The General Data Protection Regulation (GDPR) has come about because of the need to reform the 1995 Data Protection Directive, which since its inception has resulted in an enforcement regime that has differed significantly from EU country to country and, in some cases, even within the same country.
GDPR - aims and impacts
Essentially, GDPR aims to put people back in control of their personal data, enhance and build trust in social media and online shopping, and upgrade the protection of personal data processed by police and judicial authorities. The regulations will apply unilaterally in all EU member states, with the official compliance date being 25th May 2018. There are four ‘pillars’ of the new regulation:
Pillar One: one continent, one law with effective sanctions
The regulation will apply uniformly throughout individual EU member states without the requirement for any national implementing legislation to give it legal effect. This brings a much-needed harmonisation of data protection law across the single European market and provides a level playing field for business through one single law applicable to any business across the EU. This is expected to save businesses up to €2.3 billion per year.
There are significant fines for breaches of the regulations. These fines are presented in two tiers: Tier one - Up to €10 million or up to 2 per cent of annual worldwide turnover, whichever is higher. This level of fine will be imposed for infringements of the regulations where, for example, no written contract is in place between the controller and the processor of data.
It is now the responsibility of organisations that possess and control a subject’s personal or sensitive data to have a clear and concise written contract in place if passing it to a third party (a Data Processor).
Tier two - Up to €20 million or up to 4 per cent of annual worldwide turnover, whichever is higher. This level will apply where, for example, a company doesn’t obtain explicit consent from a data subject for the processing of sensitive personal data.
Pillar Two: Non-European companies will have to stick to European data protection law if they operate on the European market
This provides for wider territorial scope as the regulation will apply to organisations outside the EU. If organisations outside the EU process personal data in connection with the provision of services to, or monitoring of, individuals located in the EU, they’re in scope. Individuals will have the right to refer all cases to their home country national data protection authority, even if the data is processed outside of their home country.
Pillar Three: The right to be forgotten / the right to erasure
When an individual no longer wishes their data to be processed and there are no legitimate grounds for retaining it, the data must be deleted. This is about empowering individuals, not about erasing past events or restricting freedom of the press. More specifically: ‘Right to be forgotten’ is now being referred to as a ‘right to erasure’. This means the onus will be on data controllers to prove that they need to keep the data, not on the data subject.
There are further clarifications: where a particular type of storage technology does not allow for erasure, the data subject has a right to have the data “restricted” as opposed to erased. To strengthen the right to be forgotten, every individual will have the right not to be profiled. Profiling is any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour.
Pillar Four: a “one-stop-shop” for businesses and citizens
The concept of a one-stop shop has been discussed. The idea is that organisations would have a single supervisory/regulatory authority overseeing their data processing activities across all EU Member States. However, this is now likely to be a “lead authority” which would be required to consult with all other competent authorities. It’s likely there will be significant further discussion on this point in order to clarify specific supervisory requirements.
What this means for individuals
The primary aim of the data protection reforms is to strengthen citizens’ rights. Enhanced data protection rules will strengthen the control an individual has over their personal data. The following elements will be significantly improved for the data subject:
Freely given consent
This puts the data subject in control: when consent is required to process personal data, the subject must be asked to give it explicitly. It cannot be assumed. Businesses and organisations will also need to inform the data subject without undue delay about data breaches that could adversely affect them.
Easier access to data
A right to data portability will make it easier for the data subject to transfer their personal data between service providers.
Disclosure to third party authorities
Data subjects will have the right to know if their personal data has been disclosed to a public authority at the authority’s request. Such transfer of personal data required by a third country court decision or by an administrative authority will be (mostly) prohibited. This will change the current exemptions in place for frequent or large-scale data transfer and use of traffic and location data by public authorities for national security and law enforcement activities.
‘Privacy by design’ and ‘privacy by default’
These will become essential principles in EU data protection rules. This means that data protection safeguards should be built into products and services from the earliest stage of development, and that privacy-friendly default settings should be the norm – for example on social networks.
Privacy settings are set at a high level by default. Data Protection Impact Assessments (Article 33) have to be conducted when specific risks occur to the rights and freedoms of data subjects. Risk assessment and mitigation are required, along with prior approval of the DPA for high risks.
There are a number of significant changes that businesses should start to prepare for now.
Mandatory notification of data breach
Under the new regulations, there are mandatory notification requirements to data subjects and other relevant authorities. This may potentially lead to the requirement for notification within 72 hours.
