EU GDPR: What businesses really need to know

On 14th April 2016, the European Parliament voted to pass ‘The regulation on the protection of individuals with regard to the processing of personal data and the free movement of such data’ or, as it is more commonly known, the EU General Data Protection Regulation (GDPR). Following the publication of the official texts on 4th May 2016, businesses now have until 25th May 2018 to ensure compliance. As the first part of a two-part series, below is an overview of what businesses need to know about the EU GDPR, to be followed by our action guide for IT.

Regulation overview

Considered a major update to the EU Data Protection Directive that was published in 1995 – which required individual states to proactively implement aspects into their own laws – the EU GDPR was developed to harmonise the patchwork of data regulations that exist across the region. This includes clarifying areas that were previously interpreted differently in different countries and ensuring that regulation enforcement is standardised.

While the full regulation covers many areas, there are a number of aspects that stand out.

  • Fines for non-compliance have increased to four per cent of global turnover or €20 million, whichever is higher, and member states can add their own criminal penalties on top
  • The definition of ‘personal data’ has been widened to include any information that can be used to identify a living person, either by itself or in conjunction with other data
  • The regulation’s scope has been increased to include any organisation that collects (controller) or stores and processes (processor) data on EU citizens
  • Data controllers and processors share joint liability for any data loss incidents
  • Collective redress – citizens are encouraged to work together to sue using class action lawsuits

The user is in the driving seat

One of the main intentions of the EU GDPR is to give control back to EU citizens (data subjects). They have been awarded a new right of action that enables them to make demands of data controllers, and controllers must respond within one month. Subjects can demand access to all of the information that a controller has stored, discover how it was initially sourced and how long it will be kept, and they have the right to data portability. This allows them to confirm that the data is correct and has been collected via consented methods, and to pass the information to another controller if they wish. For example, if a person has had a bank account for many years but wants to open one with a competitor, they may want all the relevant transactional data to pass on; as such, all requested data must be made available in an open, machine-readable format.

If the subject deems the information held on them to be incorrect they can request errors to be rectified. If they believe that the data is no longer necessary in relation to the initial purpose of collection, they can demand its deletion. Businesses must then ensure its removal from any databases to prevent future processing by either themselves or by partner data processors.

In the event of data loss, EU citizens have also been provided with more ability to claim compensation. Alarmingly for businesses, the wording doesn’t restrict compensation strictly to financial loss, meaning subjects can seek returns for impact on time or reputation, or distress caused, a fact that has already been highlighted in the Google vs Vidal-Hall case.

There’s also an increase in class action lawsuits being used in European courts. If data controllers and processors are challenged by subjects over the misuse of information, it may no longer be a one-on-one fight. While not called out specifically in the regulation, a recent example is the ongoing fallout from Morrison’s 2014 data breach; 6000 current and former employees have signed up for a joint lawsuit against the company. It’s a trend that is only going to become more common.

Supervisory authorities and their responsibilities

Each country has its own data regulator – referred to as a ‘supervisory authority’ within the regulation – which is responsible for enforcing the rulings, advising organisations on the requirements and administering fines where necessary. Subjects may complain to their supervisory authority if they feel that data controllers are not meeting standards and, if the regulator does not investigate a concern, subjects can force them to do so. In the UK, the Information Commissioner's Office (ICO) is the EU GDPR data regulator.

Member states already have their individual regulators promoting and enforcing the current Directive; however, the interpretation has differed between countries. Some have enforced the current laws strongly, issuing relatively large fines and naming and shaming penalised organisations, while others have taken a more advisory role, placing a large emphasis on education and training. This difference in approach is a large reason for the variation in awareness and concern around data protection across the region.

In order to standardise how the EU GDPR is enforced, a large section of the regulation has been dedicated to supervisory authorities and how they should work with the EU Data Protection Board. Cooperation between regulators is encouraged, ensuring that those which have so far taken a more laissez-faire approach will become more rigorous, leading to an increase in fines and enforcement.

It’s often the case that potential fines are the only thing that will make businesses sit up and take notice of new rulings. The 1995 Directive left the decision regarding fines to the individual states, which created a spectrum of fine amounts across the region. While the amounts have gradually increased over time – for example, in 1998 the maximum fine the ICO could impose was £50,000, but in February 2016 a company was fined £350,000 – the EU GDPR’s upper fine limit is substantially greater, at four per cent of global turnover or €20 million.

Time to act

While the full regulation will slide very slowly towards the May 2018 enforcement deadline, there is every chance that individual states may introduce their own laws with equivalent rulings. For instance, France has published the new ‘Digital Republic Bill’, which was agreed by the National Assembly on 29th January 2016. It contains many of the same clauses as the EU GDPR including the maximum fine and, if accepted by the Senate, will come into force by late 2016. Any of the other member states could choose to implement their own variant of the EU GDPR, meaning companies really have no time to lose and must begin adopting the measures that will ensure compliance.

Nigel Hawthorn, Skyhigh Networks' European spokesperson