The EU recently agreed a text on new data protection rules. Daragh O’Brien, MD of Castlebridge Associates, explains what this means for companies, consumers and data protection as a whole.
On 17 December, the European Parliament, Council of Ministers, and the European Commission reached agreement on a text for the ‘Data Protection Package’. This consists of a new General Data Protection Regulation (GDPR) affecting anyone processing data in the EU or about EU residents, and a new Data Protection Directive (DPD) specifically for the police and criminal justice sector.
This article addresses the Regulation only. I will cover the Directive for law enforcement on the Castlebridge website.
Busy start to 2016
Final texts of both the Regulation and the Directive are expected to be published early in Q1 2016. By coincidence, January is already a busy month in data protection land.
World Data Privacy Day is on 28 January, and the collective group of EU Data Protection is set to issue its view on the legality of mechanisms for data transfer to the US in the wake of Max Schrems’ landmark Safe Harbour case. So, I would be unsurprised if there was a big announcement on the DPR at the end of January.
Privacy campaigner Max Schrems, via Connor McKenna
This legislation will come into effect two years and 20 days from its publication in the Official Journal of the EU. I will discuss the likely timescale for publication, implementation, and enforcement in a later article, but it is important to recognise that, as this is a Regulation, it will have direct effect and will not require domestic legislation to be passed.
Rather, domestic legislation will be required for any of the derogations that exist in the Regulation.
What is changing in this Regulation?
Well, for a start, this Regulation is not banning under-16-year-olds from social media. Parental consent will be required for under 16s for ‘Information Society Services’, unless a Member State has opted to implement a lower age threshold.
This is technically the situation that already exists with platforms like Facebook today, where users are required to be over 13 to ensure compliance with US privacy legislation.
The GDPR builds on the existing framework of the current data protection rules in the EU. However, it introduces changes in a number of key areas that will affect organisations of all sizes.
Castlebridge Associates will be publishing some detailed, practical, and pragmatic analysis over the coming weeks on our website, but the broad themes organisations need to get their heads around are relatively straightforward, and involve a large stick, some fundamental principles, and some carrots of ‘value-add’ for organisations that embrace the opportunity that the Regulation brings.
The Stick (and it is a big stick)
The stick in all of this is that penalties are changing – significantly. Currently the absolute maximum theoretical penalty for a breach of the data protection legislation is €250,000.
Under the GDPR, that jumps to €20 million, or 4pc of global turnover, whichever is higher.
Penalties are broken out into two main categories, the second category attracting a smaller maximum penalty of 2pc of turnover, or €10m.
This is in addition to powers for the DPC to order you to stop processing data or to delete it, and the continued right for data subjects to sue you where their data privacy rights have been infringed.
The higher penalties are reserved for more ‘fundamental’ breaches of core principles in the legislation relating to the obtaining and processing of data and the handling of requests from data subjects relating to their rights under the Regulation.
That includes things like subject access requests, which accounted for 57pc of the complaints to the ODCP in 2013. In a Whitepaper we published in 2015, we presented findings of a mystery shop of Irish organisations where only 40pc came even close to complying with their obligations under current legislation.
These organisations now potentially face €20m penalties.
The lower end
The lower threshold penalties are reserved for more ‘operational’ breaches relating to the mechanisms of governance and control over personal data in the organisation.
For example, not conducting data protection impact assessments during design of processing and ensuring controls are implemented is a 2pc of turnover penalty, as is not keeping a record of your processing activities or taking appropriate organisational and technical measures regarding security.
However, the stick is sweetened somewhat in this near-final version of the text by the apparent removal of the power – under Section 29 of the current Data Protection Acts – for the Data Protection Commissioner to take proceedings against directors, officers or managers of bodies corporate who “through their consent, connivance or negligence” allow an offence to be committed.
This power has been used effectively by the DPC in recent years against organisations engaged in the unlawful obtaining of personal data from government departments and other organisations and, frankly, I’m surprised to see it not make the cut in the new Regulation.
However, Article 79b of the Regulation may allow for this power to come back before all of this is settled. It would be a pity to see the enforcement arsenal of the DPC reduced given Ireland’s key role in the international data industry.
The Principles (rights, duties, obligations)
The Regulation builds on the existing principles and rights of the current DPD. The ‘old reliable’ eight Data Protection rules have evolved into seven key principles for processing personal data, which are centred on fundamental concepts of transparency, accountability, necessity and proportionality.
