GDPR General Data Protection Regulation - Will it be a friend or foe?
2018 is just around the corner and the EU GDPR comes into force on May 25th 2018. The countdown is on. But should we be living in fear of this new law? Is it actually something to fear, or is it really a natural evolution in data privacy?
It was of course inevitable that the laws on data protection and privacy would change; it is the nature of the beast. We live in a globalised society where technology has opened up a whole raft of uninvited guests into people’s private information. And let’s face it, it’s been a decade now since the first enactment. Time for change.
As with all things in life we have to find the balance between the good and the bad. Technology, social media and digital platforms have opened up a realm of opportunities for businesses and individuals; the cost of this is what some may feel is an invasion of their privacy rights.
The GDPR may feel like a looming weight on businesses, but for individuals it provides a layer of protection that patches up the loopholes in its predecessor, the DPA. And we must remember that we are all consumers and individuals affected by this too.
If we reflect back to 1998, didn’t we all feel this weight when the DPA came into force, and then the Mail Preference Service and Telephone Preference Service followed? It means a change in process and implementing better due diligence, but as a business these are things that you would ideally like to advertise to your customers anyway.
The big shift here is the emphasis on accountability, which in the main is being put on to businesses but also in some part on to individuals. The key is in owning the responsibility for what is essentially the key to people’s lives, and in not abusing your responsibility in handling people’s crown jewels.
If you think about it, one’s personal data is so precious and personal (i.e. theirs to own) in terms of what it is utilised for in daily life that it isn’t before time that the powers that be come up with some form of protection against misuse.
So it’s time to stop groaning and climb on board the GDPR gravy train – do not get left behind this time.
The headline stuff…
• The GDPR is a regulation, not a directive, which makes it immediately enforceable by law in every member state without requiring separate national legislation.
• Territories – the GDPR will apply to all organisations that have EU "establishments" where personal data is processed. Business organisations that have EU offices or subsidiaries which promote or market products and services to EU residents will fall into the GDPR category of use. There are certain exemptions known as "derogations".
• Privacy by design – whilst this exists within the current EU directive, under GDPR it will become explicit and is linked to enforcement. It puts the accountability on ensuring you have policies and procedures in place before you begin any new projects – you cannot implement retrospectively.
• Data minimisation – this is about minimising the collection of personal data so that it is “limited to what is necessary” and relevant to the purpose.
• Regulated data – the previous definitions of “personal data” and “sensitive data” have been expanded somewhat, and sensitive data now includes biometric and genetic data.
• Data Protection Officer (DPO) – each European institution/business or group of businesses must appoint at least one person as “DPO”.
• Data Controller – any institution or organisation that is handling personal data is deemed a “data controller” and must ensure that the handling of that data is correct and controlled – compliant with GDPR.
• The right to be forgotten, or right to data erasure – every data subject will have the right to request that the data controller erase his/her personal data and cease any further dissemination of the data.
• Right of rectification – every data subject will be able to request that the data controller corrects any errors in the data held.
• Right of data portability – every data subject can request that their personal data be transferred from one data controller to another. This can be seen as a burden or an opportunity – in essence the customer has the right to move their data from one company to another, and it is the responsibility of the business/data controller to enact this.
• The right to restrict data processing – under GDPR the range of grounds on which a subject can object to the use of their data is much broader – organisations will need to be abreast of these restrictions and of the circumstances under which the subject can object.
• Right of access/subject access right – the data subject is entitled to request access to the details that the data controller holds concerning them.
• Pseudonymisation – a technique for processing personal data whereby the data subject is no longer identifiable.
• Consent –
- consent must be “valid consent”, which is deemed to be a clear and affirmative action from the data subject
- consent must be “freely given”, that is of the subject’s own free will and under no pressure or bribery
- consent must be specific and explicit – the use of the data must be specified clearly and transparently to the data subject, and the data used only for the specific purpose that the subject agrees to/signs up for
- consent must be “informed” – that is to say that the data subject must fully understand the terms under which the data will be used and what they are agreeing to
- the data controller (DC) must be able to demonstrate consent – GDPR puts the burden of proof squarely on the shoulders of the DC
- existing consent may no longer be acceptable under GDPR, therefore all existing consent agreements may need to be re-obtained to re-qualify under the GDPR rules
• Personal data breach – the GDPR implements a new security breach communication law.
