What is GDPR?
The EU’s General Data Protection Regulation (GDPR) is the culmination of four years of efforts to update data protection for the 21st century, in which people regularly grant permissions to use their personal information for a variety of reasons in exchange for ‘free’ services.
In the UK, GDPR will replace the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data, and introduces hefty penalties for organisations that fail to comply with the rules, and for those that suffer data breaches. It also ensures data protection law is almost identical across the EU.
Why was the GDPR drafted?
There are two main factors behind the introduction of GDPR. The biggest one is the EU’s desire to bring data protection law in line with how people’s data is being used, especially considering that firms like Amazon, Google, Twitter and Facebook offer their services for free, as long as people offer their data to these tech giants. The dangers of granting such vast permissions can be illustrated by the ongoing Cambridge Analytica scandal, where 50 million Facebook profiles were harvested to influence the 2016 US election.
When will the GDPR apply?
The GDPR will apply in all EU member states from 25 May 2018. Because GDPR is a regulation, not a directive, the UK does not need to draw up new legislation – instead, it will apply automatically. While it came into force on 24 May 2016, after all parts of the EU agreed to the final text, businesses and organisations have until 25 May 2018 before the law actually applies to them.
While the overwhelming majority of IT security professionals are aware of GDPR, just under half of them are preparing for its arrival, according to a snap survey of 170 cyber security staff by Imperva.
Just 43% are assessing GDPR’s impact on their company and changing their practices to stay in step with data protection legislation, Imperva found. While the respondents were mostly US-based, they would still be hit by GDPR if they handle – or contract another firm to handle – EU citizens’ personal data.
Despite this, nearly a third said they are not preparing for the incoming legislation, and 28% said they were ignorant of any preparations their company might be doing.
So who does the GDPR apply to?
‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing.
Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they’re dealing with data belonging to EU residents.
It’s the controller’s responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
When can I process data under the GDPR?
Once the legislation comes into effect, controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
What do you mean by ‘lawful’?
‘Lawfully’ has a range of alternative meanings, not all of which need apply. Firstly, it could be lawful if the subject has consented to their data being processed. Alternatively, lawful can mean to comply with a contract or legal obligation; to protect an interest that is “essential for the life of” the subject; if processing the data is in the public interest; or if doing so is in the controller’s legitimate interest – such as preventing fraud.
At least one of these justifications must apply in order to process data.
How do I get consent under the GDPR?
Consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs.
Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want. If your current model for obtaining consent doesn’t meet these new rules, you’ll have to bring it up to scratch or stop collecting data under that model when the GDPR applies in 2018.
What counts as personal data under the GDPR?
The EU has substantially expanded the definition of personal data under the GDPR. To reflect the types of data organisations now collect about people, online identifiers such as IP addresses now qualify as personal data. Other data, like economic, cultural or mental health information, are also considered personally identifiable information.
Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.
Anything that counted as personal data under the Data Protection Act also qualifies as personal data under the GDPR.
When can people access the data we store on them?
Under the aim of giving people more control over their information, GDPR ensures people can ask to access their data at “reasonable intervals”, with controllers having a month to comply with these requests. Both controllers and processors must make clear how they collect people’s information, what purposes they use it for, and the ways in which they process the data. The legislation also says that firms must use plain language to convey these things clearly and coherently to people: it’s time to wave goodbye to those confusing, dense terms and conditions.
People have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it. Where possible, data controllers should provide secure, direct access for people to review what information a controller stores about them.
They can also ask for that data, if incorrect or incomplete, to be rectified whenever they want.
What’s the ‘right to be forgotten’?
GDPR makes it clear that people can have their data deleted at any time if it’s not relevant anymore – i.e. the company storing it no longer needs it for the purpose they collected it for. If the data was collected under the consent model, a citizen can withdraw this consent whenever they like. They might do so because they object to how an organisation is processing their information, or simply don’t want it collected anymore.
The controller is responsible for telling other organisations (for instance, Google) to delete any links to copies of that data, as well as the copies themselves.
What if they want to move their data elsewhere?
Then you have to let them – and swiftly: the legislation means citizens can expect you to honour such a request within four weeks. Controllers must ensure people’s data is in an open, common format like CSV, meaning that when it moves to another provider it can still be read.
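The consent rules (an affirmative action, a record of how and when consent was given, withdrawal at any time), the right to erasure and the portability export in an open format such as CSV can be modelled in a few classes. The following is an added illustration, not code from the article or from any regulator or library; the class names, the CSV layout, the purpose strings and the timestamps are this example's own assumptions.

```python
"""Added example: a minimal consent ledger, a consent-gated data store,
erasure and a CSV portability export. All names here are assumptions."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


def utc(year: int, month: int, day: int) -> datetime:
    """Helper so callers can build timezone-aware timestamps."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str            # the specific purpose consent was given for
    method: str             # how consent was given, e.g. "ticked_box"
    given_at: datetime      # when consent was given
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Records how and when each subject consented, and any withdrawal."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str, method: str,
                       affirmative: bool, when: datetime) -> ConsentRecord:
        # A pre-ticked box or a silent default is not consent: only an
        # explicit, affirmative action by the subject is recorded.
        if not affirmative:
            raise ValueError("consent must be an affirmative action by the subject")
        rec = ConsentRecord(subject_id, purpose, method, when)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, when: datetime) -> int:
        """Mark every active consent for this subject and purpose as withdrawn."""
        count = 0
        for rec in self._records:
            if (rec.subject_id == subject_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = when
                count += 1
        return count

    def has_consent(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """True if an affirmative consent for this purpose was in force at `at`."""
        return any(
            rec.subject_id == subject_id and rec.purpose == purpose
            and rec.given_at <= at
            and (rec.withdrawn_at is None or rec.withdrawn_at > at)
            for rec in self._records
        )


class PersonalDataStore:
    """Holds per-subject records and only processes them while consent is in force."""

    def __init__(self, ledger: ConsentLedger) -> None:
        self._ledger = ledger
        self._data: Dict[str, Dict[str, str]] = {}

    def store(self, subject_id: str, fields: Dict[str, str]) -> None:
        self._data.setdefault(subject_id, {}).update(fields)

    def process(self, subject_id: str, purpose: str, at: datetime) -> Dict[str, str]:
        """Refuse processing when no consent for this purpose is in force."""
        if not self._ledger.has_consent(subject_id, purpose, at):
            raise PermissionError(f"no consent in force for {subject_id!r} / {purpose!r}")
        return dict(self._data[subject_id])

    def erase(self, subject_id: str) -> bool:
        """Right to erasure: drop everything held on the subject."""
        return self._data.pop(subject_id, None) is not None

    def export_csv(self, subject_id: str) -> str:
        """Data portability: the subject's record as field,value rows in CSV."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["field", "value"])
        for key, value in sorted(self._data.get(subject_id, {}).items()):
            writer.writerow([key, value])
        return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample data, not real subjects.
    ledger = ConsentLedger()
    store = PersonalDataStore(ledger)
    ledger.record_consent("s1", "newsletter", "ticked_box", True, utc(2018, 5, 25))
    store.store("s1", {"email": "alice@example.invalid", "name": "Alice"})
    print(store.process("s1", "newsletter", utc(2018, 6, 1)))
    ledger.withdraw("s1", "newsletter", utc(2018, 6, 1))
    print(ledger.has_consent("s1", "newsletter", utc(2018, 7, 1)))
    print(store.export_csv("s1"))
```

The `has_consent` check is time-aware on purpose: a withdrawal does not make earlier processing unlawful, so the ledger answers "was consent in force at this moment" rather than "is it in force now", which is what an audit of past processing needs.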
What if we suffer a data breach?
It’s your responsibility to inform your data protection authority of any data breach that risks people’s rights and freedoms within 72 hours of your organisation becoming aware of it. The UK authority is the Information Commissioner’s Office. Information commissioner Elizabeth Denham believes the authority needs more resources to cope with policing GDPR, and responding to organisations who notify it of breaches. In March 2017, she told the EU Home Affairs Sub-Committee that more funding was necessary to recruit and retain skilled people.
That deadline is tight enough to mean that you probably won’t know every detail of a breach after discovering it. However, your initial contact with your data protection authority should outline the nature of the data that’s affected, roughly how many people are impacted, what the consequences could mean for them, and what measures you’ve already actioned or plan to action in response.
But even before you call the data protection authority, you should tell the people affected by the data breach. Those who fail to meet the 72-hour deadline could face a penalty of up to 2% of their annual worldwide revenue, or €10 million, whichever is higher.
If you don’t follow the basic principles for processing data, such as having a legal basis for doing so, ignore individuals’ rights over their data, or transfer data to another country, the fines are even worse. Your data protection authority could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is greater.
If you take fines recently issued by the ICO – which can hand out a maximum penalty of £500,000 – and scale them up under GDPR, you can see how much tougher the penalties for getting data protection wrong could soon become.
So under GDPR, TalkTalk’s record £400,000 fine would actually total £59 million – that’s a pretty big chunk of the telco’s third quarter 2016 revenue, which was £435 million. Meanwhile, the ICO’s total issued fines for 2016, which amounted to £880,500, would become £69 million from 25 May 2018, according to risk mitigation firm NCC Group – 79 times higher.
However, it’s important to note that while the maximum fines that can be issued will become much higher under GDPR, the legislation stipulates that they must remain “proportionate” to the breach. Also, if you can demonstrate that you work hard to ensure your organisation is compliant with GDPR, the ICO would likely not issue as high a fine in the event of a breach as it would otherwise.
But what about Brexit?
Yes, the UK is leaving the EU – but the UK government only triggered Article 50 in March 2017, and that sets in motion a two-year timeframe for leaving (though it could take longer). GDPR will therefore take effect before the legal consequences of the Brexit vote, meaning the UK must still comply.
A new Data Protection Bill, put forward by the UK government in August 2017, essentially replicates the requirements of GDPR into UK legislation, meaning those compliant with GDPR should be compliant with the new UK data protection law.
Much like the stipulations of GDPR, the bill sets out sanctions for non-compliant organisations, permitting the Information Commissioner’s Office (ICO) to issue fines of up to £17 million, or 4% of global turnover, whichever is higher (compared to €20 million or 4% of turnover under GDPR).
It also provides provisions for the right to be forgotten, adding the ability for data subjects to demand social media companies erase any posts they made during childhood, a good opportunity for embarrassed adults to delete things they said in their teenage years.
The bill also proposes to modernise current data protection regulations by expanding the definition of personal data to include IP addresses, internet cookies, and DNA.
By aligning with GDPR, the UK hopes to build an enhanced data protection mechanism that goes beyond the adequacy model the EU imposes on ‘third’ countries, allowing personal data to flow freely between the UK and EU.
Digital minister Matt Hancock said: “Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU. We are committed to ensuring that uninterrupted data flows continue between the UK and the EU and other countries around the world.”
Tech industry bodies took it upon themselves to warn off government ministers from diverging from the EU’s data protection rules in an open letter published in February 2018.
The letter responded to ministers’ suggestions that the UK might gain a commercial advantage from taking a less stringent approach to data protection than that outlined under GDPR.
“UK tech companies are clear that this is not a view held by the sector, which sees the UK’s implementation of GDPR as a key pillar to the future success of the digital economy,” wrote TechUK CEO Julian David, whose lobby group represents hundreds of UK technology firms, in a letter addressed to international trade secretary Liam Fox.
David pointed out that with GDPR applying to any organisation processing or using EU residents’ personal data from 25 May 2018, companies are already busy preparing for the legislation.
“Disrupting GDPR implementation would not be welcomed by businesses,” he added. “There is no desire for another wholesale revision of data protection rules any time soon.”
Apart from explaining that GDPR puts people at the heart of data protection, David also argued that aligning with the legislation is an essential step in producing data protection legislation once Britain exits the EU.
The government is already working on a new Data Protection Bill that effectively replicates GDPR into UK law, and David said such a step is crucial for the UK’s economic success.
He added: “The tech sector is clear that diverging from EU data protection post-Brexit is neither desirable nor helpful. The GDPR represents a high standard of protection for citizens’ information, which will help build trust in the digital economy.”
Is the Investigatory Powers Act compatible with GDPR?
However, what’s unclear is whether other new legislation will be deemed compatible with GDPR once the UK leaves the EU. For example, under the UK’s Investigatory Powers Act, ISPs are compelled to collect personal web histories and hold them for up to 12 months. The government is currently having to rewrite some of these laws after identical powers in old DRIPA legislation were found to be illegal.
But Hancock wrote in October 2017 that “UK national security legislation should not present a significant obstacle to data protection negotiations.”
Do we need a data protection officer?
Any public body carrying out data processing needs to employ a data protection officer, as do companies whose core activities involve data processing that requires them to regularly monitor individuals “on a large scale”, according to the GDPR legislation. Public bodies are at an advantage, in that several can share the same data protection officer. Organisations should give the contact details of this person to their data protection authority.
The data protection officer’s job is to inform and advise the organisation about meeting GDPR requirements, and monitoring compliance. They’ll also act as the data protection authority’s primary point of contact, and will be expected to cooperate with the authority.
Alright, so how do we go about meeting the GDPR requirements?
The best advice is to start preparing for it as early as possible – 25 May 2018 might sound far away, but there’s a lot to get right. Immediately, you should seek to employ a data protection officer if necessary, and check the current state of your data protection rules and policies, particularly consent.
Anthony Merry, head of data protection at Sophos, said firms should start by reviewing the current state of their data protection policies, before updating them.
“Businesses need to review their data protection policies and technology to check they are compliant, and should not be shy of reaching out to their local regulatory body or to a trusted consultant for advice to ensure they get it right,” he said. “Be proactive and protect the data you hold, encrypt it and always keep up to date with your security solutions. Data breaches occur every day – and the EU have just increased the consequences of inadequate security.”
The issue, however, is how long such a process will take.
“The two-year implementation period may sound relaxed but it will only be so for those who start to tackle the issues raised by the GDPR now,” he said.
“Organisations need to start by understanding what data they acquire, hold and process and the legal basis for that. Privacy needs to be designed into systems and processes and respect for data subject rights needs to be stepped up. Policies and procedures for handling any security breaches need to be in place. At its heart however, data protection is about the same issues – understanding what data you hold and why.”
Then work out what procedures you need to adopt, or update, to comply. Introduce these as quickly as possible so you can start educating your workforce about them.
If you work with any third-party suppliers who would count as processors, check what their data protection policies are and whether they comply – if they don’t, it might be time to tender again.
It’s also worth looking out for technology that will help you meet requirements around data deletion and data portability.