Friday, 1 August 2014

EU GDPR - data protection will never be the same again

(This blog entry is based on an AIIM webinar given on 17 July 2014)

As an IT practitioner I have a lot of bitter experience regarding Data Protection. I helped implement the first 1984 DPA in a large chunk of the UK NHS in 1985, and was one of the people involved in the advisory panels for the amendments brought in for the 1998 Act.
For those readers who are unfamiliar with the abbreviation, the GDPR is the European Union General Data Protection Regulation that is intended to replace the current Data Protection Directive, and throughout this blog I will aim to explain the reason for the new Regulation and the differences from the Directive(s).
This blog and its wording are based upon the assumption that most readers are in businesses or organisations which will be affected by the GDPR; there are very few who won’t be. If not, forgive me and contact me later for specifics relating to your context.
Just to clarify, data protection is about effectively managing personally identifiable information, ensuring that the rights of the persons identified are not breached. It applies equally to both manual and electronic records.
Data Protection in the EU has been around for a long time, but not because of the bureaucratic ambitions of Brussels. Rather it supports the founding principles and objectives of the EU, facilitating both free trade and a level playing field for businesses. It also supports the articles of the European Convention on Human Rights (ECHR), to which all member states subscribe.
Like the US Sarbanes-Oxley Act (SBA) in 2002, the DP Directive(s) and the new Regulation effectively codify best business practice. The SBA basically enshrined in law the Federal Rules of Business first published in 1937.
The GDPR is not one of those ideas put out by Brussels which will get forgotten. It has been in debate for 20 months, it has had 250 hours of committee time, and it has had 3000+ amendments tabled and addressed. It will happen.
As previously mentioned, EU DP legislation is not new, being 30 years old; however, the original directive did not envisage the rapid march of technology, for example the emergence of social media and cloud. Neither did it consider that the EU would be 28 countries big with ambitions to be bigger. At present, each of the 28 states has its own Data Protection Act and some of them conflict. In addition, multinational companies currently have to register with the relevant Data Protection Authority in each of the member countries within which they operate.
The current directive, snappily named 95/46/EC, is therefore no longer fit for purpose and needs updating for all the reasons mentioned above, and the GDPR has a specific focus on making the rules clearer for both social media and cloud services.
Readers please note, it is a Regulation not a Directive, so rather than the 28 different interpretations we currently have, it will create a single regulatory landscape within the EU. This is particularly relevant for cloud applications and cloud storage providers.
Meanwhile, until it kicks in, organisations will have to comply with the individual regulations across 28 member states, plus those outside.
AIIM, in association with the London law firm Bird & Bird, is currently producing a definitive guide as to how 11 of those countries’ rules apply to the cloud, and to an extent, how their Information Commissioners are interpreting and enforcing them across a number of different data types.
From the implementation of the GDPR one single set of rules will apply to all EU member states, and there will be one single Data Protection Authority (DPA) within the EU responsible for each company, depending on where the company is based or which DPA it chooses to register with.
The significant changes from the previous directive include:

· The GDPR applies to “any information” (that can identify a person, i.e. a ‘data subject’) whether private, professional or from public life.

· The GDPR requires both ‘Privacy by Design and by Default’ (Article 23) and that data protection is built into systems and processes, so that privacy is accorded a high priority.

· Data controllers in organisations must be able to prove "explicit consent" (opt-in), and consent may be withdrawn by the data subjects.

· A data subject shall be able to request a copy of personal data being processed in a format usable by this person, be able to transmit it electronically to another processing system, and delete it.

· Data Protection Officers (Articles 35-37) are to ensure compliance within organisations. They have to be appointed for all public authorities and for enterprises with more than 250 employees.

· The company’s data controller has to inform the Data Protection Authority (DPA) within 24 hours (this will probably change to ‘without undue delay’) of any breach (Article 31).

· Data subjects must be notified of any adverse impact consequent upon a breach (Article 32).

· The Regulation enforces the ‘right to be forgotten’. Upon withdrawal of consent (or upon the data no longer being necessary), an individual’s data must be deleted unless there is a legitimate reason for its retention (Article 17).

