Getting To Know the GDPR

Onai
7 min read · Aug 3, 2017

A high level introduction to the General Data Protection Regulation

*Disclaimer: the views in this post and any others following this one are entirely my own and not those of my employer.*

Welcome to the first in a series of blog posts that will each be exploring a different element of the new EU General Data Protection Regulation (GDPR). Without giving too much away too soon, after this introductory post, I’ll be tackling topics such as your rights and how you might flex your new-found muscles as a consumer, the hike in data breach penalty fines and the impact this may have on companies and industries as well as the challenges many organisations can expect to face on their journey to compliance. I’ll also touch on life after the GDPR compliance date, exploring new company and consumer behaviours the regulation might inspire.

With the biggest change to data privacy law in over 20 years being brand new to all of us, this series will be conducting a speculative analysis into the shock waves that are about to ripple through virtually every organisation in virtually every industry. I hope you find it useful and informative. Without further ado…

Introduction

The GDPR is a cross industry, cross border regulation that was put together by the EU to strengthen and unify data protection for EU citizens. This will be done by implementing a legislation framework for any company processing, storing or transferring EU citizen data. The legislation will ensure that your data is being used, processed and stored for the correct reasons and with your specific consent.

With the May 2018 deadline for organisational compliance fast approaching, this newcomer to the RegTech party is generating all kinds of buzz. I have no doubt we’ll all soon be expected to understand the why, the how, the when and, most importantly, what it means for our clients.

So, let’s get into it!

Quick Facts

  • The GDPR replaces the Data Protection Act (DPA) of 1998
  • It is a Regulation, not a Directive, so its application is standard across all member states, unlike the DPA, which member states were free to transpose into their own national laws
  • Its design gives more power to the individual and shifts the onus onto the organisation to ensure data protection and privacy protocol is watertight internally and in the operations of any third party companies working with/for them
  • The financial penalty for non-compliance is up to €20m or 4% of global annual turnover — whichever is greater

The birth of the GDPR

In 2012, upon realising that the law was out of touch with the challenges of the online world in the 21st Century, the European Commission proposed an update to the 1998 Data Protection Act (DPA). It was understood that personal data was now more exposed than ever before to increasingly complex cyber security threats, that technology had evolved so much that there were now many holes in the rules, and that many companies were (sometimes unknowingly) abusing these loopholes as part of their standard business practice.

After 2 years of deliberation, the European Commission, European Parliament and European Council finally reached an agreement. The GDPR was born on 24 May 2016 with a two-year implementation phase, making the deadline for compliance 25 May 2018.

Understanding the Terminology

Before we get into the juicy bits, it’s important to understand the terms used throughout the regulation and what they mean. This’ll be easy as there are only a couple that frequent the articles as you read. Below are the main ones:

Data Controller — this is the person or organisation who captures the personal data and determines the basis for processing it.

Data Processor — this is the person or organisation who ‘processes’ the data, usually on behalf of the Controller. It may be a third party IT company or customer service company who contacts the customer/user afterwards.

Processing — this is any operation performed on personal data, whether or not by automated means, including collection, retrieval, use, organisation, storage, alteration etc.

Lawful processing — in order for the processing of personal data to be ‘lawful’, a legal basis for that processing needs to be established and at least one of six criteria needs to be met. Article 6 delves into more detail on these criteria.

Personal Data — any piece or pieces of information that can be used to identify any living person. You might sometimes see this written as Personally Identifiable Information (or PII).

Data Subject — the individual whose personal data is in question.

Briefly Summarising the GDPR

Although it replaces the DPA, many of the principles found in the existing DPA can also be found in the GDPR. The best description I’ve heard so far is “it’s the DPA, but on steroids” — the rules are stricter, the tests are broader, the penalty is higher and Big Brother’s watchful eye is always open.

Firstly, the meaning of ‘personal data’ has been expanded and this category now includes location data, online identifiers such as an IP address and genetic data. ‘Sensitive’ personal data now also extends to biometric data.

The GDPR also demystifies ‘Consent’ and stipulates that this must be explicit, unambiguous and freely given via an affirmative action. The request for consent must also be provided in an intelligible and easily accessible form, using clear and plain language. So, gone are the days of automatic opt-ins, sneaky ‘tick here if you would not like to receive XYZ’ boxes and hiding information as to how your personal data will be treated on page 17 of the T&Cs. Additionally, it must be just as easy to withdraw consent as it is to give it.

Supply of a service can also no longer be contingent on consent to the capturing and processing of personal data if said data is not required to provide that service. So, you know when you want to use the free wifi in the airport and you’re allowed to do so on the condition that you hand over a piece of your personal data in the form of an email address? Come May 2018, companies will find themselves on the GDPR naughty step for doing that.

When capturing personal data, companies are to capture only what is needed for the purpose determined. This data cannot then be taken and re-used for a secondary purpose without informing the data subject and obtaining consent. Finally, the GDPR makes it the controller’s responsibility to make sure this data is deleted from the system once it is no longer required.

With regards to data transfer, the GDPR is smarter than the DPA in that it understands that companies will sometimes have a need to transfer data to other organisations and across borders. Where this needs to happen, companies must ensure adequate safeguards, such as encryption, are in place to secure this information in transit.

Which companies / industries are affected?

Any company offering a product or service to, or holding any personal data about, any EU resident must comply. It doesn’t matter if they’re headquartered in Manila with operations in Shanghai. For added clarity, any UK company under the impression that Brexit has given them a get out of jail free card should return to the drawing board and start mapping out that journey to compliance — and they had better do it fast.

What does it mean for businesses?

The GDPR places a great deal more accountability on the organisations that need to capture, handle and store personal data in order to operate. The marketing and HR departments of many organisations may now find they have a lot of process-skeletons to dig out of the closet, given that these teams hold and handle a lot of customer and employee personal data. Pub chain JD Wetherspoon responded to news of the GDPR by deleting its entire customer email database, opting to market via its social media channels instead. This may seem a little bit extreme but, hey, in eliminating all the personal data they hold, they’ve eliminated the root of the potential problem.

Navigating the digital single market is about to become a touch trickier for many organisations too, with one major change being that it’ll become much harder to sell or share customer information for digital marketing purposes without first gaining consent. And, if asked, whose response to that question would be “why yes, of course you may pass my details on to Tom, Dick, Harry and whoever else you please”? Certainly not mine!

The hefty penalty imposed by the Information Commissioner’s Office, and where this money eventually ends up once companies pay out, is a question to be tackled another day. But could the GDPR inadvertently carve an even bigger market gap for more specialist claims management companies?

Remember the ‘have you been mis-sold PPI’ fiasco?

For consumers seeking their own compensation following a personal data breach, will the GDPR now birth a new flock of compensation claim vigilantes, à la the PPI days, promising to fight for our justice in exchange for a cut of the winnings? It’s one very likely scenario I am personally keeping an eye out for.

What does it mean for us as individuals and consumers?

The GDPR vests a lot more power into the hands of the individual, giving you more control than its predecessor over exactly how your personal data can be processed and who by. In my next post we’ll be taking a deep dive and examining these subject rights, as they’re called, in greater detail. If you’re just itching to know more about these but you can’t wait, then having a read of Articles 15–22 should tide you over until the next post… see you there!

Onai

20-something year old. London. Occasional writer. Questioner of everything. Chronic impulse purchaser of things that should never be purchased on impulse.