GDPR the Important Bits...Part 1

GDPR (General Data Protection Regulation) is the "upgrade" to the Data Protection Directive (implemented in the UK under the Data Protection Act), and it comes into force in May 2018.

There has been a fair bit of coverage in the press about GDPR, not all of it well informed, and some of it quite negative. With so much of our data being shared with companies, strong data protection that reflects the way information is shared and stored, and the way business is conducted these days, is vitally important...Not only that, much of the GDPR is really just best practice codified.

GDPR? Who Cares?

There are so many pieces of regulation and compliance vying for our attention these days, so why should you care about this piece of EU regulation?

GDPR applies to companies irrespective of their location (including if they're based in the United States), if they are collecting, storing or processing personal or sensitive information about EU residents

The first and most important point is that this legislation isn't just applicable to countries in the EU or the EEA; it applies to any organisation that deals with the personal data of EU residents, no matter where the data is stored or where the company is based (yes, this includes the United States).

Fines for non-compliance can be as high as €20m or 4% of annual global turnover

To express the importance of remaining on the right side of GDPR, the maximum fines have been increased from those of the DPD to an attention-grabbing maximum of €20m (approximately $22.25m or £17.7m at the time of writing) or 4% of global annual turnover, whichever is the higher.

GDPR applies to UK companies irrespective of the Brexit vote

If you are a UK-based company thinking that this is a piece of EU-oriented legislation that you don't have to implement, I'm sorry, but that is not the case...The UK won't "Brexit" before May 2018 (when GDPR comes into force), and even post-Brexit it is likely that the UK will maintain equivalence with legislation like GDPR to ensure that UK companies can sell products and services to EU residents.

What Is Personal and Sensitive Data?

Personal data is data that can be used to identify a living individual. This includes structured data like name and address, but also codes or reference numbers such as telephone numbers, social security numbers, passport numbers etc. that can be combined with other datasets to establish personal information.

Importantly, unstructured data can also fall into the category of personal data if it identifies a living individual, for example:

"The woman who lives at 12 The High Street, Sometown, who owns a red Porsche"

As strange as this might seem, this could be considered personal information if, for example, there is only one woman living at that address, or only one Porsche owner, or only one owner of a red Porsche.

The GDPR makes it clear that online identifiers and GPS location information can be personal information; this includes things like the identifiers used in web browser cookies and IP addresses. Almost all websites create at least some logging information, which typically includes details of the pages and images that have been accessed, along with the IP address of the requestor. Depending on the structure of your website and the logs that the site creates, that log data could be considered personal information.

Sensitive data includes data such as biometric or genetic data, or information relating to the sexual orientation of the data subject. Companies storing this type of information need to pay particular attention to the requirements of the GDPR and ensure that the protection of sensitive data is appropriate.

Consent

Consent sits at the heart of the GDPR and is one of the main differences between the approach to data ownership in Europe and in the US, for example. Under the terms of the DPD and the GDPR the data still belongs to the data subject (the person to whom the data refers), and that data subject gives consent for the data to be collected and used in a certain way. The fact that a company has paid for the collection of that data and its subsequent storage does not convey any right to use the data without the consent of the data subject.

Data can only be used for the purpose for which consent was given

Once collected, the data can only be used in accordance with the purpose for which it was collected and for which consent was given. So you can't collect data in order to provide a service and then use that data for marketing without having sought permission to use it for that purpose (this is the point of the marketing tick boxes that often sit at the bottom of forms, saying something like "Please contact me by email about similar services from A.N.Other Service Provider"). Consent has to be opt-in (so no answer, or a pre-ticked opt-in default, isn't acceptable), so pay attention to your legal disclaimers and your consent-gathering process.

The Need for a Data Protection Officer

The GDPR (unlike its predecessor) makes it clear that there needs to be someone responsible and accountable for the protection of personal and sensitive data. This person is known as a Data Protection Officer. This needs to be a named person, who will be the person that deals with the governing Data Protection Authority (DPA) and who, in the case of a data breach or incident, will be responsible for notifying the DPA and for managing the incident.

The role of the Data Protection Officer will vary slightly depending on the nature of your organisation, but generally they will be responsible for:

  1. The protection and accuracy of the data within the company
  2. The creation and maintenance of the data protection policies and procedures for the organisation
  3. Dealing with the data protection authority
  4. Dealing with data protection issues, breaches or incidents
  5. Creation of data categorisation
  6. Monitoring of data retention adherence

Smaller organisations won't have to have a dedicated resource (i.e. the Data Protection Officer role can form part of someone's job), where the knowledge exists. Larger organisations will be expected to have a dedicated resource.

It is possible to have this function provided by a supplier, which certainly overcomes the challenge of ensuring that there is sufficient knowledge and time available from internal resources.

Will Every Company Need to Change?

Those that are already compliant with the DPD will have the least change to make. If your organisation is compliant with the DPD and the only personal data that you process is, for example, HR and employment records, then the amount of change required is certainly at the lower end of the spectrum. You should, however, make sure that you understand the rights that the data subject has under GDPR (I will cover this in Part 2) to ensure that no changes are needed to either computer systems or business processes, and you will of course need a data protection officer.

At the other end of the scale are organisations that haven't previously been compliant with the DPD and that process data which is considered personal data under the GDPR. The changes that such organisations may need to make include:

  1. Implementing data protection policies and procedures (including data categorisation, data retention and data destruction)
  2. Changing business processes to accommodate the data subject's rights (covered in Part 2)
  3. Potentially changing computer systems to be able to fulfil the data subject's rights
  4. Appointing a data protection officer

Encryption Takes Away the Pain?

Actually, it doesn't. GDPR (and its predecessor the DPD) is of course about protecting information from hackers and data breaches, an area where encryption might help, but it is just as much about ensuring that the data is used in the way the data subject was told it would be used, and by those it was said to be used by.

Encryption doesn't take the GDPR pain away

Implementing policies, processes and procedures that are aligned with GDPR, alongside technical and security solutions (including encryption), is the painkiller that you're looking for. For organisations that haven't implemented anything like this before, this will require effort and potentially some changes to business processes. For those that have implemented data protection previously, these changes will be incremental improvements.

Vendor Management

A phrase that I seem to say a lot more frequently these days is:

"You can outsource the function but can't outsource the responsibility"

This doesn't just apply to GDPR; there are many governance or regulatory requirements that it applies to, so it is worth remembering the phrase and making sure that it is a principle of your Vendor Management System, or of your approach to any co-sourcing or outsourcing activity.

The practical implication of this phrase is that you need to measure, monitor and manage the services provided by vendors, making sure that they are processing the data in accordance with the applicable data protection regulation (GDPR in this case). Where they don't, and there is a violation or data breach, your organisation will be liable and will be dealing with your data protection authority to explain the nature and extent of the breach and the mitigating actions being taken to pick up the pieces.

Practical Advice for Right Now

Posting this in October puts us in the middle of many companies' budget season. It is critical that you consider how compliant you are going to be with GDPR, and what changes are likely to be required, as part of your 2017 budget planning.

Many companies already have a change agenda large enough to keep their teams busy, so the chances of successfully implementing GDPR at the last minute are slim. Plan early and implement early; what's the worst that can happen? You might be protecting your customers' information more securely than your competition, which, in the face of a number of recent high-profile hacks, really isn't a bad thing.

Darren Wray