How changes to EU data protection law could affect UK business
Prudent businesses are now preparing for the forthcoming EU General Data Protection Regulation
For nearly 20 years, UK data protection laws have remained fairly static, even in the face of considerable technological advances, the rise of social media and the big data boom.
The European Commission decided to address this gap between law and technology across the region by publishing a new draft EU data protection law, the General Data Protection Regulation.
Since the draft regulation was published in 2012, the European Parliament and the European Council have both reviewed it and added their comments. So we now have, rather confusingly, three drafts of the regulation and, over the next few months, these three bodies will engage in heated negotiations with the aim of producing a final version.
Once the new regulation is adopted, there will be a two-year transition period before it becomes enforceable across EU countries, including the UK, by data protection authorities and the courts. A two-year grace period may sound generous, but in reality, given the number of teams that will need to be involved to help a company comply with the new regulation (such as IT, marketing, legal and compliance, as well as management and business teams) and the time taken to implement business change and new IT projects, two years can pass quite quickly.
Therefore, prudent businesses are considering and planning for the new regulation right now.
An important change for UK businesses is the increased scope of the regulation. Currently, data protection laws apply only to data that directly identifies an individual and to data that identifies an individual when combined with other information held by the data controller, which is the company that decides how personal data is to be used.
So pseudonyms, IP addresses and other unique reference numbers would not be personal data unless the data controller can combine them with other information, such as email addresses, which would allow those pseudonyms, IP addresses and reference numbers to identify an individual.
This will change under the new regulation: all data that identifies an individual, whether directly or indirectly, will be personal data. There will no longer be a requirement for the company itself to hold another dataset that would allow for re-identification. So any unique identifier or pseudonym will be personal data.
Many businesses use pseudonymous data because they believe this means they can avoid having to comply with data protection laws, but this will no longer apply. So we should expect the regulation to affect many more businesses than before.
One of the key issues being negotiated is whether there should be less stringent compliance requirements for pseudonymous data. All three legislative bodies agree that pseudonymous data is still a subset of personal data, but they disagree about whether it should be subject to the same requirements as “standard” personal data. It may be worth stressing that a more lenient approach to pseudonymous data is opposed by many of the data protection regulators and by privacy rights groups.
To prepare for the new regulation, businesses should start reviewing the types of data held: sensitive, personal or pseudonymous. Where possible, businesses should try to use pseudonymous data over personal data because it could benefit from less onerous compliance requirements.
Pseudonymous data is frequently used for customer profiling, which is another area of contention under the regulation. Profiling has been broadly defined as “any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour”.
This definition could potentially capture any form of data analytics and therefore would have significant impact for data-driven businesses.
The regulation will require businesses either to have a statutory basis for profiling (such as for crime prevention or detection purposes) or to have obtained the individual’s consent to being profiled. Most businesses will therefore have to rely on obtaining an individual’s consent, which will make it considerably harder to use personal data for analytics.
Under current law, consent is often not obtained for profiling activities. This is because profiling is often carried out using pseudonymous data, or because profiling using personal data is permitted where it serves a legitimate purpose of the data controller, provided this does not unduly infringe individuals’ rights and interests.
So, under the new data protection regime, consent will be needed for any personal data analytics and there will be a new standard of consent. Consent must be freely given, specific and informed – the individual must have a genuine choice as to whether to give consent and be able to withdraw consent without detriment.