The EU’s General Data Protection Regulations explained

The EU’s General Data Protection Regulations (GDPR) may not be the most exciting topic on your agenda (!) but it is important as new rules to be published shortly will replace current laws on protecting personal data.

A draft was published earlier this year; it is still being discussed but it should be agreed in early 2016. It will then pass directly into law although it will be 2 years before you have to comply with it. This means you don’t have to panic until 2018. (But you should start thinking about it now.)

The rules are designed to give people control over of their personal data and to simplify the regulatory environment for business.

By the way, there is also a Network Information Security Directive aimed at curbing cyber crime. This is different: don’t get them confused!

The GDPR draft is still under discussion so the following information may change; however, the important points are likely to be as shown below.

  • Definitions:
    • Personal data is defined as ‘any information relating to a data subject’ (that’s you or me). The ICO defines it more helpfully as ‘any detail about a living individual that can be used on its own, or with other data, to identify them’. This can include photos, email addresses and perhaps even computer IP addresses
    • Processing data means pretty much anything – collecting it, storing it, analysing it, sharing it…
    • A data controller is the person who decides what can be done with personal data; often they are the people who have collected the data; they will appoint a data processor, sometimes in their organisation but often outside it
    • A data processor processes the data  on behalf of the controller; the new rules will increase responsibility on these people
  • Geography: The regulations will apply if the data controller or the data processor or the data subject is in the EU; so it applies to, say, US companies processing UK data
  • Employment data is excluded and member states can create their own rules for this
  • Fines for non-compliance will increase. The current draft proposes a maximum of Euro 1million or 2% of global turnover although there has been discussion of a higher level of Euro 100 million of 5% of global turnover. Ouch.
  • Existing data protection principles remain and these include:
    • Data processing must be fair to the person concerned, lawful (i.e. with their consent or to fulfill a contract with them) and transparent (i.e. they are able to see its results)
    • Data processing can only be for the purpose specified when the data was collected
    • Only data relevant to purpose specified can be collected
    • Data must be accurate and up to date as far as possible
    • Data can only be held as long as needed for the purpose specified, although if the data is needed for legal purposes it can be kept as long as any further processing is “limited” (i.e. you can’t carry on using it)
    • Data must be secure
  • Certain organisations must appoint a Data Protection Officer (DPO); these include:
    • Public bodies; organisations processing data from more than 5000 people; organisations employing over 250 people that process personal data; and organisations where data processing involving systematic monitoring of people is the core activity
    • DPOs will advise organisations about the rules and monitor compliance with them; they must be free to operate as they think fit (“independent”) and will need a range of skills beyond compliance monitoring: they must be able to manage IT processes (e.g. controlling access to data, retaining data), data security (including dealing with cyber-attacks) and other critical business continuity issues
    • DPOs must be offered a minimum 2 year contract term – so you can’t get rid of them if you don’t like what they are doing, unless they prove unable to perform their duties
  • When high risk activities are proposed e.g. the processing of data that could result in financial loss, identity theft, discrimination, damage to reputation, and loss of professional confidentiality, Data Protection Impact Assessments (DPIA) must be conducted
    • The DPIA must contain a description of the data and the processes used, an evaluation of any risks to the data, and description of how you propose to manage those risks
    • The local data protection authority (DPA), which in the UK would be the Information Commissioner’s Office, must authorise (or forbid) high risk data processing after reviewing the DPIA (this requirement is contentious and may be removed)
  • Data collection requires consent; consent must be opt in (“clear affirmative action”) which means you can’t have a ready-ticked opt-in box; and the opt in must be specific (not part of a wider agreement)
    • Data about minors (up to 13 years old) can only happen with the parent’s consent
    • Sensitive data (e.g. about religion, ethnicity, etc) cannot be processed
    • Consent for the use of data for “direct marketing” must be explicitly obtained; this doesn’t appear to rule out highly targeted mass marketing where people are not addressed by name – but see the next point
    • Automated profiling that could have some form of “legal effect” and which is based on (or which will predict) personal characteristics such as performance at work, economic situation, location, health, personal preferences, reliability or behaviour is forbidden unless specifically requested by the person concerned
  • Data breaches must be reported to the Data Protection Authority (the ICO) and also to the victims (unless the data was encrypted)
  • Data transfer out of the EU is only allowed under certain conditions. This means that the use of cloud computing services (such as Google Docs, Dropbox and Gmail) is likely to be problematic if personal data is involved as the data may not be secure, may not be held in the EU, or may be shared by the cloud service owner; remember this applies to “informal” cloud computing use by employees – whether or not you know about it

There are a number of things that organisations need to start thinking about in order to ensure they are compliant. Talk to a lawyer when the final wording is approved but in the meantime consider the following:

  • Identify any personal data that you hold
  • Think about how you can timestamp and put time limits on holding personal data
  • If you want to hold data for analysis purposes after you have used it for its original purpose, think about how you can anonymise it, so that it remains legal to hold (“pseudonomysing” data, e.g. by hiding personal details, so that it can be “re-personalised” at a later date won’t help)
  • Develop a system that enables you to pull off any personal data if it is requested by the relevant person
  • Formalise your data protection policies and processes – and keep records
  • Think about how you are going to manage cloud computing, and also the use of home computers, smartphones and tablets by employees: if you don’t do this then your employees may create compliance failures for you
  • Be aware of the potential of Big Data analysis techniques to create new personal data – even accidentally; for instance an anonymous record of a disability or a first name linked to a postcode could result in new personal data
  • Ensure appropriate security so that unlawful destruction or processing, such as unauthorised disclosure or access, is prevented

Take the protection of personal data privacy seriously. Compliance with the GDPR shouldn’t be a tick-box exercise. Privacy needs to be designed into your business processes for legal and ethical reasons.

