The General Data Protection Regulation comes into force on the 25th of May 2018. It will completely revamp the data protection framework for companies not just in the EU but globally. It replaces the former regulation, the Data Protection Act 1998. In 1998, Facebook and Twitter didn’t exist, Google was to be founded later that year and Snapchat CEO Evan Spiegel was only 7 years old. Over the past 20 years tech companies have boomed and now hold unprecedented quantities of personal data. The amount of data that can be obtained from data breaches is now enormous, placing greater significance on data security than ever before. The legal framework simply wasn’t strict enough on companies, given the amount of data they hold. It is hoped that the GDPR will truly bring our data protection legislative framework into the 21st century.
- The GDPR requires companies to take more responsibility for the huge amount of data they hold. Companies are now obliged to have better procedures and security measures in place.
- The necessary measures are proportionate to risk. The more data, or the more significant the data, a company processes or retains, the higher the standard of security and procedure required of it.
- Companies must now gain explicit, positive consent to gather personal data.
- Data subjects can require companies to disclose all the information they hold on them. They also have the right to erasure within 30 days of request.
- Companies can now face huge fines for breaches (up to 4% of global revenue). The ICO is, however, unlikely to take a draconian approach during the early phases of implementation.
- The implementation of GDPR is not the finish line. It is a continuous process of assessment and protection.
What is it?
The GDPR is an EU regulation designed to give individuals more control over their personal data. It also aims to ensure that companies protect personal data better and do not misappropriate it. The regulation imposes new obligations on any company that processes the data of EU nationals. This means multinational non-EU companies are required to adhere to this legislation for their EU-based users. The GDPR also imposes harsher penalties on those who fall short of its requirements.
What does it introduce?
It imposes new obligations on anyone holding personally identifiable information of EU nationals. Personal data includes anything that can be used to identify a person, e.g. names, dates of birth, email addresses, IP addresses and even cookies. Sensitive personal data is also protected. This includes sexual orientation and religious and political views. Any person whose data is collected or processed is a data subject.
Controllers and Processors
The new regulations make a clear distinction between data controllers and data processors. Data controllers decide how and what data is collected and how this data is used. Processors facilitate data collection or provide the framework (e.g. cloud storage providers). Lawyers, accountants and professional advisors are considered data controllers as they exercise professional skill and judgement over the data they receive.
Controllers have the most significant obligations under the GDPR. They must also ensure that the data processors they use have sufficient data protection safeguards in place (e.g. encryption). Controllers are legally responsible for protecting all personal data they receive, even if they use third parties to process this data. Controllers must arrange for regular assessment of their data processors’ security. They must also have an agreed code of conduct, ideally set out in a contract.
Consent is the cornerstone principle of the GDPR. Data can only be collected and/or processed where users explicitly consent. Data controllers must obtain a “freely given, specific, informed and unambiguous indication … either by a statement or by a clear affirmative action, signifies agreement” to the use of personal data.
Users must be told clearly (i.e. not buried in 4,000 pages of terms) what data is being collected and how the data is being used. Controllers must have a clear and legitimate purpose for collecting the data. Companies must also explain for how long they will retain the data and have a legitimate reason for this length of time. Each user’s consent must be demonstrable, showing how and when consent was obtained. Users must also be able to withdraw their consent as easily as it was given.
Data Subject Access Requests
Individuals can now require companies to disclose the data they have collected on them. This should be provided in a clear and understandable way. The response should also give details of the purposes of the data collection. The request must be executed without undue delay and at the latest within 30 days of receipt of the request. SMEs may charge fees for providing access where the request is “manifestly unfounded or excessive”.
Right to erasure
Controllers must delete all data held on a data subject on request, without undue delay, where the legal basis for processing and retaining the data lapses. Meeting any one of the following example criteria would oblige companies to erase data:
- The data was unlawfully collected.
- The data is no longer necessary to retain for the purposes for which it was originally collected.
- The data subject withdraws the consent that was the original basis for processing.
Companies may, however, reject the right to erasure if they have a legal basis for retaining the data. This may include retaining data to exercise freedom of expression, to meet legal or regulatory obligations to retain the data, to the extent that it is required in the interest of public health, or to carry out a task in the public interest.
Under the GDPR, breaches of personal data include the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. When a breach occurs, data processors must notify the data protection supervisory authority “without undue delay” and, where feasible, no later than 72 hours after becoming aware of the breach. Any longer than 72 hours requires a “reasoned justification” for the delay. In the UK, the Information Commissioner’s Office (ICO) is the relevant supervisory authority. If the breach poses a risk to the “rights and freedoms” of individuals then it must also be disclosed to all the relevant data subjects.
Companies are exempt from this disclosure if they had implemented appropriate technical protection measures, such as encryption, or have, subsequent to the breach, taken appropriate measures to prevent the risk to those rights from materialising. Controllers may also be exempted from disclosure to each data subject where notifying each of them would “involve disproportionate effort”.
Data Protection Officers
Public authorities and companies with over 250 employees must now have an appointed data protection officer. They will be responsible for the consistent monitoring of data within the organisation. They will also be responsible for communication with the Information Commissioner’s Office.
Fines are huge under the GDPR. If a company breaches the regulation it can face fines of up to €20 million or 4% of global annual turnover (whichever is higher). In 2015, TalkTalk saw the data of 157,000 customers unlawfully breached in a hack and the ICO fined them £400,000. Under the GDPR they could be fined up to £71 million for a breach of this nature.
How businesses implement the GDPR
The new regulations require a risk-based approach by every company. The obligations on Google or Facebook will be far greater than those on a sole trader. Companies need to identify their risks of data breaches, analyse their current procedures and then take action accordingly.
While the GDPR is a bit of a quagmire for businesses, it is a cash cow for advisors, as it overlaps so many different sectors. IT consultants, lawyers, management consultants and compliance advisors all have their own offerings. Lawyers can provide guidance on the legislative obligations. Consultants offer policy and procedural guidance and templates. It is primarily IT companies who can provide the final implementation and system upgrades (if necessary). At some point, most businesses will call on at least two of these advisors to help with the process. Despite this, the implementation process across the board is relatively standard.
Companies have undertaken, or will undertake, internal data audits. They review what data they have, what data they collect and how it moves in and out of the organisation. Following this audit, companies produce a gap analysis report to identify any inadequacies in their data processing systems and procedures. Companies also review their terms and internal policies to ensure they are compliant. Once policies have been updated and technical and operational inadequacies have been addressed to meet the relevant standards, the foundation of implementation will be set. GDPR compliance is, however, a continuous process. Once implemented, procedures and systems will need to be regularly reviewed to ensure that data is as secure as possible and conduct remains compliant. While this sounds straightforward, the analysis of personal data flows in a company is a highly onerous process. For most businesses, numerous unforeseen data issues arise.
For example, many professions require all business calls to be recorded and retained. If personal data is disclosed in casual phone conversations on recorded lines, the company will be responsible for this data under GDPR. There are many avenues from which personal data can be obtained, so in some cases, employee conduct may need substantial overhaul.
Disclaimer: this article is a summary of the regulation and a general overview of current practice. Under no circumstances should this article be taken as advice of any nature. For the full legal text click here.