The draft of the General Data Protection Regulation (GDPR) has now been signed off by the trilogue of the EU government – the Commission, the Parliament and the Council of Ministers. The Regulation contains many of the key elements which we have already flagged in the past. Overall, the legislation is straightforward, accessible and reflects concerns regarding the increasing threat of intrusion into the private lives of EU citizens.
The GDPR sets out to give EU citizens more control over their personal data and to provide greater protection to their right to privacy. Unlike previous implementations of privacy legislation, however, this Regulation will take effect on the same date in all 28 EU Member States.
On the basis of the recent publication, we can expect that this date will be early in 2018, two years from the date the final text is formally published in the Official Journal of the European Union.
The Regulation aims to achieve harmony across the Member States by:
- Placing EU-wide requirements on organisations which control and/or process personal data.
- Granting national authorities the power to impose clearly defined sanctions, including significant administrative fines and penalties, on organisations which fail to meet the requirements set out in the Regulation.
The Regulation introduces a number of new, defined terms which indicate the focus and concerns of the legislators in terms of the protection of privacy. These include:
- Profiling – automated processing to evaluate and predict individual behaviours and preferences
- Pseudonymisation – preventing the identification of an individual by separating some data items from a set
- Data Recipient – an organisation in receipt of personal data outside the jurisdiction of EU legislation
- Genetic data – data relating to the inherited or acquired characteristics of an individual
- Biometric data – data resulting from technical processing of individual characteristics to allow confirmation of an individual’s unique identification
- Establishment – the location of central administration of a Data Controller, especially the location of key decision-making with regard to processing of personal data
- Information Society Services – effectively, services which offer social media processing
The well-known eight Rules of the 1995 EU Directive have not gone away, but they have received a re-vamp and are articulated in a new way in the Regulation. They are now listed in terms of the principles, derived from the OECD Guidelines of 1980, which the rules will seek to enforce:
- Transparency – processing should be lawful, fair and done in a transparent manner
- Purpose Limitation – data should only be collected for a specified, explicit and legitimate purpose, and any processing should not be incompatible with that purpose
- Data Minimisation – processing of the data should be limited to only what is necessary to achieve the purpose
- Accuracy – inaccurate or incorrect personal data should be corrected or erased as soon as possible
- Storage Limitation – data should be held in a form which allows identification of the individual only for as short a time as possible, and should then be anonymised or erased
- Integrity and Confidentiality – the security and integrity of the data should be protected through both technological and organisational structures
- Accountability – the Data Controller must be able to actively demonstrate compliance with the Regulation
We can see the eight Rules in there amongst those principles, and I am sure that we will become familiar with this re-sequencing in time. Perhaps the most important shift here is the focus on the obligation for the Data Controller, who must now be pro-active in documenting and logging DP incidents. Under the new Regulation, the focus will be on the Controller to be able to demonstrate the steps taken to ensure compliance – including provision of training, resolution of data security incidents, risk analysis of new processes and procedures, etc.
Controllers and Processors are actively encouraged to seek certification with recognised international standards, (ISO 27001, for example) and the Supervisory Authorities in individual Member States are encouraged to define Codes of Conduct against which Controllers and Processors in particular sectors and industries can be assessed.
The following are what we at PrivacyEngine/Sytorus believe are the key changes for Data Controllers and Processors contained within the GDPR (in no order of priority):
- Accountability – While the Data Controller is still primarily responsible for compliance, the Data Processor can be held equally liable in some circumstances. The Regulation also recognises the possibility of two or more Controllers sharing liability where they share the processing of the data.
- Privacy by Design – Data Controllers are required to consider the privacy implications of any substantial change to data processing, and to build privacy-friendly structures into their solutions.
- Privacy Impact Assessments – the Regulation introduces an obligation to conduct risk-based assessment of projects to ensure that any processing of personal data anticipates and mitigates risks.
- Increased Fines – Controllers and Processors prosecuted for being in breach of the legislation face fines of up to €20m or 4% of annual turnover; details on these penalties still need to be fully defined.
- Data Protection Officers – organisations which meet defined criteria will be obliged to appoint a DPO as the ‘go-to’ person within the organisation with responsibility for DP compliance. The criteria include public authorities, organisations processing large volumes of Sensitive Personal Data, and processing which involves systematic monitoring of large groups of people.
- Data Portability – Data Subjects should be able to move their data freely and efficiently from one organisation to another, e.g. when changing service providers.
- Age of Consent – Controllers offering social media services to children (those under the age of 16) will have to demonstrate that they have parental consent before processing. Individual EU Member States may, however, lower the age requiring parental consent to no less than 13 years old.
- Nominated Representative – organisations based outside the EU must have a representative based in any EU jurisdiction in which they operate or in which they process the personal data of EU citizens.
- Territory – the Regulation will apply to any organisation based outside the EU which processes the personal data of EU citizens; a major change and one which is of particular interest to international organisations doing business in the EU.
- “One-Stop Shop” – since there will be one Regulation in effect across the 28 Member States of the EU, the supervisory authority (DP Commissioner) of the State where the Data Controller has their main establishment will have authority to determine their compliance with the Regulation.
- The Right to be Forgotten – unless Data Controllers have a lawful justification for keeping their data, the Data Subject is entitled to demand that their data be removed and no longer processed.
- Data Breach Notification – Data Controllers must maintain a log of data breach incidents, and must notify the Supervisory Authority within 72 hours of becoming aware of the breach. When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the Controller must also notify them of the personal data breach “without undue delay”.
- Privacy as a Vendor Selection Criterion – the Controller should use only Processors who can provide sufficient guarantees in terms of their expert knowledge, reliability and sufficient resources to guarantee the security of processing.
- Clear and Affirmed Consent – the data subject must give clear consent to the processing of private data, thus giving individuals more control over the processing of their own personal data, especially for direct marketing purposes. Silence, pre-ticked boxes or inactivity will not constitute consent. Finally, the data subject will have the right to withdraw his/her consent at any time.
- Secondary Purposes for Processing – organisations will not be allowed to collect data for one stated purpose and then use it for another without first notifying the Data Subjects.
- Plain Language – information about intended processing should be given in clear language before the data is collected. Substantial, overly-technical and inaccessible “small print” privacy policies which confuse Data Subjects will not be permitted.
- Registration – there is no longer a requirement to register with the Supervisory Authority in the jurisdiction in which the Data Controller is established; this is replaced by the obligation to keep and maintain logs of PIAs, data breach incidents and any other aspect of data management.
The published rationale mentions that, now that the Regulation has been set out, the Supervisory Authorities in each EU Member State will soon be assessing DP issues and breaches by looking for evidence of a ‘forward-thinking attitude’. This means that organisations would do well to start putting structures in place as soon as possible which adhere to the new rules.
The estimated timeline remains in place: the approved text of the legislation will be published by the Parliament by March 2016, and will come into effect across the 28 EU Member States two years later, in early 2018.
PrivacyEngine/Sytorus continues to work with our clients to help them prepare for the new Regulation. For many, this will include organisational, system and procedural changes, as well as staff training.
For some, who were already struggling with compliance under the ‘old’ legislation, this will be a slightly sharper hill to climb, but we have two years!
Over the coming weeks we will publish further analysis on the GDPR, with particular focus on the impact for Data Controllers, Data Processors and Data Subjects.