So GDPR is a hot topic right now in Europe and it's no surprise that there's a lot of confusion and misinformation floating around. The GDPR, or General Data Protection Regulation, is a regulation from the European Parliament which intends to strengthen and unify data protection legislation across the European Union (EU).
Why does data protection need reform?
The legislation that we currently have in place, known as the Data Protection Directive, dates back over 20 years and was adopted way back in 1995.
This is the same year that the original Playstation 1 was released in Europe, and the same year that early DVD technology hit the market. Back then, there was no social networking, no online banking and no online shopping. In fact, the internet was a very different place.
The chart above shows us that less than 1 in 5 homes had internet access in 1997. It's safe to say then that the technological environment has changed beyond all recognition over the past 20 years. As a consequence, the law needed to catch up.
In 2011 the European Commission put forward a proposal for a new piece of data protection legislation. The official draft was released in January 2012 and has been under ongoing negotiation now for the last 4 years.
It’s widely reported to have been the most heavily lobbied piece of European legislation ever, with over 3,000 amendments during the course of its passage. It was effectively re-written at various points.
So what do you really need to know?
In this article we’ve boiled the legislation down into the 10 most important things that we feel you need to know before the legislation comes into effect in 2018.
1. It’s a regulation not a directive
So what’s the difference?
Directives are pieces of European legislation which are implemented at a national level, and this introduces regional variations in both the interpretation and implementation of the legislation.
- Applicable to all Member States
- Sets certain aims, requirements and concrete results that must be achieved in every Member State
- Sets a process for it to be implemented by Member States
- National authorities must create or adapt their legislation to meet these aims by the date specified in each given Directive
Regulations are passed in Europe and automatically become legally binding upon each Member State. This means there are very few differences in implementation and interpretation, since the law is binding on every Member State as written.
- Immediately applicable and enforceable by law in all Member States
- As good practice, Member States issue national legislation that defines the competent national authorities, inspection and sanctions on the subject matter.
2. It captures a LOT of personal data
It may come as no surprise that data protection legislation only applies to data which is personal. If, according to the legislation, data is not personal, then it falls outside the scope of the law. As a result there's been a long running debate regarding which data should be considered to be personal.
European lawyers will often refer to indirect identification, for example where you have a person's credit card number but not their name, or their IP address but not their device's Unique Device Identifier (UDID), and there's been a long running debate about whether this information is actually considered to be personal.
Ten years ago it was easy to argue that a home computer shared by a family of 4 was not really personally identifying. However, today we often own multiple personal devices that are totally unique to us.
This, combined with the introduction of IPv6, makes it a much harder argument that data such as IP address information is not personally identifiable.
The new GDPR has aimed to put this debate to bed and explicitly states that personal data includes online identifiers such as IP addresses and UDIDs. The GDPR also introduces the concept of pseudonymous data which means data that has been hashed or scrubbed in some way so that it is no longer identifiable to a particular individual.
To encourage organisations to pseudonymise their data, GDPR introduces more relaxed rules for pseudonymous data. These rules provide greater leniency when it comes to reporting a breach, both to regulators and to the affected individuals, and provide some relaxations around subject access.
The main takeaway is that the new GDPR is effectively going to apply to all the types of data that you collect.
3. It has extra-territoriality
So what does this mean?
Well current data protection legislation only applies if you have an establishment or equipment inside the EU. The new legislation expands this definition.
Under the GDPR the legislation applies if you: –
- Have an establishment in the EU
- Offer goods and services to EU residents
- Monitor the behaviour of EU residents
Interestingly, these goods and services do not even have to be paid for; free goods and services count too. This ultimately means that companies without an EU presence may need to comply.
This sends a clear message: If you want to benefit from the EU market, then you need to play by EU rules. Oh, and in case you’re wondering what monitoring behaviour means, this is aimed towards the targeted ad industry.
4. It applies to data processors
Current EU legislation only applies to data controllers and does not directly bind data processors. The only way that data processors are bound by the current legislation is when the rules are imposed upon them contractually.
This has resulted in businesses classifying themselves as data processors as a means to avoid any liability under existing EU data protection law.
The new law recognises that the complexity of modern data processing relationships has moved on. The GDPR says it's not right, for example, for cloud hosting providers to remain exempt from data protection law, particularly since lots of modern businesses run their operations on cloud infrastructure. The new law makes it clear that data processors play a critical role in protecting European citizens' data, and so introduces specific rules to support this.
Some of the new obligations on data processors include keeping records, in some cases appointing a data protection officer and being required to report breaches of data protection.
