Data is used by all businesses – from insurance firms and banks to social media sites and search engines. There are no borders online and cloud computing means data may be sent from Berlin to be processed in Boston and stored in Bangalore.
The Data Protection Regulation (Regulation (EU) 2016/679) will come into force across the EU on 25 May 2018 and internal auditors need to understand how this will affect their organisation.
How will this EU directive impact your organisation following the result of the UK's referendum to leave the EU?
There is a two year minimum period in which we remain a member of the EU while negotiating an exit. During this period the new regulation will become applicable in the UK without the need for domestic legislation whilst we remain part of the EU.
In addition, Article 3 of the Regulation provides for extra-territorial effect meaning that the Regulation will apply to businesses based outside of the EU where:
Given the above, many businesses with supply chains or customers in the EU will therefore need to ensure they are meeting the regulation, regardless of UK decisions on data protection law.
Personal data from the EU may only be transferred to jurisdictions which protect that data as per EU standards.
Whilst it is too soon to know any of the detail, we suggest that internal auditors in the UK should be advising their organisations to:
Consider which parts of the operations and which data sets may be affected by proposed changes where the organisation has key customers in the EU. It is likely that many organisations have started work on this given the significance of some of the changes. Based on the ICO’s statement, it is possible that some or all of the changes set out in the GDPR are adopted under UK law after Brexit.
Monitor the Information Commissioner’s Office for statements on Brexit, General Data Protection Regulation (GDPR) and guidance on remaining compliant.
Continue reviewing internal data processing and to aim to be compliant with the GDPR by May 2018.
Internal audit should also be looking out for news and updates and amend the audit plan accordingly as the position regarding GDPR and application in the UK becomes clearer.
We will publish further comment once Article 50 is invoked and we know more about timescales and the Brexit plan. Internal auditors in the Republic of Ireland should continue with their plans, and may find the Data Protection Commissioner useful.
This encompasses an organisations obligation to provide 'fair processing information', typically through a privacy notice. It emphasises the need for transparency over how organisations use personal data.
When processing is restricted, organisations are permitted to store the personal data, but not further process it. Organisations can retain just enough information about the individual to ensure that the restriction is respected in future.
Individuals have the right to object to:
Organisations must offer a way for individuals to object online.
They must do this if they:
A single data protection officer may be appointed to act for a group of companies or for a group of public authorities, taking into account their structure and size.
Under the new regulations penalties will reach an upper limit of €20 million or 4% or annual global turnover – whichever is higher, per incident. Previously the maximum was £500,000 and in practice, the ICO has never issued a penalty higher than £350,000.
The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. People will be able to delete their data if there are no legitimate grounds for retaining it.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
If personal data is handled abroad, EU rules must apply by companies that are active in the EU market and offer their services to EU citizens.
Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home.
A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.
Information Commissioner's Office:
European Commission:Download PDF