General Data Protection Regulation (GDPR) – What is it and what should organisations know?

On May 25th 2018, the General Data Protection Regulation will come into effect in all EU member states. It will replace the Data Protection Act 1998 in the UK.   Known simply as the GDPR, this Regulation represents a dramatic departure for European Union regulators from the previous Directive based approaches to data protection legislation.

Prior to exploring what GDPR means for organisations and individual citizens alike, it is worth reflecting briefly on where this is coming from. In Post-War Europe, the European Convention on Human Rights aimed to enshrine the rights of European Citizens with article 8 of the ECHR focusing on the right to privacy. In recent decades, the arrival of the internet and the advent of mass data processing and analytics enabled EU citizens to generate vast quantities of data through browsing behaviour, buying and selling online, and social media. Such advances has fostered the emergence of large Silicon Valley giants founded upon these data-driven business models, where data protection and privacy have frequently only featured after the fact, if at all. The recent announcement by Uber of a major data breach which the organisation had concealed for over a year is a case of the lack of regard given to citizen privacy. In drafting the GDPR, the EU is essentially disrupting the disrupters and advertising itself as the leading global watchdog in the establishment of a new order with respect to the data rights of citizens.

One of the most significant changes within GDPR is the ‘expanded territorial scope’ which means that the GDPR applies to all EU citizens’ personal data regardless of whether it is processed within or outside of the EU. Of particular importance is also the expanded material scope of GDPR, with the definition of what constitutes Personally Identifiable Data (PII) extended beyond obvious attributes to ethnicity and gender to include biometric data and genomic sequencing data and even the IP address of an individual browsing the web. The GDPR is accompanied by an enforcement regime, which sanctions for serious breaches reaching up to €20 million or 4% of total worldwide annual turnover (whichever is greater). Clearly this is intended to alert the market to the gravity attached to the GDPR; failure to comply is a non-trivial offence.

The GDPR also brings a raft of additional operational requirements covering the need for business processes such as privacy impact assessments, new roles like Data Protection Officer and specific rules governing breach notification. Additional consideration is given to the process whereby data can be ‘pseudonymized’ thereby allowing ongoing analytics, the intention here being to allow a fair degree of ‘business-as-usual’ to the analytics and data science industry, once appropriate checks and balances are in place with respect to user privacy.

In an effort to shift the balance of power and provide citizens with greater control over their personal data, the GDPR introduces a range of new rights for data subjects. These rights include erasure, rectification and portability. Erasure or the ‘right to be forgotten’ stems from the case of a Spanish Lawyer who wanted details of a previous bankruptcy to be removed from online search engines. Rectification refers to correcting erroneous data, and portability confers the right on a data subject to gain access to their own records, and in a readable format.

In addition to all of the above, the Regulation enshrines the concept of ‘explicit consent’. This is intended to outlaw online consent models where opting-in is achieved by getting users to accept lengthy terms and conditions, which for the large part remain unread. Gone are the days where users, simply tick boxes in blind faith, and consent remains unread in the text. The GDPR mandates that consent must be clear and obvious, similar to the manner in which websites now advertise cookie usage. Furthermore, the new accountability principle requires organisations to provide proof that explicit consent was given by citizens.

Citizens can inform themselves of their rights by visiting the website of the Information Commissioner’s Office https://ico.org.uk/. Organisations already compliant with the existing Directive are operating from a position of strength, however the onus is on everybody, particularly small companies, to understand precisely what the GDPR means for their business, and what steps they need to take to demonstrate and achieve compliance. Ignorance is no defence, and notwithstanding the Y2K flavoured circus that seems to be taking place around GDPR, there are many consultants who can provide expert advisory services, many coming from the Information Security Industry.  Numerous free events and information days are also taking place around the country. Time is ticking however and companies need to accept that any revision to existing organisational practices are complex. While complacency is not an option, the good news is that achieving compliance will help to tighten up and introduce best practices in the often overlooked area of risk management.

A useful checklist for organisations in preparation for GDPR is available from the Information Commissioner’s Office.

 Jack Nagel, is Head of Business Development, and Grace Fox is a Post-Doctoral Researcher at the DCU Centre for Cloud Computing and Commerce