Protecting yourself online

We may have a right to online privacy according to the recent European Court of Justice judgement. But don’t expect that it will be easy to become anonymous online just because of that. It is still very important to protect yourself from danger online. Especially if you are a prominent person like a company director. Here are some simple but important things you should do.

Review your security

Review whether you have existing security risks by checking your social media privacy settings. Who can see your posts?

  • If you use Twitter, check whether you are exposing yourself to danger on Twitter using the free service at myprivacyaudit.com.
  • And to tighten up your privacy on Facebook, YouTube, LinkedIn and Google use the free privacyfix.com service (with this service take care not to “deactivate” your Facebook account completely as this is an option).

If you need to make yourself findable online for business purposes, then run two profiles: a private personal profile and a public business profile. But do follow the guidelines below on both your public and private profiles. Check your current “findability” status regularly. Google yourself, together with data that criminals might use to steal your information. (If you are doing this on a mobile device make sure your clear your search history afterwards in case your phone gets stolen.) It is also sensible to conduct regular searches for the profile image you use on social media sites using Google image search.

Don’t tip burglars the wink

Don’t post content or a picture on Twitter and Facebook that tells people you are away from home. For instance, if you are an overseas conference then use the company Twitter account rather than your own. Post holiday photos when you get back home. (Follow this rule even if you are sure of your social media privacy settings: your friends might forward content on to third parties, or their security settings might be vulnerable allowing people to see your posts.)

Avoid using services like Foursquare or TripIt that can tell people where you are or when you are going away. If you are going to use them then set up your account with a pseudonym. And disable any geo-location functionality when using social media (e.g. under the Twitter accounts/security tab).

Protect yourself from impersonation

Don’t post any information that could be used to steal your identity. This includes:

  • Your birthday (I have an “internet birthday” which I use; because it is always the same then it is easy to remember if I need it to log onto a site)
  • Your place of birth
  • Any middle names
  • Information that banks or ecommerce sites typically use to establish identity (e.g. pet names, primary school, mother’s maiden name)
  • Information relating to regular payments you make (for instance if you tell people you go to the gym it is possible that this means you have a regular payment to the gym and criminals could use this information)

Protect your social media accounts

If your social media accounts get hacked then people can use them to contact your friends and potentially extract confidential or risky information from them.

Most of the time people who hack your social media or email accounts will be spammers: embarrassing but not a disaster. But, especially if you are prominent individual, such as the director of a large company, you will be at risk of someone trying to steal your identity.

There are some basic precautions you can take. The most important is to use a strong password: at least 8 characters including lower and uppercase letters and numbers. Make sure you use different passwords for each site. It’s easy to do this with a simple trick:

  • Start with the same password for each site: make up a phrase that means something to you like “I love my two boys Caspar and Tarquin” and then use the first letters to create a password: Ilm2bC&T
  • Decide on a rule like using the first letter of the site in lowercase and the third letter of the site in uppercase in the second and third position within the password.

So if I chose the password Ilm2bC&T my Facebook password would be IfClm2bC&T and my Twitter password would be ItIlm2bC&T (those are not my passwords by the way!) You can get some more hints about avoiding getting your social media sites hacked in this earlier blog post.

Protect your family

Don’t tell people when you are away from home, especially if there are young or old people at home who might be vulnerable without you.

Don’t post pictures of your children; if you really must then never tag them with their name and avoid anything that might give away their birthday (such as saying that the photo is of their birthday party). And ask your friends not to as well (explain why and tell them they should be protecting their children too).

Make sure your children know not to post personal information about themselves including:

  • Name and photograph: make them use avatars instead – even when they think they are talking to friends (no one knows you are a dog on the internet…)
  • Address and home phone number
  • Personal information like birthdays and the name of their school
  • Any “home alone” status on social networks.

At least up to the age of 16, monitor what they post and who they communicate with. I believe it is your duty to care for them in this way, even if it seems like spying (after all you wouldn’t let them talk to that creepy man in the park would you).

What to do if the information is “out there”

Some risky information will probably be out there. Your Friends may have posted it. You may have posted it in the past and be unable to delete it. Your mother’s maiden name may be available on a genealogy site. And if you are a company director your birthday and home address are probably going to be available.

Or the information could leak out. You may have set your privacy settings on Facebook so only your friends can see your posts but what if their account gets hacked or they forget to log out of Facebook when using a publicly accessible computer e.g. at a library, or their mobile phone gets stolen?

If you know what is out there you can increase your safety. So do that search. Once you know the risks you can try to take action. You could for instance ask your bank to change your mother’s maiden name to a codeword. And if your birthday is available then posting an alternative birthday on Facebook may give you some protection as that is where thieves will look first.

You will never be able to protect yourself completely. But you can at least make yourself more secure than other people. After all, if you are camping in the woods and a hungry bear comes along you don’t need to run faster than the bear. You just need to run faster than the people you are with! Any suggestions to strengthen this information, then please do get in touch.