What is the GDPR?
The new General Data Protection Regulation, presently expected to come into force in 2018, governing how companies operating in the EU deal with the personal data of EU residents.
What is personal data?
Any information that may be used to single out an individual. This is a broader definition than the one in current UK law.
Will they affect me?
Yes, if you control or process personal data relating to EU residents. This includes employees. New to the GDPR is the extension of liability to data processors – so even if you’re just processing data on behalf of a customer, you are still directly regulated.
Should I care?
The GDPR provides for fines up to 4% of global turnover, or €20m, whichever is the higher. This is at least 41 times higher than the highest fine ever levied by the UK’s data protection regulator, the ICO. So, yes, you should care.
What are the main changes?
1. Fines
As above – fines up to 4% of global turnover or €20m. A much clearer remit to enforce these regulations, too.
2. Territorial scope
If your business’s main centre of operations is in the EU, or you offer services directly to EU citizens (which is deemed to mean, amongst other things, addressing them in their local language or selling in their local currency), or you do behavioural tracking of EU citizens, this applies to you.
[There’s also a provision for it to apply to ex-EU data processors where an EU member state’s law applies by virtue of international public law. I know. Ask a lawyer.]
3. Definition of personal data
This is much broader. It’s anything that allows you to single out an individual from a group, whether directly or indirectly. Unless you properly and thoroughly anonymise all data you hold about private citizens, you can assume the new regulations apply to you.
4. Data Processors
At present, liability rests with Data Controllers – effectively the organisation to whom the data belongs. Under the new rules, Data Processors are also liable to regulation, and therefore to financial penalties.
Controllers are required to have contracts with Processors that stipulate the controls to be used to protect data, and are required to verify that these controls are being enforced.
5. Data Protection Officer
If you employ more than 250 people, or your main activity is the processing of personal data, you will need to appoint a Data Protection Officer. You can contract this in – and groups can share one DPO – but you have to tell the regulator and the public who the DPO is, and appoint them for a minimum two-year term.
6. Explicit consent
This is one of the big ones. You have to get the explicit consent of the data subject for the use of their data for the specific purposes for which you want to use it. You can’t use it for anything for which you do not have consent, you can’t treat silence as implied consent, and you can’t consider the consent to be perpetual. It seems likely that trying for a “we can use your data for whatever we like” umbrella consent will not fly. This is going to be really tricky for the big data people, and will introduce some significant friction in general user interaction with digital services.
7. Profiling and automated decisions
Another big one. Until we get some test cases, it’s hard to know exactly what the regulations intend, but the implication is that a great deal of profile-based pricing, behavioural marketing and service differentiation will be illegal. Here’s paragraph 1 of article 20:
“Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or predict in particular the natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour.”
There are exceptions: you can do this if you have a contract with the data subject – so you’ll need to build something into your employment contracts, and your Ts&Cs of trading – or you can get explicit consent (but good luck with that).
[Or it can be expressly authorised by the law of an EU member state, but good luck with that too.]
A lot is going to hang on local interpretations of the word “significantly”.
8. Impact assessments
Shiny new paperwork, not unexpectedly. Before undertaking most kinds of data processing you will need to complete an impact assessment – not unlike the current Health & Safety risk assessment regime. The key point is that the burden of proof now lies with the Controller to demonstrate that they are compliant with the regulations and taking due care over the security of personal data; impact assessments are a part of that demonstration.
9. Subject Access Requests
Data subjects now have a stronger right to review their data – you have to provide more context, specify the purposes for which the data is being stored and processed, indicate how long you will store it and explain the consequences of the data processing.
And you can’t charge for this any more.
10. Rights of rectification and erasure
This is not the existing “right to be forgotten” – which is mis-named (it’s a right to ask nicely to be forgotten if the data controller agrees). This is an explicit right to obtain the erasure of data if it’s no longer necessary for the purposes for which it was obtained, or if the data subject withdraws consent. It is also a right to have incorrect data amended. The regulations place a duty on the Controller to transmit the request to any other third parties to whom it has passed the data. So you’d better keep track.
12. Breach notification
If you suffer a data breach – negligent or hostile – you have 72 hours from when you become aware of it to inform your local regulator. This will come down to 24 hours over time. You also have to notify every individual who has been, or may have been, affected “without undue delay”. This matches the US requirements, but is wholly new to EU businesses, and will add significantly to the cost of data breaches. So a good incentive to work hard to avoid them, eh?
11. Data retention
You can’t keep data forever. You have to be clear about how long you will keep it, and that has to be necessary to your operations. When you no longer require the data, you have to erase it effectively. So if you don’t have a data retention policy, or you don’t enforce the one you do have, time to start.
Is this new law inevitable?
Pretty much. The final text has been agreed. The next step is ratification by the Council and (EU) Parliament. Once that’s done, it’s a regulation, so it automatically takes effect and has precedence over local laws. There will be room for interpretation by local data protection regulators, but only in detail, not on fundamental points.
What does this mean for Safe Harbour / Privacy Shield?
Good question. EU Privacy Shield (the eleventh-hour replacement for Safe Harbour) has not been ratified and is presently just some fairly high-level political statements of intent. It’s not at all clear that it will work in the first place, and even less clear that it will meet the requirements of the GDPR. Right now there’s conflicting advice: a general view that Binding Corporate Rules and/or EU Model Clauses allow you to carry on exporting data to the US, provided you implement them properly, set against a clear statement by the ULD that you can’t rely on either of these methods, and a current evaluation of Privacy Shield, BCRs and Model Clauses by the Article 29 Working Party which isn’t expecting to report back until April 2016.
What should I do?
Right now, if you export data to the States, get some legal advice, implement EU Model Clauses (unless BCR applies to you, which it probably doesn’t) and cross your fingers that EU Privacy Shield actually gets signed off in some usable fashion. Or repatriate your data, which would be my preference.
When you’ve got through that, start thinking about how the GDPR will impact your business. There’s a lot of change, so the more time you give yourself to adapt your business practices, the less likely you are to end up €20m worse off…
I am not a lawyer. This is my interpretation of the Regulations, but you should not rely on it. Get your own legal advice. This does not cover (by any means) all of the changes in the Regulations – there may well be things I have not covered that could have significant effects on you. Read them yourself, or get your own legal advice. The text I have worked from in this summary has not been ratified by the Council of Europe or the European Parliament and could change; there may also be changes based on local jurisdictional interpretation of the Regulations.