data protection breaches, the cost of non-compliance could be significant. It certainly looks as though there will be plenty to keep any recently appointed data protection officers occupied in their new roles.

Has your organization introduced new controls around data? Are you a recently appointed data protection officer? Let us know your thoughts on the GDPR by commenting below or on LinkedIn.

Images via Flickr: niksnut, steve_w