• Fines - up to 20 million Euros or 4% of company turnover can be enforced on the spot.
• Supervisory authorities will increase significantly and the EDPB will replace the current WP29.
...And this is just the headline stuff.
There are stacks of information out there about GDPR, with everybody doing a white paper on the subject, but the sheer wealth of information is somewhat overwhelming.
However, in my next article we will look at the positive aspects for business and how best you can prepare for these changes. In the meantime, why don’t you try one of the “GDPR readiness tests” to see where you are on the spectrum of readiness – there are links at the bottom of this article.
Data privacy timeline
1970 – It would appear that as far back as 1970 Germany launched the first Data Protection Act* (Germany Data Protection Act, Bundesdatenschutzgesetz)
1995 – First EU Data Protection Directive launched (Data Protection Directive text)
1997 – Mail Preference Service launched, regulated by the ASA and DMA (MPS)
1998 – Data Protection Act (DPA), the UK implementation of the directive
1999 – Telecommunications (protection and privacy) Regulations launched (TPS)
2010 – EC round table review of the European Union Data Protection Act
2012 – EC Vice President Commissioner Viviane Reding makes proposals to reform European Data Protection Rules (Viviane Reding, European Commission Vice President)
2013 – Vote in the European Parliament on the report for reform**
• EDPS (European Data Protection Supervisor) publishes guidelines on the rights of individuals with regard to the processing of personal data (EDPS Guidelines)
• Q&A on the EU DP inquiry into the proposed reform, and the Memorandum of Understanding between the US FTC and UK ICO, are published (EU news Q&A; FTC and UK ICO MOU)
• UK ICO publishes its corporate plan for 2014–2017 (UK ICO 2014–2017 plan)
• UK ICO presents plans on guidance for data controllers (Iain Bourne presentation on the challenges and guidance for the new proposed GDPR)
• Draft regulation and draft directive to become law
2016 – Deadline for EU Member States (pre Article 50) to bring the draft regulation into effect and put it into the draft directives of each national law (member states have 2 years from the date of enactment to bring the draft regulation into effect)
April 2016 – The European Commission approved the GDPR
*This is the furthest back I could locate in data protection laws; there may be others, but I could not find any.
** Between 2014 and 2016 there have been several stages of evolvement, but I have tried to keep the timeline to the most relevant and pertinent events.
CJEU = Court of Justice of the European Union
Draft Directive = the draft Directive on Personal Data Protection: processing of data for the purposes of prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, and free movement of data
Draft Regulation = the proposal for a Regulation on Personal Data Protection: processing and free movement of data (which may also include the Draft Directive in some contexts)
DAPIX = Working Party on Information Exchange and Data Protection of the EU Council
EDPS = European Data Protection Supervisor
EESC = European Economic and Social Committee of the European Union
EMPL = European Parliament’s Committee on Employment and Social Affairs
Establishment = the recitals state that this implies the effective and real exercise of activity through stable arrangements.
EU Council = Council of the European Union
FRA = European Union Agency for Fundamental Rights
IMCO = European Parliament’s Committee on the Internal Market and Consumer Protection
ITRE= European Parliament’s Committee on Industry, Research and Energy
JURI = European Parliament’s Committee on Legal Affairs
LIBE Committee = European Parliament’s Committee on Civil Liberties, Justice and Home Affairs
Main Establishment = processor or place of central administration of data in the EU
Member States = means a Member State of the European Union (i.e., Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom).
Police and Criminal Justice Directive = Directive on the processing of data for the Criminal Justice purposes of prevention, investigation, detection
UK ICO = UK Information Commissioner’s Office
WP29 = Article 29 Working Party – EU-level advisory body made up of representatives from the DPA and EDPB; this will be replaced by the EDPB under GDPR.
https://www.dlapiperdataprotection.com/ - Data protection around the world
Take the GDPR readiness test