Today, the European General Data Protection Regulation (Regulation 2016/679/EU, also known as GDPR), which will come into effect on 25 May 2018, is an important concern for business leaders and compliance professionals. This European regulation is going to turn the field of personal data protection upside down next year. In the future, companies will have to transition from a prior statement approach to an accountability approach to comply with the new legislation. This means that companies will have to be able to demonstrate their proper compliance at all times. The corollaries of this change are that companies will face more constraints and individuals’ fundamental rights to privacy will be strengthened. Companies’ concerns are further heightened by the fact that the regulation newly enables the French National Commission on Information Technology and Civil Liberties (CNIL) and its European counterparts to impose administrative sanctions. In the event that a company is convicted, these commissions may take quite a toll on its financial results, with a maximum fine of 4% of the company’s global annual turnover.
However, getting caught up in this observation would mask the European GDPR’s potential.
The GDPR carries the seed of a new model and could lay the foundation for a new technical and operational standard for personal data protection adapted for regulating the digital world. The development of innovative Regtech software solutions proved to be an imperative for drawing out this standard’s potential. The objective of such a standard is simple: to enable the free movement without legal risk of data processing operations throughout the world.
- 1: The European GDPR represents a new foundation for a technical and operational standard for personal data protection.
The European regulation on personal data protection differs from legislation designed for the bygone pre-digital world. The text does not limit itself to imposing obligations and objectives to be achieved on pain of sanction. On the contrary, it defines and details an important and relatively precise set of rules to be followed to ensure compliance. In this sense, it lays the foundation for a technical and operational standard for personal data processing operations.
The credibility of this GDPR standard is ensured by the extent of its scope of application. Indeed, the European regulation applies not only to all European Union Member States, but also extraterritorially to all companies processing the personal data of a user located in the European Union. In other words, it is designed to apply to all companies worldwide performing personal data processing operations on the Internet. Thus the GDPR standard may eventually become a global standard.
- 2: This standard must be implemented effectively in companies’ information systems through Regtech solutions.
The new European GDPR is restrictive for companies inasmuch as there are many new rules to be followed. This incurs significant expenses and renders internal procedures more complex. My experiences have convinced me that achieving compliance using manual procedures alone and not using adapted Regtech software solutions proves complicated and prevents effective leverage of the GDPR standard.
These Regtech solutions offer multiple advantages. First and foremost, they enable personal data management to be automated, from obtaining consent to monitoring compliance. As a result, personal data management becomes an automated operation that adapts to the pace and volume of data processing made possible by current information systems. These Regtech software solutions also enable reliable, easily audited compliance. All these benefits help companies gain efficiency and manage costs.
- 3: The adoption of the GDPR standard represents a competitive edge through the free movement of data processing operations.
The objective of the GDPR standard is to arrive at a simple, reliable and strict system to enable the free movement of data processing operations. Comparing it to other legal systems reveals that, at present, there is no legislation whose overall level of stringency is as high as that of the new European GDPR. This means that respect for the GDPR standard will ensure the compliance of data processing operations under all legal systems. Therefore, the GDPR standard enables the free movement of data processing operations without legal risk on a global scale.
Using innovative Regtech software solutions will enable companies to benefit from the GDPR standard worldwide and manage the compliance of their data processing operations in an automated fashion. Making use of innovations such as Regtech solutions also means having a forward-looking view of data processing operations, considering the growing place of data analysis in our connected businesses. Companies equipped with a Regtech software solution will be able to create and capture value, in compliance with regulations, and thus secure a competitive edge over their competitors outside of Europe. Ultimately, trust between companies and their users or clients will be heightened.
Pierre-Olivier Grenouiller, designer of BRAINYSister (www.brainysister.com), Executive Director of Strategy & Products at Legal IT Factory.