Remember when the information commissioner was first established and the holy principles of the rights of data subjects were pronounced? Back then it felt like a watershed moment in computer security.
Fast forward to January 2016, with a new Act adopted by the EU that (almost) brings together the fragmented implementation across the member states.
If you are asking yourself whether you really should care, because there is already enough on your plate, the answer is ‘yes’, you probably do need to know about the changes for two reasons. Firstly, the changes are significant, and if you were affected before then you should be concerned with these important updates. And secondly, the cost of getting it wrong could be (as your Financial Director might say) “a materially negative event”.
The purpose of this blog is to provide some facts and personal interpretation, and to do it concisely. It is not a complete reference, which would be redundant and self-defeating. The impact assessment working paper alone is 241 pages. I hope this is a useful starting place to launch into deeper reading in the areas that interest you.
Some aspects of the Act itself are unclear in how they may be implemented, and I’m not going to write in depth as the Act itself is available online along with notes that don’t need to be duplicated.
Highlights at a glance:
- Reform comprises two instruments – GDPR and Data Protection Directive
- Reform of the 2012 act, adopted early 2016 and coming into enforcement 2 years later
- Individuals to be given more control over how their data is used
- Data must be portable between service providers
- More transparency, and easier to understand policies
- Act to be implemented in the same way across the EU
- A new risk-based approach
- Protection by design
- Breach notification window defined
- Much bigger fines
This isn’t the full list, but for many people these are the areas that they need to give the most consideration to.
The instrument we’re mainly focusing on is the General Data Protection Regulation (GDPR). The Data Protection Directive is aimed at EEA countries that export data outside the EU. It aims to ensure the same level of EU protection is offered on data that leaves the EEA. Of course the most notorious example of this is the now-defunct and debunked US Safe Harbour agreement, which is now being hastily replaced by the EU-US Privacy Shield, which is now (or is not) a legal requirement, depending on who you ask.
"My understanding is that [the European data authorities] are holding in abeyance enforcement actions while they undergo these evaluations," FTC Commissioner Julie Brill said late January 2016.
24 hours earlier a senior European official had expressed the opposite view.
“If a company is using the former Safe Harbor, this company is in an illegal situation,” said Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Group — which comprises the data protection authorities of each of the 28 EU member states.
GDPR is thankfully more complete, although there are still areas that vex the lawyers. For example, while most areas of the act can be applied uniformly across all member states, there is no single definition on what age a child becomes an adult. In some countries a 14-year-old is a child, but not in others. The best advice I have heard a lawyer give is to ‘ride the least mangy horse’. In other words, do your best and hope they don’t feel like making an example if you get caught.
Who is Affected
If your company is in the EU this act applies to you. Some companies may inadvertently ‘drift’ into the regulation's grasp either through a lack of understanding on how data moves around their network, or through an outsourced provider.
SME Special Consideration
If you are an SME it is worth looking at the way the Act reduces the compliance burden that larger companies must adhere to. According to the Act, SMEs:
- Do not need to have a Data Protection Officer
- Do not need to keep records of data they are processing unless it is likely to result in a ‘risk for the rights and freedoms’ of the data subject
- Do not need to advise data subjects of a security breach unless it is likely to result in a ‘risk for the rights and freedoms’
- Do not need to carry out impact assessments unless there is a high risk involved
- Can charge a fee for excessive data requests
Anonymising Data is Key to Reducing Burden
Clause 23 of the act reminds us that Data Protection is largely concerned with the privacy and rights of an individual. If an individual is not identifiable, then the protections are not required. The clause is reprinted below.
“The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.”
The concept of anonymising or using pseudonymous data is covered in the ‘Secure by Design’ principle.
Two years is a long time
Let’s be honest, there are more urgent things that need fixing now, like patching the latest vulnerability and getting ready for the auditors' visit, so this can wait, can’t it?
Yes. Maybe. It depends. If you’ve got a straightforward business, without offices in and out of the EU, then maybe it’s not your top priority. If on the other hand you have bespoke systems, maybe databases that underpin your company’s marketing or customer management, then you should start reviewing the impact of this legislation now. I know some customers of mine who will certainly need to change their databases, their applications and their policies to meet the Protection by Design principle, and this cannot happen without a lot of planning.
More Power to Individuals
You will be required to provide more information to your data subjects on how you use and process their data. The information must be clear and understandable, and you should be able to action requests such as the ‘Right to be Forgotten’ principle, or the new Portability principle discussed below.
Data subjects must give organisations explicit consent under the new rules. Implicit consent is no longer considered acceptable.
Portability of Data
Individuals should be able to move data and all its ‘richness’ to a new service provider if they request it. The purpose of this principle seems at least in part to be aimed at stimulating competition by requiring large incumbent service providers (think Facebook) to make all the information they hold on a subject available (at that subject’s request) to a new service provider. The hope is that this will make new start-ups less disadvantaged from a lack of historical information on the subject.
Making Policy Clear
You will be expected to have a policy that is clear and understandable, and you are expected to keep the policy up to date in accordance with changes in your working practices.
The second part of this blog post focuses on how organisations should implement GDPR, and what steps they can take to ensure they will be compliant when it is enforced.