We are witnessing history in the making.
On 25 May 2018 the EU General Data Protection Regulation (GDPR) becomes applicable across all 28 Member States. The GDPR introduces new accountability obligations, stronger Data Subject rights to protect our digital existence and continuing restrictions on international personal data flows.
The new framework is ambitious, complex, rigorous and workable if you’re prepared to shift the way you do business now in the world’s biggest digital single market.
The GDPR takes a ‘risk based’ approach to data protection and privacy, requiring organisations and accountable individuals to demonstrate and verify compliance, and for the first time extending this obligation to data processors. It will also be necessary to map the GDPR into your organisation’s existing operational risk management process, which may in turn highlight essential process improvements for other risks.
Under this new framework, all Supervisory Authorities will be empowered to ensure that organisations, public and private, work hard to comply with the world’s highest standards of data protection and privacy or face sanctions and administrative fines of up to 4% of total worldwide annual turnover or €20m, whichever is higher.
Oversight of the consistent application of the GDPR will be the job of the newly created European Data Protection Board (EDPB), a body composed of representatives of the Supervisory Authorities of all 28 Member States together with the European Data Protection Supervisor, and this will go a long way towards creating a fair and equitable approach to the regulation of personal data and protecting the privacy of over 500m citizens within the EU.
This is perhaps one of the most significant milestones achieved in data protection in our lifetime and the democratisation of the world’s biggest single digital market is now complete. On a personal note, I’m very honoured to have played a pivotal role within the European Parliament and the European Commission to help make this a reality.
I’m also personally delighted to be writing this foreword to the inaugural issue of the Journal of Data Protection and Privacy – founded by its Editor-in-Chief Ardi Kolah and published globally by Henry Stewart Publications. I congratulate them both on this achievement.
I had the pleasure of debating the finer points of the GDPR with Ardi when we were both invited on a panel at the recent FT Cyber Security Summit Europe 2016. That event and the launch of the Journal of Data Protection and Privacy form part of a much wider conversation that we are having not just in Europe but across the world. Data protection is no longer an afterthought but a critical component in the production of any product, service or business process if organisations want to build and maintain trust with their customers, clients, supporters and employees.
The journey to this point has taken over four years and hasn’t always been easy or smooth. Certainly the GDPR has its critics and, as with every other law, it would be unrealistic to pretend that it’s perfect.
But failure wasn’t an option.
European citizens deserve much better in the way their personal data and privacy are protected. In keeping pace with rapid technological developments, it was also essential that the EU found a way to create a level playing field, where new entrants to the world’s biggest single digital market have an opportunity to grow and prosper by offering their products and services to European consumers in the face of larger and more established competitors.
Another driving force behind the GDPR was the need to reform a highly complex and bureaucratic system of 28 EU legal jurisdictions all purporting to regulate the rights and freedoms of 500m citizens within a single digital market but which lacked any coherence and consistency in its application.
Under the GDPR, Member States may deviate from its provisions only in a limited and exceptional set of circumstances, and as a result the regulation creates a level of consistency and harmonisation never before achieved in the history of the EU. Areas such as media and press laws, processing in the public interest, and national security and defence remain within the domain of Member States.
In many ways, the GDPR is a fair and balanced approach to the need to protect basic human rights as well as encourage greater competition and choice.
For example, prior notification of personal data processing to the Data Protection Authority has been replaced by the accountability principle in the GDPR, which at a stroke removes an unnecessary burden for companies.
The introduction of several provisions for greater transparency and a simplified data privacy notice in understandable language is paramount to ensure control by consumers and provide for meaningful consent.
New concepts, such as the right to data portability, standardised privacy icons and data protection by design and by default, all encourage a deeper level of customer-focused innovation and build value for those organisations that can seize these opportunities to grow a sustainable business for the future.
Learning from past mistakes and embedding a culture of continuous improvement also means that organisations must make data protection training and development their first line of defence in protecting business continuity and avoiding sanctions and fines for infringements of the GDPR.
The Journal of Data Protection and Privacy has a very important role to play in this regard and provides an excellent platform for learning, analysis and debate over the coming years, in which data protection, the need to protect business continuity and compliance with the GDPR are significant boardroom issues.
Jan Philipp Albrecht LL.M. is a Member of the European Parliament and Vice-Chair of its Committee on Civil Liberties, Justice and Home Affairs.