A key shift in the Regulation is towards a risk-based model surrounding these fundamental principles –rather than a prescriptive and potentially rigid model – where organisations who are processing personal data need to actively and constantly assess the level of risk to fundamental rights and the privacy of the individual with regard to how they are processing personal data.
This lack of prescription means that ‘tick box’ approaches to compliance with all but the most mechanistic elements of the Regulation will be tricky to implement and organisations will have to focus on the ‘human factors’ in how we define and implement organisational and technical controls, and how we communicate with our customers about what we are doing with personal data provided to us.
Among the changes that will require us to pay close attention to how we implement things like privacy notices and our approach to obtaining consent – where consent is the only basis for our processing of personal data – is the need to obtain parental consent for information society services where those services are being used by children.
Easy to understand
Also there is the need under the Regulation to ensure that information provided is done so in a concise, transparent, intelligible form, using clear and plain language. This will be key to obtaining and keeping usable consent if your organisation relies on consent as the only basis for its processing, as consent will need to be freely given, specific and unambiguous.
Bye-bye legalese. Time to hire some people with backgrounds in adult literacy!
Much has been made of ‘new’ rights being introduced under the Regulation, but in most cases what are being introduced are extensions of, or reinforcements of, existing rights such as the ‘Right to Erasure’ (aka Right to be Forgotten) or the ‘Right to Data Portability’, which is essentially an extension of the existing right to access copies of data held about you by a data controller.
What is more significant with regard to these rights is that the window for responding to requests has been reduced from the current 40 days for a ‘subject access request’ to one calendar month overall.
Time to hit the books
In order to comply with shorter timescales for requests, and to be able to justify extensions to the time period where needed, organisations will need to have a significantly better understanding of where the personal data in their organisation is stored, who accesses it, and what it is used for.
These answers are contained in the documentation of processing activities that the Regulation requires organisations develop and maintain, which in turn will support their assessment of risk and the effectiveness of organisational and technical controls to ensure compliance with the Regulation.
This process is helped by the requirement to have a Data Protection Officer (DPO) in certain circumstances, such as for public bodies, or organisations processing sensitive personal data or data relating to criminal offences.
While most SMEs and micro businesses may be exempt from this requirement, the nature of data is that a small organisation can often be engaged in core operations that conduct systematic monitoring of data subjects, so it is prudent to consider appointing a DPO to help co-ordinate controls.
Even for organisations that are exempt, an out-sourced data protection advisor can help your compliance journey and help get you up to speed and on the right track.
Finally, the existing Data Security Breach Code of Practice that the DPC has operated in Ireland on a semi-voluntary basis since 2010 finally gets a strong statutory footing.
Organisations that have been complying with the DPC code will find the data breach notification provisions of the GDPR very familiar. But now they have strong enforcement teeth and significant penalties for non-compliance.
Over the coming weeks, we will be publishing more detailed drill-downs into key issues and obligations under the GDPR on the Castlebridge Associates website or on Siliconrepublic.com.
The Carrot (value added strategic information management)
Of course, with every stick comes a carrot. The carrot here is that the focus the GDPR brings to personal data is a valuable asset of your organisation.
The shift towards an inward looking, risk-based model of compliance will require organisations to look – even at a high level – at how they are processing personal data, who their partners are in that processing (data processors), and what key issues and risks with regard to that data might turn it from an asset into a liability overnight.
In our experience, once any organisation starts looking at what they are doing with data, the strategic value-add comes to the fore quickly. Whether it is:
- wasted spend on data storage for physical records that are no longer required (reduce costs, or free up real-estate for other uses)
- the loss of productivity through staff rechecking, correcting, or explaining ‘errors’ in data between departments or teams (in one client, we measured this at over 11pc of payroll cost)
- or recognising the business impact of key databases or systems to your day-to-day business and having contingency plans for disaster recovery
The provisions of the GDPR provide a stick to direct attention to opportunities to save money, reduce risk, or build customer or supplier relationships that will support your business.
Many have claimed that the GDPR will stifle innovation. I would suggest it creates an opportunity to innovate in new ways, and Castlebridge Associates is already working with a range of organisations looking to embrace that opportunity.
Daragh O’Brien is an internationally respected trainer and consultant in the field of information governance and data protection. He is MD of Castlebridge Associates as well as being a leading driver of data protection education both in Ireland and internationally.