EU General Data Protection Regulations: The gathering storm heading to Sri Lanka

Friday, 20 April 2018 00:01

By Ian Ramsden

There’s a large clock ticking away in Brussels, Belgium and it’s due to stop on 25 May.

On that day new regulations will come into force that will affect any Sri Lankan company who exports to or imports from Europe or receives money from someone in Europe. Think hotels. Think tea. Think garments, think banks – and any other industry who does business with a European.

These regulations are called The General Data Protection Regulations – or GDPR for short – and they’re going to have a profound effect on the way we do business with either a company or individual in Europe.

What’s the purpose of GDPR?

First, it’s a Regulation, not a Directive as was the case with the previous ’95 Data Protection Act. This is the Act that Sri Lanka currently adheres to, but after 25 May it will no longer be valid.

GDPR will be valid right across the European Union and will embrace every country in the world who does business with an identifiable individual within the Union. All 500 million+ of them.

Its overall goal is to protect individuals rather than the data itself and, as such, it defines the rights of the individual and what can be done with their data. And by whom.

Should a company decide not to comply, there are some pretty draconian sanctions that each country can apply. So, if we want to do business with Europe, we have to comply with Europe.

And, if you don’t comply with them, there’s the threat of a fine of up to €20,000,000 or 4% of your worldwide turnover. (That’s Rs. 3.5 billion to you and me.)

Europe is very serious about these Regulations, but even I will admit that a fine of this level is unlikely to be levied on any company here. But if you ran a call centre making millions of calls a year that angered a lot of people, you would definitely be in line.

What is likely to happen is that business will be withdrawn because a refusal to comply is seen as a withdrawal of trust. GSP+ won’t mean anything if there’s no business to apply it to. 

How do European Regulations affect Sri Lanka?

There are six Principles to be adhered to.

1. Fair, lawful and transparent processing: You can now only use the data for the original purpose. So no more sending emails about something not connected with your business. You also have to inform the data subject WHY you’re collecting the data and get their consent to do so. This means their explicit consent. They’ll have to tick a “yes” box or verbally inform you, and you’ll have to keep a recording of that call.

2. Accurate and maintained up to date: You’ll have to ensure that the data you hold is as up-to-date as possible.

3. Retained only as long as necessary: No longer can you keep data for as long as you want. You now have to tell the person how long you intend keeping it and how you will destroy it. So, no more asking hotel guests if they would like a return visit after two years. The only reason to keep the paper trail is for legal purposes such as accounting.

4. Processed lawfully: You must have obtained explicit consent for each data action you intend to use the data for. So, if you’re a bank and you have to share the person’s name with another bank, you’ll have to get permission to do that. If you’re a hotel and you have to share the name with, say, a safari operator, you have to get permission to do that also. If you do not get consent and anything happens to the data (say someone steals it), you’ll be responsible and risk both Authority and Civil legal action if it gets into the wrong hands.

5. Processed securely: The more people have access to the data, the higher the risk of a data breach. It’s very much in your interests to keep access to a minimum – especially with the worldwide increase in hacking. If the person wants to know how you are dealing with their data, you have to tell them – in writing. And prove it. It would be in your interest to encrypt the data and, in fact, the Regulations make this mandatory.

6. Processed adequately: Only data that is needed for the required activity can be processed. So, no more asking for the type of food people prefer, as that can disclose their religious beliefs. (Think Kosher.) No more asking for a job title to send someone an e-document if it has no bearing on what’s being ordered. No more can you ask for information that may not be useful now but might be in the future.

How will you deal with the New Europe?

These are but the basic Principles. Within them are more regulations and sub clauses than you can shake a stick at.

For instance, if you have a subsidiary company in a European state, you’ll have to install Binding Corporate Rules: a legally binding contract between the two companies, even though they are part of the same group.

If you undertake business with, say, a travel agent or tea broker, you’ll have to create “Model Clauses” that clearly show how you will process their data.

If you don’t create and install these, the chances are that the company will cease doing business with you, because they are open to legal claims even though it’s you who are processing the data.

There’s now less than six weeks before these Regulations come into force.

If you haven’t heard of GDPR, you need to. Your legal team, your compliance team and your IT team all need to be aware of their new responsibilities.

They must take them seriously.

Remember the clock stops ticking on 25 May.

(The writer is a Fellow of the UK’s Institute of Direct & Digital Marketing and Director of Strategy at Direct Solutions Int Ltd. in Colombo.)