The EU Data Protection Regulation - So What??!
https://business.ceu.edu/

Firstly, as a citizen, when it comes to my personal data it's self-evident that some of the organisations holding it have got it wrong. We have all come to expect that breaches will happen, without those not working "in IT" really understanding the implications in the wider context.
I'm pleased that as a consumer very soon I will again have an element of control over my own personal data.
Before I go any further I must also clearly outline that I'm not a lawyer, so my personal opinion is just that, my opinion. The Regulation is pretty big, so this is my first post addressing what I'm sure will be an area of intense interest in the years ahead.

In recent years countless business leaders have published statements to the media downplaying the risk to us all from the loss of our personal information, and, I'm sure, limiting the scope of disclosure to minimise the damage to their share price. A new low this month has been the blatant attempt by an organisation to make any breach of its information security and applications the customers' problem: amending terms of use so fundamentally, and hoping it will pass unnoticed, really isn't very professional. Guess what, it didn't go unnoticed for very long!

A change is coming

Since 2012 the EU has been working on a new Regulation for the management and processing of personal information. The final agreement between the EU Commission, Parliament and Council will see a single set of rules for the handling of personal data across the entire EU. The Regulation is expected to be formally adopted in 2016 (spring is the current estimate) and will apply two years after it enters into force, so enforcement is not expected before 2018.

Given the fundamental changes in the Regulation, known as the GDPR, there really isn't long for businesses holding personal data to review the risks and implement fully compliant business practices, processes and technology solutions.

So What! I hear you say?

Put simply: big fines for breaching the Regulation. For the most serious infringements the fine can be up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.

This Regulation places far more specific controls and obligations on businesses than the current Data Protection Act 1998 (DPA). If you process personal data of individuals in the EU (the Regulation speaks of data subjects in the Union rather than EU citizens) then you are in scope, regardless of where the company conducting the business is based. So any organisation, public or private, that holds either employee or customer personal information needs to understand the Regulation.

The Regulation clearly defines the following roles:

  • Controller – the organisation that determines the purposes and means of processing the personal data (not simply whoever happens to hold a copy of it)
  • Processor – any organisation that processes personal data on the controller's behalf, whether an internal function or a third party
  • Data Subject – the identified or identifiable individual whose data is processed
  • Supervisory Authority (SA) – the national regulator; in the UK this is the Information Commissioner's Office (ICO)

So, for example: a company established in the U.S. that markets its products directly to EU residents but has no physical presence in the EU is currently not subject to the requirements of the Data Protection Act, but will be subject to the requirements of the new Regulation.

Note: the test is whether the controller offers goods or services to people in the EU, or monitors their behaviour, not whether it has an EU establishment. Indicators a supervisory authority will look at include a US company offering or selling products or services online in an EU currency such as sterling or euros, or providing a language option of an EU member state, such as German or French.

So now I hope you can see the scope to impact every sector of business in the UK and internationally.

What do I need to know?

Many organisations must appoint an independent Data Protection Officer (DPO). Earlier drafts set numerical thresholds (more than 250 staff, or more than 5,000 data-subject records a year); the agreed text instead requires a DPO for public authorities, and for any organisation whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive data. The role of the DPO is clearly defined, and won't be just another hat for the compliance manager to put on, so beware…

  • Personal Data is defined broadly as any data that can be used to identify an individual, directly or indirectly. This includes email addresses, IP addresses, cookie identifiers, device fingerprints, home addresses, geolocation data and so on.
  • Where consent is the lawful basis for processing, it must be freely given, specific, informed and unambiguous, obtained from each data subject for the stated purposes; for sensitive data it must be explicit. Data subjects must also be told why their data is being processed, the source of the data where it was not collected from them, and which third parties it has been passed to.
  • Compensation – any data subject who suffers material or non-material damage from processing carried out in breach of the Regulation has the right to compensation from the controller or processor responsible.
  • A personal data breach must be reported to the supervisory authority, which in the UK is the Information Commissioner's Office (ICO), without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. The notification must include a defined set of details.
  • The supervisory authority (ICO) has the power to, amongst other things:

  1. Compel a Controller or Processor to provide information
  2. Impose a ban on data processing
  3. Impose a fine
  4. All of the above!
  • Privacy by design and by default. The controller must implement appropriate technical and organisational measures to protect the rights of data subjects and ensure compliance with the Regulation. By default, each processing activity must be limited to the data, retention and access necessary for its specific purpose.
  • Profiling, and other decisions based solely on automated processing that have legal or similarly significant effects on individuals, are restricted, and data subjects have the right to object.
  • Additional safeguards apply to processing sensitive data and the data of children. A company must carefully consider whether it has a lawful basis to process sensitive data. Consent to process such data must be explicitly granted, not assumed.
  • 'Anonymous data' is not personal data and as such is not subject to the requirements of EU data protection law. BUT if it is possible to re-identify the individual, for instance by combining the data with other information, it is not anonymous. Pseudonymised data (e.g. records keyed by a hashed or tokenised identifier) remains personal data.
  • Sensitive data (the 'special categories') is again defined: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data concerning sex life or sexual orientation; data on criminal convictions has its own separate safeguards. Financial data and children's data are not special categories as such, but they carry higher risk and children's data attracts specific protections.

So let's focus on one small part of the Regulation: consider what would happen if a data breach occurred.

Under the current DPA the ICO state:

Although there is no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, the Information Commissioner believes serious breaches should be brought to the attention of his Office. The nature of the breach or loss can then be considered together with whether the data controller is properly meeting his responsibilities under the DPA.


'Should' is an interesting word in the context of the statement above, and 'serious breaches' are not defined.

Under the GDPR

Under the Regulation, reporting a breach becomes a legal requirement for the business, with the DPO as the point of contact. A personal data breach must be reported to the relevant supervisory authority (SA) without undue delay and, where feasible, within 72 hours of the controller becoming aware of it; the only exception is a breach that is unlikely to result in a risk to the individuals concerned. If the SA is notified later than 72 hours, the delay must be justified.

The report should include at least:
  • A description of the nature of the data breach, including the categories and approximate number of data subjects and records affected;
  • The name and contact details of the DPO or other contact point;
  • A description of the likely consequences of the breach;
  • A description of the measures taken or proposed to address the breach;
  • Where appropriate, the measures recommended to mitigate its possible adverse effects.
The controller must also notify the affected data subjects themselves, without undue delay, where the breach is likely to result in a high risk to their rights and freedoms.

If you are a business leader reading this, let me ask you to consider whether you could respond to a discovered breach within 72 hours with this level of information and certainty. There are a growing number of organisations who could honestly say yes, but my feeling is that the great majority would really struggle.

I for one plan on using my "Right to be forgotten" on a regular basis once 2018 comes around. 

More articles by Paul Allen:

  • What's in an SLA?
  • The EU GDPR and collaboration