General Data Processing Regulations
The EU’s General Data Protection Regulations have been signed into existence
These are draconian in impact and broad in reach and will apply to the UK in 2 years time with no further legislation required to be signed off.
Aimed at returning control of personal data to the individuals concerned and ensuring a common approach across the EU, these will impose obligations for all organisations that process personal data (as defined within) as follows:
- Penalties: Potential fines up to 4% global turnover of the organisation in breach (current UK maximum potential fine is £500,000)
- Application: applies if the organisation or the person whose data is being considered is in the EU (so no shifting operations overseas to avoid this)
- Scope: Personal data can relate to private or professional or public life and consists of anything from name, photo, email address, bank details, comments on social media site, postal address, medical records, computer IP address, physiological data, genetic information etc etc.
- Consent: must be obtained before collecting any private data explicit as to the data collected and the purposes for which it shall be used. The consent for personal data of children under 16 can only be given by a parent or guardian.
- Accuracy: data collected must be reviewed periodically for accuracy and removed or rectified when inaccuracies determined
- Right to be forgotten: Individuals will have a right to permanent erasure of their personal data. (so individuals not liking their old posts on Facebook can get them erased – whoever is holding them so long as they can find out presumably).
- Data Portability: clauses allow individuals to demand transfer of the data held to another location in a commonly usable format. (Apparently intended for use when transferring to a different social media platform, but with definitions still to be discussed, some other areas could have major impacts: What cost to the NHS when everyone suddenly wants a copy of their own medical records?)
- Corporate Data Protection Officers: Organisations that carry out data processing operations based around monitoring their data subjects will have to appoint Data Protection Officers (DPO). (So presumably supermarkets that check what you buy so they can send you vouchers and propose new choices would fall within scope. Possibly mailing list organisations – those collecting them, selling them and/or using them would be affected.)
- Oversight of DPOs: They will be monitored by the SA and not, apparently, their own Board of Directors. The DPO’s remit will skills and proficiencies covering IT controls, data security (against cyber attacks) and other business continuity issues and stretches beyond plain understanding of the legislation. The DPO will potentially have their own team within the organisation and act as a mini-Regulator independent of but within the organisation.
- All Legal Breaches to be Reported: there is a legal requirement for DPO to report any breach (no de minimis) of the Regulations to the SA with 72 hours of detecting it.
- Controlling Bodies: Each member state will set up their Supervising Authority (SA) to oversee this legislation, and to liaise with other SAs across the EU. Where an organisation has operations in more than one member state, the key SA from one of those states will co-ordinate for all the relevant member states (so you might get the Hungarian SA determining how your operations in Ireland and Spain are to be handled).
- Exclusions: for security reasons and fighting of crime are written into the Regulations (so CCTV cameras run by the police would be allowable – not so clear how allowable CCTV cameras on private property would be)
- Scarce Supply of DPOs: The scarcity of resources will make the DPO posts hard to fill – they need a knowledge of IT, data security, linguistic capabilities, legal understanding, managerial responsibility and the capability to liaise between the board of the organisation that pays for them and the supervising authority that will be monitoring them. Further more, it is anticipated that many international companies might prefer to have their key SA in the UK or Ireland (to allow English as a common communication route) which will draw more heavily on demand in these countries for people with these scarce skill sets. This does not even begin to address the source of new staff for the SA operation where they are likely to be less well paid and face some very awkward roles in the future.
- Contention Issues: Definitions are not present in depth in the Regulations. They will need to be worked out as different countries adopting different approaches will cause problems… especially when more than one SA is involved.
Thinking that Brexit might solve this and avoid the issue – no, this will probably come into place anyway!
It IS going to happen. Are you even aware of this, let alone able to work out how to prepare for it?
While there will need to be more work on answering this question, it is already clear that certain skill sets and certain systems (Cyber Essentials, ISO 27001 Data Security, Cyber Essentials Plus, ISO 22301 Business Continuity) will be useful, if not necessary to allow organisations to ensure they can meet the needs of this legislation.
Plans you can start investigating:
- determine how you are likely to be impacted,
- what controls you can start to put in place now,
- how you can change how you operate so this impacts you less,
- what resources you will need to prepare to have to fund to support your legal compliance to this
- what will be needed to ensure you have consent for all the data you handle,
- what will you need to be able to delete data if requested to do so (hard and soft copies – yes, all those stored imperfectly catalogued records in warehouses are covered too),
- how will you handle data transfer requests – especially the international ones
- if you operate in several EU states, you will need to review which will be the key SA
It is not easy to see how this will evolve, but it will impact widely and deeply – not lest as these Regulations act contrary to the requirements of other legislation (from the EU and separate existing national legislations).
Carl Kruger
Qualitation
23/4/16