The new legislation also introduces some additional mandatory terms that have to go into contracts between data controllers and data processors.
Currently if you are a data controller and you engage a data processor there are two things which you must say in every contract: –
- Your data processor must act only on your instructions
- They must have in place appropriate technical and organisational security
These requirements are pretty lightweight. The new law adds some new provisions to them as well, including: –
- Staff will keep confidential any data they have access to
- Specific controls around sub-contracting
These changes are going to have the biggest impact on the cloud industry. If you happen to be a SaaS based service provider hosting your infrastructure on Amazon Web Services or Microsoft Azure, then you're going to have to flow those terms down to your provider and will be limited by what they will agree to.
5. Accountability is King!
Accountability comes up in many places within the legislation. There is a requirement to take appropriate measures that demonstrate compliance with the legislation, which is what accountability means in this context.
These measures include: –
1. The adoption of detailed data processing records
- Exempt for businesses with < 250 employees
2. The implementation of appropriate security measures
- Including security awareness training for staff
3. Privacy Impact Assessments
- Where there is deemed to be a high risk
- Where new technology is involved in the processing
4. Privacy By Design / Privacy By Default Measures
- Refers to natively building privacy into product and services
- Includes minimisation of collection, processing and storage of data
5. Appointment of a Data Protection Officer (DPO)
With the new Regulation, certain private sector organisations must appoint DPOs in Europe, irrespective of their size and whether they are processing personal data in the capacity of a controller or a processor.
6. Individual’s rights are strengthened
Under current EU legislation individuals have the right to access, correct, delete and block their own data. This right still exists under the new law. The right to opt out of marketing is also retained in the new legislation.
The new law does however introduce some new concepts: –
The requirement for marketers to obtain “unambiguous” consent is less onerous than “explicit” consent, as previous drafts specified, but it still rests on a “clear affirmative action” by consumers.
Enhances individual access and objection rights
Consumer rights under the GDPR include: –
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
Legislates the ‘Right to be forgotten’
The right to erasure is also known as 'the right to be forgotten'. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Adds a ‘Right to data portability’
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
7. Data breaches must be notified
The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to: –
- Data controllers
- Affected individuals (unless there is a low risk of harm)
You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals.
If unaddressed, such a breach is likely to have a significant detrimental effect on individuals – for example, it may result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period and allows you to provide information in phases.
8. You’ll need a Data Protection Officer (DPO)
There is no requirement to appoint a DPO under current legislation. The new legislation makes it a requirement for both data controllers and data processors that meet any of the following criteria: –
- Are a public authority
- Perform 'large scale' monitoring of individuals, for example targeted ad companies
- Perform ‘large scale’ processing of sensitive data
Your DPO can be an appointed employee or can be outsourced.
To clarify, large scale processing of data must be your core business activity. For example, if you're a large multi-national that stores sensitive data about your thousands of employees, then there is no requirement in the legislation to appoint a DPO – although it may still be a good idea.
Your DPO must report directly to the highest levels of management – so there needs to be a direct or indirect line up to the board. The goal here is to ensure that data privacy is on the board agenda to increase visibility of data protection issues.
9. Data exports aren’t getting any easier
Under the Directive, the bottom line is that businesses are prohibited from transferring personal data outside the European Economic Area to a third country that does not have adequate data protection.
The European Commission has the power to approve particular countries as providing an adequate level of data protection, taking into consideration the data protection laws in force in that country and its international commitments.
Approved countries include: –
- New Zealand
10. There are massive fines
Finally, there are huge fines for falling foul of the legislation. There are different thresholds for fines, which can be up to 4% of global annual turnover for the most serious data breaches.
There are also mandatory audit rights for Data Protection Authorities (DPAs) – such as the UK's Information Commissioner's Office (ICO). This means that regulators have a mandatory right to go into a private organisation and audit them.
Using the 2016 Tesco Bank data breach as an example, had GDPR been in effect at the time of the breach, Tesco could have potentially been liable for fines up to £1.9bn.
The GDPR legislation comes into effect in May 2018 and is going to completely change the way that organisations across Europe view both their cyber security and data protection responsibilities.
I’m currently working with organisations across Europe to provide them with online cyber security and data protection training to bring their staff up to speed on their responsibilities in preparation for 2018.
If you’d like to learn more about what that training can do for your organisation then I encourage you to contact me on firstname.lastname@example.org or visit www.ultimatesecuritycourse.com to register your interest for a free demo.