The General Data Protection Regulation or GDPR imposes new and arduous burdens on business and other organisations across Europe from May 2018. Behaviours will have to change and companies have to make sure they are ready for the deadline or face fines up to 20 M euro. This primer summarises some aspects of the GDPR which will impact businesses – a regulation which will significantly overhaul Europe’s data protection legislation at a time when information systems and digital business underpin most business growth strategy.
The draft GDPR legislation started in January 2012 and took four years to wind its way through the commission and the parliament. Four years of intensive debate, negotiation and lobbying, resulted in a very detailed 88-page regulation which will become law across Europe on the 25th of May 2018 (Article 99 (2)).
GDPR is one of the most wide-ranging pieces of legislation passed by the EU in recent years, and introduces new concepts such as the ‘right to be forgotten’, data portability, data breach notification and accountability and many others will place new burdens on European businesses and business trading in Europe.
Outside of the European Union, it is expected that the GDPR will, via the Brussels Effect become the de-facto standard for data privacy in many other countries.
In the preamble to the regulations is a bald statement “Everyone has the right to the protection of personal data concerning him or her”. This is a very different philosophy from what applies in other jurisdictions. For example, in the US there isn’t a single Federal over-arching data protection Law as they have a sectoral’ approach to data protection legislation. In effect this means that Data protection measures are buried within numerous laws and regulations such as United States Privacy Act, the Safe Harbor Act and the Health Insurance Portability and Accountability Act at Federal level. It should not be forgotten that the American system also has state level legislation where California and Massachusetts stand out as having the most stringent requirements.
When taking about personal data, it is important to note that this sweeping term covers traditional items like name and address and medical information, but also stretches to identifiers like IP addresses, RFID tags. Even when data gathered by an EU entity is outside the EU it is still covered by the European regulations. While anonymous data is probably excluded (Recital 26), pseudonymous data is explicitly included.
New rights for users are explicitly created by GDR, both when the data is gathered and as long as the data is preserved. For example, during data gathering there are two major rights to consent and information about the data controller. A person’s consent must be active and auditable – (Article 7 (1)) So pre-ticking boxes or assuming that people consent if they don’t object are no longer permitted as means of consent. Also when a person is suppling data (Article 13(1)) the receiving organisation must supply contact information about who the relevant data controller.
For as long as long as an organistion retains data about an individual the individual retains certain rights. These rights can be exercised by the individual at any time until the data is destroyed and organisations will have to be prepared to deal with them. So retaining data may have an ongoing cost beyond the cost of storage.
An individual has the right to gain access to their information held by an organisation, so the organisation has an obligation to supply that data if requested (Article 15(1)) by the subject. This ties in neatly with the right to data portability which means a person can take his/her data to another organisation. (Article 20). If a person doesn’t agree with the data about them they have a right to rectification (Article 16). The regulation is silent on exactly how the definition of accurate is to be developed. Going further there is now a Right to Erasure (Article 17). Where by an individual can insist on all information being deleted. Besides focusing on the actual data, people have a new right about refusing automated decision making (Article 21) in their cases.
Each of these rights for the consumer naturally place obligations in the data holding organisation. Obligations which may incur costs for technology, staff and new processes. Besides the cost of vindicated the various specific consumer’s rights, organisation also have new generic obligations in terms of staffing and processes.
There is now an explicit requirement for a Data Protection officer (Article 37) who has a specific role laid down in the regulation, including monitoring compliance with the GDPR. As part of everyday business and process enhancement, the organisation is obliged to perform risk assessments (Article 35). If something goes wrong the organisation must report data braches in 72 hours to national authorities (Article 33). Plus, the organisation must contact the person whose data was compromised (Article 34). Each of these steps places a burden on the organisation and especially on management who need to be prepared for the inevitable mistakes.
Naturally the various levels of EU wide State Administrations inserted a carve-out for their own requirements, with exemptions for Defence, Public Safety & National Security (Article 23)
Besides the terrible publicity for an organisation for mishandling customers data as has been seen in so many cases before now. The GDPR contains penalties, in the worst-case these penalties are could rise to 20 Million euro or 4% of worldwide annual turnover whichever is higher (Article 83 (5)).