Getting ready for the EU General Data Protection Regulation

It is now expected that new EU General Data Protection Regulation ("GDPR") enters into force in April - May 2016. Following the entry into force, GDPR becomes applicable after a two (2) year transition period. During the transition period the data controllers, meaning practically all companies currently utilizing or processing personal data of some sort for their own account, must adopt and implement the new data processing rules and practices of the GDPR..

The latest available GDPR document contains i.a. the following practical data protection requirements for the companies (= data controllers):

  • A comprehensive duty to design and document data protection measures prior to the beginning of data processing;
  • Data subject's "right to be forgotten";
  • Rules concerning profiling the data subjects;
  • A duty to define the retention periods for personal data – in practice the deletion of personal data must be defined and planned already before the personal data is collected;
  • Designation and responsibilities of data protection officer;
  • Implementation of capabilities for:

o Conducting data protection impact assessments and providing them to authorities for prior consultation if necessary;
o Data breach notifications (short reaction times - 72 h);
o Responding to data subjects' requests in electronic form;

 Moreover, to assure effective and proper implementation of its requirements, GDPR introduces monetary administrative fines as a new category of consequences. At the maximum these fines can reach . even 4 % of the total global annual turnover of the data controller or 20 million euros, whichever figure is higher case by case.

What this means?
Proper implementation of the requirements of GDPR creates needs for practical measures concerning:

i)                 Organization and competencies;

ii)                Processes, guidelines and documentation;

iii)               IT systems and processing practices; as well as

iv)               Collected and processed personal data.

To make it even more challenging:all the necessary actions should be taken bearing in mind that in the future the customer data will be the fundamental source of the competitive advantage for any company. Therefore, the implementation work should be driven simultaneously by both business requirements and GDPR. To push this fundamental change through the whole organization in a short period of time will require a strategic approach and determinate business focus. Leaving the implementation as a responsibility of IT or legal function alone will simply not be enough.

Happy to tell you more about implementing this change professionally,

Erkka Pälä

Legentum Oy

Teemu Birkstedt