Say hello to the General Data Protection Regulation (GDPR)

In 1995, amid a rapid increase in computer use, the EU introduced a revolutionary piece of legislation called the Data Protection Directive 95/46/EC (DPD). The DPD aimed to protect the personal data of EU citizens from unnecessary data collection and misuse. The legislation was revolutionary at the time, replacing the tangled web of existing (and differing) local legislation with a detailed framework for data processing to be adopted across member states.

However, technology has developed at breakneck pace in the intervening twenty-one years. In 1995, businesses and organisations collecting data were still reliant on paper and floppy disks and had limited storage options. Furthermore, Internet use was not widespread. In short, both the data volumes and the data sources were much more limited.

Since then, the advent of social media and Big Data has created gaps in the legislation. Equally, there has been growing public awareness of and concern over data protection. A survey undertaken by the EU revealed that:

  • 74 per cent of Europeans see disclosing personal information as an increasing part of modern life
  • The most important reason for disclosure is to access an online service, for both social networking and sharing site users (61 per cent) and online shoppers (79 per cent)
  • Over half of Internet users are informed about the data collection conditions and the further uses of their data when joining a social networking site or registering for a service online (54 per cent)
  • Just over a quarter of social network users (26 per cent) and even fewer online shoppers (18 per cent) feel in complete control of their data

What’s different?

The new General Data Protection Regulation has been in development for the past three years and will shake up the current data protection regime significantly on a number of levels. It institutes the 'right to be forgotten', introduces new rules on data transfers outside of the EU, makes data processors liable, implements data breach notification requirements, increases the scope of the organisations covered by extending the reach of European data protection laws, and institutes much higher fines based on a percentage of a company’s annual turnover.

With respect to the cancellation of the Safe Harbor regime that allowed data to be transferred to the US, a suitable replacement for it is still uncertain. Although the proposed Privacy Shield was hailed as a breakthrough, the Article 29 Working Party has now given its view: while not an outright rejection, it raised concerns regarding US intelligence services accessing data and the potential for mass and indiscriminate collection of data under it.

The main points of interest are:

  • Increased fines for breaches of the GDPR, up to 4 per cent of the annual global turnover
  • A 'privacy by design' provision requires that data protection is designed into business services. Ensure that you take measures to protect data from the start of the client engagement
  • Explicit consent must be obtained for the collection and processing of data. Your contracts with clients should include a section on consent
  • Multinational companies working across the EU will be required to appoint an independent Data Protection Officer. This will be a challenging role to fulfil given the breadth of knowledge required, covering both the IT systems involved and the legal aspects of the GDPR
  • International companies based outside the EU, but which hold data inside the EU, will be subject to these regulations
  • 'Right to erasure': a client has the right to request the erasing of personal data. Take steps to understand how you can comply with such a request
  • Data will be prohibited from being transferred outside the EU without approval from a supervisory body

I need to transfer data now, what should I do?

Collecting data in multiple jurisdictions and complying with local, EU and other laws is challenging at the best of times but is exacerbated in this post-Safe-Harbor, pre-GDPR world. Although the EU has set out alternatives such as standard contractual clauses and binding corporate rules as an interim measure, in many cases it is better to avoid transfer altogether. Thankfully, technology is once again ahead of the legislative game and e-discovery providers can offer a number of solutions to the problem of transfer.

For example, rather than transferring data across borders to a data centre, mobile e-discovery technology could be deployed, enabling onsite processing, filtering and data analysis. These technologies have become incredibly powerful over the years and can be used to process large volumes of data in a short timeframe.

Predictive coding technology, a machine learning tool where a human reviewer trains the computer to find data relevant to a case, can also assist in ensuring compliance with the ‘privacy by design’ requirement by segregating and filtering out personally identifiable or sensitive data and reducing the risk of over-collection.

Finally, should a company receive large numbers of ‘right to erasure’ requests, e-discovery platforms and predictive coding can ensure that relevant data is found quickly and deleted in a forensically sound manner.

In summary

Until the Privacy Shield and GDPR are fully confirmed and enacted, transferring data across the Atlantic is still a challenging and complex legal procedure. Furthermore, even when they are both live, the legislation is subject to change and upheaval. However, as the EU, US Department of Justice and privacy campaigners battle it out in the courts, technology can provide elegant and cost-effective solutions for processing essential data during this time of uncertainty.

Luke Aaron, Legal Consultant at Kroll Ontrack