The EU’s General Data Protection Regulations (GDPR) may not be the most exciting topic on your agenda (!) but it is important as new rules to be published shortly will replace current laws on protecting personal data.
A draft was published earlier this year; it is still being discussed but it should be agreed in early 2016. It will then pass directly into law although it will be 2 years before you have to comply with it. This means you don’t have to panic until 2018. (But you should start thinking about it now.)
The rules are designed to give people control over of their personal data and to simplify the regulatory environment for business.
By the way, there is also a Network Information Security Directive aimed at curbing cyber crime. This is different: don’t get them confused!
The GDPR draft is still under discussion so the following information may change; however, the important points are likely to be as shown below.
- Personal data is defined as ‘any information relating to a data subject’ (that’s you or me). The ICO defines it more helpfully as ‘any detail about a living individual that can be used on its own, or with other data, to identify them’. This can include photos, email addresses and perhaps even computer IP addresses
- Processing data means pretty much anything – collecting it, storing it, analysing it, sharing it…
- A data controller is the person who decides what can be done with personal data; often they are the people who have collected the data; they will appoint a data processor, sometimes in their organisation but often outside it
- A data processor processes the data on behalf of the controller; the new rules will increase responsibility on these people
- Geography: The regulations will apply if the data controller or the data processor or the data subject is in the EU; so it applies to, say, US companies processing UK data
- Employment data is excluded and member states can create their own rules for this
- Fines for non-compliance will increase. The current draft proposes a maximum of Euro 1million or 2% of global turnover although there has been discussion of a higher level of Euro 100 million of 5% of global turnover. Ouch.
- Existing data protection principles remain and these include:
- Data processing must be fair to the person concerned, lawful (i.e. with their consent or to fulfill a contract with them) and transparent (i.e. they are able to see its results)
- Data processing can only be for the purpose specified when the data was collected
- Only data relevant to purpose specified can be collected
- Data must be accurate and up to date as far as possible
- Data can only be held as long as needed for the purpose specified, although if the data is needed for legal purposes it can be kept as long as any further processing is “limited” (i.e. you can’t carry on using it)
- Data must be secure
- Certain organisations must appoint a Data Protection Officer (DPO); these include:
- Public bodies; organisations processing data from more than 5000 people; organisations employing over 250 people that process personal data; and organisations where data processing involving systematic monitoring of people is the core activity
- DPOs will advise organisations about the rules and monitor compliance with them; they must be free to operate as they think fit (“independent”) and will need a range of skills beyond compliance monitoring: they must be able to manage IT processes (e.g. controlling access to data, retaining data), data security (including dealing with cyber-attacks) and other critical business continuity issues
- DPOs must be offered a minimum 2 year contract term – so you can’t get rid of them if you don’t like what they are doing, unless they prove unable to perform their duties
- When high risk activities are proposed e.g. the processing of data that could result in financial loss, identity theft, discrimination, damage to reputation, and loss of professional confidentiality, Data Protection Impact Assessments (DPIA) must be conducted
- The DPIA must contain a description of the data and the processes used, an evaluation of any risks to the data, and description of how you propose to manage those risks
- The local data protection authority (DPA), which in the UK would be the Information Commissioner’s Office, must authorise (or forbid) high risk data processing after reviewing the DPIA (this requirement is contentious and may be removed)
- Data collection requires consent; consent must be opt in (“clear affirmative action”) which means you can’t have a ready-ticked opt-in box; and the opt in must be specific (not part of a wider agreement)
- Data about minors (up to 13 years old) can only happen with the parent’s consent
- Sensitive data (e.g. about religion, ethnicity, etc) cannot be processed
- Consent for the use of data for “direct marketing” must be explicitly obtained; this doesn’t appear to rule out highly targeted mass marketing where people are not addressed by name – but see the next point
- Automated profiling that could have some form of “legal effect” and which is based on (or which will predict) personal characteristics such as performance at work, economic situation, location, health, personal preferences, reliability or behaviour is forbidden unless specifically requested by the person concerned
- Data breaches must be reported to the Data Protection Authority (the ICO) and also to the victims (unless the data was encrypted)
- Data transfer out of the EU is only allowed under certain conditions. This means that the use of cloud computing services (such as Google Docs, Dropbox and Gmail) is likely to be problematic if personal data is involved as the data may not be secure, may not be held in the EU, or may be shared by the cloud service owner; remember this applies to “informal” cloud computing use by employees – whether or not you know about it
There are a number of things that organisations need to start thinking about in order to ensure they are compliant. Talk to a lawyer when the final wording is approved but in the meantime consider the following:
- Identify any personal data that you hold
- Think about how you can timestamp and put time limits on holding personal data
- If you want to hold data for analysis purposes after you have used it for its original purpose, think about how you can anonymise it, so that it remains legal to hold (“pseudonomysing” data, e.g. by hiding personal details, so that it can be “re-personalised” at a later date won’t help)
- Develop a system that enables you to pull off any personal data if it is requested by the relevant person
- Formalise your data protection policies and processes – and keep records
- Think about how you are going to manage cloud computing, and also the use of home computers, smartphones and tablets by employees: if you don’t do this then your employees may create compliance failures for you
- Be aware of the potential of Big Data analysis techniques to create new personal data – even accidentally; for instance an anonymous record of a disability or a first name linked to a postcode could result in new personal data
- Ensure appropriate security so that unlawful destruction or processing, such as unauthorised disclosure or access, is prevented
Take the protection of personal data privacy seriously. Compliance with the GDPR shouldn’t be a tick-box exercise. Privacy needs to be designed into your business processes for legal and ethical reasons.