· A range of fines can be levied for non-compliance: up to EUR 250,000 or 0.5% of annual global sales for not responding to requests by the data subject or DPA, and up to EUR 1 million or 2% of annual global sales for not complying with specific GDPR regulations. To put that in context, currently in the UK the maximum fine for a breach is £500,000 or EUR 628,500.
The drivers for a change to the directive also reflect what is happening on the ground. Mario Costeja, the Spanish lawyer who recently took a case against Google requesting that it remove search results pointing to ‘outdated’ information on him, won his case in the ECHR, and now Google has established a process for removing such links from searches. However, it has been, to put it mildly, ‘overwhelmed’, with 70,000 individuals requesting that in excess of 250,000 links be removed.
And as we found out here in the UK recently, the ruling could have unforeseen consequences, as when a top BBC journalist was informed by Google that links to one of his blog posts on the BBC website would be cut.
However, this is NOT the right to be forgotten as envisaged by the Regulation, but it is an important step towards it.
I previously referenced the US SBA – that act not only applied to the actions of US companies on US soil but to all their subsidiaries in other countries. With a similar global view, the GDPR applies to any organisation collecting personal data on individuals in any of the 28 EU states, irrespective of where that company is headquartered, or where the data is held.
Thus a company such as the cloud based file sharing and collaboration provider BOX, which does not have any EU data centres IS subject to the regulation, because it collects personal details on an EU subject.
The regulation also overrides the legal complexities we have established in current business relationships. For example, a German company signs a contract with the Irish subsidiary of a US cloud provider, fully aware that a backup of all data is physically stored in a data centre in India. While the legal location of the provider would be Ireland, the political location would be the US and the physical location would be India, legally under the regulation all data is still under German control and the responsibility of the German company.
In April, here in the UK, Trend Micro commissioned some research on awareness of the GDPR, undertaken by Vanson Bourne. It includes some good and some frightening figures. First a scary one: across Europe 15% of companies were not aware of the GDPR. Then some mixed messages:

· Whilst 88% of British companies said they were aware, a tiny 7% thought their understanding was good.

· Whilst the French had a lower level of awareness overall at 73%, the proportion whose understanding was very good was much higher than the UK at 23%.

· Somewhat stereotypically, our German cousins had a very high awareness of a forthcoming EU Regulation, i.e. 92%.

· The really scary figure revealed by the survey is that 14% of British companies do not currently comply with 95/46/EC. That does not put them in a good position for meeting the timescale of the Regulation.
Continuing the look at awareness of the GDPR, AIIM undertook some research earlier in 2014, looking at world-wide numbers for financial services organisations. Whilst its “what is it?” figure was, not surprisingly, a bit higher than Trend’s “not aware” figure, the research also produced the frightening finding that 23.5% did not think the GDPR applied to their organisation.
The vast majority of those organisations have got it wrong! As I have previously expressed, if an organisation holds personally identifiable information, either electronically or in manual form, on EU citizens, the Regulation applies to them in whichever country they are based. And it is not just customer data; it is employee or even associate data (with, it must be added, a few exceptions that would confuse this piece).
Whilst I have an opinion on the date for implementation of the regulation, it is still ‘up for grabs’. The reason being that the Regulation has to be approved by the 700 plus new Members of the European Parliament (MEPs) that took their seats on the 1 July 2014. A not insignificant chunk of them don’t like the EU, and want to frustrate its operations. However, back to my earlier comments, the Regulation is pretty much ‘done and dusted’ in technical terms. It has been in negotiation for 20 months, there have been 3000 plus amendments tabled and in excess of 250 hours debating time. I don’t foresee many more changes and neither does the EU Parliament, with a target date for passing the Regulation set for late 2014.
However, for organisations that are worried about addressing the Regulation, there is a 2 year implementation period, recognising that some countries and organisations need to be brought up to a level of compliance. Therefore by early 2017 all organisations need to be ready. Obviously, if an organisation is already complying with its respective country’s Data Protection Act, it should be easier.

So in summary: organisations should not be afraid of the GDPR, unless they are one of the 14% of UK companies that do not currently comply with 95/46/EC. Compliance with the GDPR should not be a big leap, and even if they don’t comply today, two years is a big window.
Please note, however, that given the Mario Costeja case and the recent revelations that Facebook tested user responses without their consent, this is ‘hot stuff’, and potentially easy pickings for regulators.
The relevant experience I would like to bring to readers is again that of the SBA. Companies investigated by the SEC for potential breach would spend effectively 6 months in ‘shut down’ whilst their directors and executives provided information to the SEC, irrespective of whether they were compliant or not. Six months when their competitors could innovate and take market share.
Back to my opening comments: at its base the GDPR is about supporting free competition. It is coming, so grab it and use it; those who are ready will have a major advantage.