EU data protection revamp is an opportunity — not a threat
Many businesses and bodies may be worried about the prospect of fines, but we should embrace the change in the law, writes Ardi Kolah
The General Data Protection Regulation (GDPR) requires a re-boot in our thinking about data protection, privacy and security for the digital age. It represents the biggest shake-up in European data protection and privacy law for over two decades. The genesis of the GDPR is the 2012 proposal by the European Commission for a modern legal framework for the world's largest digital single market of 500 million consumers.
Since that time, the pendulum has swung in the other direction and there’s now an obsessive focus on data protection, privacy and security in the wake of an exponential increase in cybercrime and the misuse of personal data on a global scale.
Although that focus is justified, it has clouded judgment: the GDPR should be seen as a significant opportunity, not as a regulatory threat.
The open competition aspects of the GDPR remain in place, and the European Commission is actively leading the effort to encourage companies and organisations to create a deeper level of digital trust in order to do more, not less, with personal data.
Replacing the 1995 Data Protection Directive (95/46/EC) and the national laws that implemented it, the GDPR is a regulation rather than a directive, so it applies directly in all 28 EU member states from May 25, 2018 without needing to be transposed into national law. It aims to deliver a high degree of consistency, certainty and harmonisation in the application of data protection, privacy and security law across the EU. Within this new landscape there is limited 'wriggle room' for member states to pass laws that shape the processing of personal data purely through the lens of national self-interest.
Many commentators have pointed to this as evidence of a lack of harmonisation of data protection, privacy and security laws applying across the EU, given the differences in the way some aspects of the GDPR will work on a country-by-country basis. However, the reality is that such differences are largely confined to a relatively small number of operational areas for companies and organisations within the EU.
Companies and organisations that conduct cross-border processing of personal data will be primarily regulated by one lead supervisory authority: the authority in the member state in which they have their main establishment.
Data protection principles
The GDPR retains the core principles of the Data Protection Directive 95/46/EC but has beefed them up. The core rules may look familiar to experienced privacy practitioners, but this is a trap for the unwary: there are many important new obligations as well as a tougher regime of sanctions for getting this wrong. There are seven data protection principles, and data controllers and data processors must ensure that they comply with all of them:
1 Lawfulness, fairness and transparency — personal data must be processed lawfully, fairly and in a transparent manner.
2 Purpose limitation — personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (with exceptions for archiving in the public interest and for scientific, historical or statistical purposes).
3 Data minimisation — personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
4 Accuracy — personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data must be corrected or deleted without delay.
5 Retention (storage limitation) — personal data must be kept in a form that permits identification of data subjects for no longer than is necessary (with the same exceptions for public interest, scientific, historical or statistical purposes).
6 Integrity and confidentiality — personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
7 Accountability — the data controller must be able to demonstrate, and in some cases verify, compliance with the GDPR. Businesses and organisations should check that all policies, processes and procedures are in place and that, taken together, they deliver the seven data protection principles.
They should ensure that the board supports company-wide and organisation-wide awareness and training programmes, that these are short and informative (not boring!), and that attendance and content are recorded and logged so that compliance can be evidenced later.
Security of processing
The GDPR requires the Data Controller and the Data Processor to keep personal data secure. This obligation is expressed in general terms (measures "appropriate" to the risk), but Article 32 names the kind of measures it has in mind: encryption and pseudonymisation of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access to personal data in a timely manner after an incident; and regular testing and evaluation of how effective those measures are.
The Data Controller must report a personal data breach to its Supervisory Authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, the affected Data Subjects must also be told without undue delay. A Data Processor that discovers a breach must notify the Data Controller without undue delay, so the 72-hour clock is only workable if contracts and incident-response plans make that escalation path explicit.
Businesses and organisations should undertake a full review of the technical and organisational security measures that are appropriate to the type of personal data processing being carried out by the Data Controller and the Data Processor, and seek expert guidance and support where needed.
Role of the Data Protection Officer (DPO)
A Data Controller, Joint Data Controller or Data Processor may be required to appoint a Data Protection Officer (DPO).
This depends on what processing of personal data is being carried out. Certain private-sector and most public-sector organisations will be required to appoint a DPO to oversee their data-processing operations.
A DPO is mandatory where: the processing is carried out by a public authority or body (other than courts acting in their judicial capacity); the core activities of the Data Controller or Data Processor consist of processing operations which require regular and systematic monitoring of Data Subjects on a large scale; or the core activities consist of processing special categories of personal data, or data relating to criminal convictions and offences, on a large scale. Member state law may also require a DPO in other cases.
The DPO must be involved, properly and in a timely manner, in all issues that relate to the protection of personal data, and cannot be dismissed or penalised for performing their tasks.
The DPO must report directly to the highest level of management within the company or organisation, but need not be line-managed by the CEO.
Any report they produce must be considered by the board. Businesses and organisations need to ensure that a suitable senior manager within the company or organisation has been identified and can be trained to fulfil the duties and responsibilities of the DPO independently, without a conflict of interest with their other duties.
She or he must be adequately resourced; failing to do so is in itself a breach of the GDPR. Alternatives include engaging a consultant as DPO or using an outsourced DPO service under a service contract.
Ardi Kolah is executive fellow and programme director of the GDPR Transition Programme at Henley Business School, University of Reading. He is one of the speakers at Dublin Data Sec 2018, Ireland's GDPR conference, which takes place tomorrow (April 9) at the RDS. Dublin Data Sec 2018 is an Independent News & Media event. Please visit independent.ie/datasec2018 for further information. Kolah's GDPR handbook is published on June 3.