Data protection is shaping industries around the globe
The General Data Protection Regulation (GDPR) adopted by the EU sets the bar high for personal data protection laws around the world, and many governments are following its lead. Country-specific derogations are possible, but companies should get ready to comply with increasingly strict requirements.
Data protection matters
The world is undergoing its fourth industrial revolution, one driven by radical social and economic connectivity. Digitalisation and data availability are the key enabling factors of this revolution, and the amount of information being processed is growing exponentially. Most activities nowadays produce some form of data, from a simple phone call to buying groceries with a credit card. This mass of data needs to be stored and managed by organisations, which in turn have to become more complex to survive in the modern, digitalised world.
Given its importance, personal data processing has become a top priority on many government agendas around the world. The EU initiated a regulatory standard when it published the General Data Protection Regulation (GDPR), and it set the bar high for the update and review of most global personal data protection laws. After the GDPR, companies all over the world should expect a wave of new or updated regulations and should get ready to comply with increasingly strict requirements.
Any organisation, regardless of geographical location, that collects or processes personal data of individuals in the EU needs to comply with the GDPR, including organisations with no establishment in the EU that offer goods or services to individuals in the EU or monitor their behaviour there. Non-compliance has severe financial consequences: fines of up to 4 percent of total worldwide annual turnover or 20 million euros, whichever is higher.
What’s behind the GDPR
The European Union General Data Protection Regulation (EU GDPR) responds to the need for stronger regulatory requirements on personal data protection. Its scope is much wider than that of the previous Data Protection Directive 95/46/EC adopted in 1995. The GDPR was published in the Official Journal on 4 May 2016, entered into force on 24 May 2016 and, after a two-year transition period, has applied directly since 25 May 2018.
The articles of the EU GDPR include eight key topics that need to be covered operationally from three different perspectives: business (what data is processed), IT (where personal data is processed) and third parties (to whom personal data is transferred). The key topics include:
- data inventory
- data subject rights
- data processing records
- personal data breaches
- data protection officer
- data protection impact assessment
Many companies, both in the EU and in other countries such as Switzerland, have adopted a risk-based approach to implementing GDPR compliance measures. This has often resulted in a phased approach, with certain measures being prioritised over others. While some companies completed the implementation of compliance measures by the date the GDPR became applicable, 25 May 2018, most organisations are still working on the subsequent steps: ensuring the efficacy of the implemented measures, automating the implemented processes, and reviewing data protection efforts from a strategic perspective.
Whether your company is based in Europe or in a remote region of China, you will have to deal with some form of personal data protection regulation – and things may become complicated for corporations with a global footprint. So much so that it may be more efficient for a US-based company to simply comply with the European GDPR in all of the locations in which it operates – as most other regulations would typically be equivalent to or possibly less strict than the GDPR.
The GDPR applies directly in all EU member states without the need to transpose it into national law. Nevertheless, the regulation contains opening clauses that allow national derogations on specific points, for example the processing of special categories of personal data or data transfers.
To name but a few: in Germany, the new Federal Data Protection Act (FDPA) sets additional and stricter requirements for processing personal data. Austrian derogations are limited in scope but mostly stricter than the respective requirements in the GDPR; as in Germany, for instance, specific requirements are set for the processing of video recordings. The revised French Data Protection Act sets stricter rules for the processing of biometric data in the context of employment. Italian law introduces stricter criminal sanctions for cases where personal data is unlawfully processed. UK derogations, too, set stricter conditions for the processing of special categories of personal data. However, with Brexit on the horizon, UK data protection law will be monitored closely, as Brexit may pave the way for a UK-specific data protection law under which the GDPR would no longer apply directly.
While the EU GDPR is already enforced, other countries have begun to work on their own data protection laws – often trying to align them with the GDPR’s requirements. To strengthen data protection and to revise existing laws due to the Schengen Convention, Switzerland is aligning the Federal Act on Data Protection (FADP) to the GDPR. This alignment is also essential from an economic point of view, since data exchange with companies and state authorities from countries that do not have comparable protection of personal data can only be carried out with considerable difficulty. Detailed information on the FADP and its link to the GDPR can be found in our publication «What does the revision of the Swiss FADP entail, and how does it relate to the GDPR and the ePrivacy Regulation?»
In the USA, most states have implemented some form of privacy legislation, but California is well ahead on data protection topics. The state has put multiple privacy laws into force, some of which have far-reaching effects at national level. At federal level, a number of bills that would establish a national standard for data security breach notifications have been introduced in the U.S. Congress, but none has been passed so far.
PwC’s new report «The global footprint of data protection regulations» delivers a detailed analysis of the most important countries in the EU and worldwide.
What PwC Switzerland can do for your organisation
Some of the core data protection requirements have been set forth in the GDPR, but there are a number of other data protection regulations that companies in Europe and the world have to consider. Data protection is a complex topic, and even more so when your business is present in multiple countries and thus subject to a number of different laws. Organisations in this situation need to consider what regulations apply to them, when to act, and what processes to implement.
Our PwC experts guide you through all the steps to comply with data protection rules:
- Readiness assessment and gap analysis
- Personal data inventory
- Action plan development
- Implementation of compliance actions
As a multi-disciplinary service provider, PwC is uniquely placed to help you to adjust to this new environment. Our data protection team includes lawyers, consultants, cybersecurity specialists, auditors, risk specialists, forensics experts and strategists. We are a global team offering innovative solutions with on-the-ground expertise in all major EU economies.