As any business unfortunate enough to have suffered a data breach can attest, in a crisis situation, being organised enough to provide a detailed notification to affected customers (or indeed regulators) is a difficult task on its own. When this is combined with required incident response processes, identifying the cause of the breach and attempting to close the vulnerability that allowed the breach to happen, all while determining the extent of the damage, it becomes exponentially more difficult.
A 72-hour data breach reporting window will prove enormously challenging for organisations. Without ready-prepared response and communications plans and procedures, it may prove impossible for organisations to notify within a compliant timeframe.
Mandatory appointment of a Data Protection Officer
Organisations will be required to appoint a dedicated Data Protection Officer (DPO) if their core activities involve regular and systematic monitoring of data or processing of data. This relates to sensitive personal data, including biometric or genetic data or data relating to criminal convictions or criminal records.
Additionally, any public authority or body will also be expected to appoint someone to the role. In the above circumstances, the following conditions must be met when hiring or appointing to the position. The Data Protection Officer must demonstrate professional competency and experience. The Data Protection Officer must be appointed for a minimum term and must also have certain minimum qualifications. The DPO must be independent, and monitoring of DPOs will be the responsibility of the Regulator rather than the Board of Directors.
Appointment of a suitably qualified and experienced individual will be a challenge for most organisations. The pool of adequately experienced data protection professionals is currently small. Even those currently employed in the area may not have the required or appropriate certifications to meet the regulatory expectations.
Many organisations may plan on appointing an existing staff member to the role. However, the DPO must be demonstrably independent of the organisation (“in the company, but not of the company”), and will be answerable externally to the Lead Authority. Management of any perceived conflict of interest will be difficult. As a result, it is expected that an outsourced model will be employed by many organisations to address the above concerns.
Sanctions with more teeth
The increased financial impact of fines and the expected frequency of their enforcement will be a concern for most organisations. While the cost of implementing data protection/privacy measures may be a significant outlay, it must be considered justifiable in respect of the potential cost that may be accrued in their absence or in the event of a data breach.
Initial cost of compliance
Some of the new requirements will require organisations to refresh or realign their practices. The impact of this may be costly. Changes to how consent is explicitly obtained will require changes at a business level, particularly for companies that engage in direct marketing or plan on continued engagement with their customers.
Technical measures to ensure consent is explicitly obtained will also result in development cost. For example, updating web-based forms, cookie pop-ups and marketing emails will all require some measure of development to become compliant.
Organisations that rely on analysis of personal data, user activity tracking or monitoring may, in a worst case scenario, lose fundamental capability in the event that the data subjects analysed refuse consent to be profiled. As a result, the business model may need to be refined to remain viable. To ensure the new data portability measures are met, some organisations may need to fundamentally change their approach to how data is structured so that they can respond swiftly to any data movement requests received.
Responding to data subject requests may incur both time and financial expense. The process by which data subjects can engage with and request modification/removal of their data will be made simpler; organisations can expect to see an increase in the requests made by data subjects. Providing subject access responses already takes time – responding to right to erasure measures, for example, will also be a drain on company resources.
Where the right to be forgotten is enacted by a data subject, organisations will need to fully demonstrate that this has been completed at a defensible technical level. Ensuring removal of data across systems to meet that level will often be time consuming and costly.
For the many businesses that must comply with GDPR, the best way to prepare is to implement a solid data protection strategy and process that ideally should include best practice security controls. The legislation does not require any specific type of technical controls. However, best practice would be to implement state of the art technical controls to render personal data unintelligible to users not explicitly authorised to access it. Controls could include: user access control mechanisms, encryption and redacting data where full access is not required.
It should be noted that the data protection reforms are not entirely bad news for organisations. Whilst not necessarily wholly self-evident, there are many benefits to compliance with the new reforms. Reducing the likelihood of a breach means avoiding fines associated with non-compliance and reputational damage from adverse publicity.
Other ‘wins’ could be reinforcement of customer focus and governance rigour amongst stakeholders and reassurance to both customers and regulators that best practice has been followed. Also, completion of privacy impact assessments can help ensure that problems are identified at an early stage: addressing them early will often be simpler and less costly.
The new compliance requirements may also be a driver for business process re-engineering. An organisation may take the opportunity to save money and reduce compliance cost by minimising the amount of information being collected or used where this is possible. This may result in more straightforward processes for staff.
The bottom-line message is that organisations that want to be ready for the Data Protection Regulation reform should immediately start developing and implementing a data protection programme.
Sean Hanford, information governance consultant, bluesource