What’s coming with the new EU data protection regulations?
Negotiations are coming to a close in Europe around the new Data Protection laws to replace the Data Protection Act 1998. This new law is called GDPR – the General Data Protection Regulations and is a key enabler of the ‘Digital Single Market’.
Firstly, it is worth understanding some of the history and how we have reached the current situation.
A brief history of data protection
There are numerous separate but similar data protection regulations across various EU and non-EU countries. In the UK we have the ‘Data Protection Act 1998’, Germany has the ‘Federal Data Protection Act of 2001’, France has ‘Data protection Act 1978 (revised in 2004)’ and USA has, well actually USA has a whole mix of federal and state laws.
And that is the first problem we have. We do not have a common set of regulations/laws that we all work to, and as more and more data is shared across borders, this has become confusing, causing heightened fear of risk and could even be seen as a barrier to expanding and growing your business.
The problem with all these different laws is that many of them were written in a time when cross-border cloud computing was just a pipe dream, and since then communications technology has moved on rapidly and is now a global expectation. Data is captured, shared, manipulated and then used for competitive advantage. More recently this data has included personal information, often including more than just names and email addresses, but also being moulded by our online shopping habits in an attempt to target more appropriate retail advertising.
In January 2012 the European Commission proposed a comprehensive reform of data protection rules in the EU. The key objective is to give citizens control over their personal data and to simplify the regulatory environment for business, ultimately allowing European citizens and businesses to fully benefit from the digital economy.
The state of current negotiations
Negotiations have been ongoing since October 2013 and the next few monthly meetings are expected to finalise the regulations, hopefully before December 2015.
According to the plans, after the two-year transition period these regulations will have immediate effect on all 28 EU Member States and will not require any enabling legislation to be passed by governments.
The three main groups forming the negotiation committee are known as the ‘trilogue’ and comprise of MEP’s, the European Commission and European Council of Ministers. The meetings are held behind closed doors without published minutes but despite that, they are defined by a general principle stating that they “….shall consult each other and make arrangements for their cooperation by common agreement”. The result will be a solid set of regulations that will affect all aspects of the data lifecycle for citizens and organisations.
What is the scope of GDPR?
Before listing some specifics, it is worth understanding some common terminology that many of you will have been familiar with if you had some understanding of the Data Protection Act 1998. The term ‘data processing’ is about obtaining, recording or holding information or data as well as carrying out any operation on the data including altering, using, disclosing and erasing that data.
- Personal Data – data that relates to a living individual who can be identified from the data
- Data Subject – a living person about whom personal data is stored
- Sensitive personal data – data on a subjects racial or ethnic background, political or religious views, sexual life, criminal convictions, etc..
- Data Controller – a person who determines the purpose and manner in which personal data is to be processed (this would probable include your organisation)
- Data Processor – a person who processes the personal data on behalf of the data controller (this could include your IT department or your cloud hosting providers)
Data relating to European citizens is subject to EU law and any transfer of data outside the EU needs to meet certain standards.
GDPR extends the scope of the current data protection law to any organisation established within the EU, whether they are data controller or data processor and it can apply in three scenarios
Data controller or processor established in the EU irrespective of where the processing takes place
Non-EU organisations who offer goods or services to residents of EU or that monitor the behaviour of EU residents
Data controllers not in the EU but in a place where national law of a member state applies, for example in an overseas diplomatic embassy
The 8 key Data Protection principles
The key 8 principles of Data Protection (as documented on the Information Commission’s Officer website) are as follows. “Personal data must….”
Be processed fairly and lawfully
Be obtained for lawful reasons
Be adequate, relevant and not excessive for the purpose for which they are processed
Be accurate and kept up-to-date
Not be kept for longer than is necessary
Be processed in accordance with the rights of the data subject
Protected against unauthorised or unlawful processing and against accidental loss or destruction by use of appropriate technical and organisational measures
Not be transferred to a non-EU member state unless that country ensures adequate levels of protection for the rights and freedoms of data subjects
So in other words you can’t just go ahead and mine or harvest vast quantities of personal data unless you can prove that you have adhered to the above principles.
So what implications might this have for businesses in the EU?
Data subjects will have the ‘right to be forgotten and erased’. This includes the data subject withdrawing consent or objection to the data being processed, as well as non-adherence to the 8 founding Data Protection principles.
Not only will you need to permanently delete data on request but you will also need to provide proof of this happening. Data deletion was not actually defined within the Data Protection Act 1998 in the UK. Data deletion could also include physical destruction of equipment, and the subsequent evidence of that happening.
There are organisations who provide software and/or hardware destruction services for a fee. You may well already be engaging with one of these providers and you may also have detailed this in your operational procedures.
As a Data Processor you will need to have adequate provision to prevent attacks or errors that may compromise data, especially if you are a cloud provider yourself. This could include malware attacks, Denial of Service attacks, data leakages and corruption of data. Again, many of these will already be in place if you have an up-to-date ISO27001 accreditation.
As a Data Controller you may wish to check that your cloud service provider (i.e. the data processor) has addressed these issues and can provide evidence, and this should include end-of-service provision for data deletion.
Tougher regulations also require the Data Processor to notify data controllers immediately upon identification of a data breach, and data controllers need to notify data subjects within 72 hours.
Much of what is coming in 2016 has been common practice for years, but this standardisation should result in increased confidence that data can be held within other EU member states without fear of increased risk to data security, and arguably removing some barriers to expansion and business growth.
The penalties for non-compliance are high, and are still subject to final agreement. A fine of up to 100 million euros or 5 per cent of global annual turnover (whichever is greater) has been widely discussed, although a suggestion of 2 per cent of global turnover may well be the ultimate agreement.