GDPR: Do not resist! Unless you want a visit from the data police
€20m is srs bsnss so we will keep talking about it
Comment: Data was a hot topic last year and it's already big in 2017: Microsoft continues to resist the US government's attempts to get hold of data held in its Irish data centres. But just as it seems to be making progress, the government has won a favourable first instance ruling against Google forcing it to disclose data held outside the USA. This looks set to end up in the US Supreme Court.
Back in Europe, the European Court of Justice has been fighting for data protection. It recently confirmed that the general and indiscriminate retention of data such as in the UK Data Retention and Investigatory Powers Act is incompatible with the E-Privacy Directive. This will put pressure on its replacement, the Investigatory Powers Act 2016. In the meantime, the EU Commission has published a new draft E-Privacy Regulation to strengthen privacy in electronic communications. It seems the EU currently favours regulations rather than directives to harmonise laws. US tech companies are busy signing up to Privacy Shield. But there's a challenge from Ireland on its way to the ECJ against the whole scheme.
Some are concerned that President Trump's executive orders are undermining the scheme anyway. And Max Schrems – the person responsible for the annulment of Safe Harbor, of course – is hoping for a ruling against Facebook's privacy rules.
Here in the UK, the Information Commissioner's Office has had a busy January issuing fines for data breaches. It fined IT Protect £40,000 for making nuisance calls to people who had registered with the Telephone Preference Service to opt out of calls, ironically to sell them a call-blocking device. "Hello, I know you opted out of these calls so how would you like to buy a device to block these calls."
Additionally, it fined LAD Media £50,000 for buying a list of phone numbers and instigating the sending of 400,000 spam texts about debt without consent. It also fined Royal & Sun Alliance £150,000 for failing to take "appropriate technical and organisational measures".
There is no definitive guidance on what these measures are. That means the legislation is vague but adaptable. Certainly in this instance it meant they should have prevented their employee or contractor walking off with a NAS drive containing the personal information of 60,000 customers.
Awareness of GDPR is growing. This is good news since it becomes enforceable on 25 May 2018. Some websites have now started displaying countdowns to emphasise that time is running out. There are many scaremongers out there who say that unless you completely change your business model and install expensive software you will be fined. It's probably not as bad as all that unless you have no procedures in place. But you do need to get ready. For those of you who read my last column, you know that Brexit won't derail GDPR in the UK so non-compliance is not an option. Let's clear up some of the confusion over the changes.
Massive new fines: This is one you know about already. The new fines will be the higher of 4 per cent of annual global turnover or €20,000,000. This will make the ICO's current fines look like small change – its record fine last year was £400,000 against TalkTalk. The highest fines will be for breaches of the keystones of GDPR such as the basic principles for processing data, including obtaining proper consent or the requirements relating to international transfers. Other breaches will be at the lower level of fine, being the higher of 2 per cent of annual global turnover or €10,000,000. Still pretty high. Some cynics say that it is currently cheaper to pay the fine than pay for proper measures to avoid data breaches. GDPR will change that as there will be no CFO who will want that kind of fine on their desk.
Data protection by default: Companies will have to ensure they approach data protection by "design and default". This will require clearer processes for collecting just the data they need, obtaining proper consent and adding functionality for returning or deleting data. They will also need to keep proper records. Companies should check their current systems and processes to ensure they are GDPR-ready.
Data Protection Officer: Some businesses have told me they're concerned they will have to appoint a dedicated Data Protection Officer. Let's be clear, GDPR requires you to appoint a DPO if you are a public authority or you regularly and systematically monitor data on a large scale. The average business which doesn't trade in personal data is unlikely to need a DPO – unless you're in Germany. Even if you are not obliged to appoint a DPO, you should still appoint someone with responsibility for your data compliance. This is how you can reduce your risks of breach and receiving one of those nasty new fines. You can even outsource this service – DPOaaS if you like – and that outsourced provider or DPO need not even be based in the EU.
Some CTOs have told me they've been asked to also fulfil the role of Data Protection Officer. They are concerned that by doing so, their dual role will place them in a conflict. As DPO they may be seeking IT systems that have data protection designed into them. As CTO they might not have the budget for it or the inclination for new software on an otherwise stable and tested platform. The best way to avoid this kind of conflict is to ensure that both roles make recommendations to the board as a whole. The board should then make the decision. DPOs should also ensure they document their recommendations, especially if they are ignored or overruled, and make sure they are included on the company's indemnity insurance for senior officers.
Consent from individuals: Consent is the quick way to comply with data protection laws. GDPR tightens this regime. To rely upon consent, it must be given by a "clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement". Consent must be "explicit" in relation to sensitive data. Consent must cover all the proposed activities and will not be regarded as freely given if there was no genuine or free choice. Also, individuals can withdraw their consent at any time. Companies should immediately review their consent statements, tick boxes, privacy policies and terms and conditions.
Expansion of individuals' rights: At present, individuals have a few limited rights such as to know what information a company holds about them and to have this corrected. They also have the right to object to direct marketing to them. Under GDPR an individual will get broader rights. There is, of course, the well-known "right to be forgotten" (or the "right to erasure") from the Google vs Spain case, and this will be expanded under GDPR. The controller will have to act "without undue delay" to delete the individual's data where, for example, they withdraw their consent. The controller must even take reasonable steps to inform third parties of this request. This will create administrative and technical challenges for businesses. The courts will be called upon to define the scope. For example, does it extend to back-up copies and archives? Individuals will also have the right to receive their data from the controller in a "structured, commonly used and machine-readable format". Also they will have the right to transmit the data to another controller "without hindrance". This "data portability" right may lead to better standardisation or interoperability of data formats, at least at the point of returning or migrating it.
Breach notification: Right now, data breaches might go unnoticed since there is no all-encompassing obligation to notify the ICO. That will change under GDPR. Unless the breach would not result in a risk to the rights and freedoms of individuals, controllers will have to notify "without undue delay". If a controller notifies after 72 hours, they will have to explain the delay. Companies must put in place proper processes to ensure the breach is notified to their DPO or the person responsible for data compliance. That person must then notify the relevant supervisory authority.
International transfers: GDPR doesn't fundamentally change the process of international transfers. Those who rely upon consent to authorise personal data transfers must ensure they inform the data subject of the possible risks. Now that the UK government has clarified that it will not remain in the Single Market, this means that after Brexit data transfers to the UK from the 27 remaining members of the EU will not automatically be authorised as they are at present. If the UK continues to adhere to GDPR standards, the EU Commission will issue an "adequacy decision" authorising transfers. However, if the UK courts ignore ECJ decisions or interpretations of GDPR, or the ECJ rules that the Investigatory Powers Act is too broad, this could undermine data transfers. Also, UK controllers collecting personal data from within the EU will have to appoint a representative in the EU. These changes will mean the UK has to work hard to avoid becoming a data island.
Data processing in contracts: GDPR will tighten obligations on data controllers. For the first time, data processors will also have direct obligations, although these are not extensive. I expect businesses to review their customer/supplier contracts that involve personal data to ensure they are fit for purpose. With hefty fines for non-compliance, companies must ensure their suppliers are GDPR compliant so that they don't get a fine. There's no point implementing GDPR-compliant systems and appointing a DPO if your supplier doesn't adhere to the same standards. So, data will remain a big topic in 2017. As the GDPR deadline rapidly approaches, expect to hear greater calls and urgency for compliance. After all, nobody wants to be the first to get a €20m fine. ®