Part 1 of 2
On May 25, 2018, the European Union (EU) is set to enact what is arguably the most significant change in how personal data is used, managed and governed since the UK Data Protection Act of 1998 and the 1995 EU Framework Directive 95/46/EC. Essentially, in its 99 articles and 173 recitals, the General Data Protection Regulation (GDPR) attempts to broaden the scope, strengthen the obligations and impose larger sanctions against the controllers and processors of EU citizens’ data who are non-compliant with the provisions of the regulation.
An entire website can be dedicated to detailing and analyzing each provision of the regulation, and there are many. Of course, it is prudent to employ the advice of appropriate legal counsel when interpreting these provisions. While I do not have the necessary titles following my name to command anything more than your interest in the topic of GDPR, I do have the necessary educational background and interest in another matter related to GDPR that should interest you – more on that in a moment, but let’s first make sure we have a core foundation in the main provisions of GDPR.
The Main (Albeit Simplified) Provisions of GDPR
Personal data is defined broadly, regardless of whether it identifies a person in their private, public or working life. It is essentially any information that refers directly (name, ID number, location, online/social ID, etc.) or indirectly (IP address, website cookie, associated data points, etc.) to the physical, genetic, physiological, mental, economic, cultural or social identity of that person.
Stronger rules in the GDPR mandate that the extent to which a data subject’s information is going to be used must be made clear and obvious at the point the data is collected. Furthermore, this must be demonstrable to auditors, consent must be freely given, and it must be equally easy to withdraw that consent at any time.
Essentially, the GDPR states that “with much data about a given subject, come greater rights of that subject to have access”. This means that a data subject has the right to know:
- The identity and contact details of the data controller and data protection officer (DPO).
- The purposes of the processing related to their personal data.
- The legal basis of the processing.
- The legitimate interests pursued by the data controller or a third party.
- The recipients of their personal data.
- If the personal data is intended to be transferred.
- The period for which the personal data will be stored.
- The right to withdraw consent at any time.
- The right to lodge a complaint with the regulatory authorities.
More impactful are the rights to access their personal information, to rectify or amend inaccurate data, to have their personal data made portable, and to have their data erased.
GDPR stipulates that organizations must take a “risk-based approach” to working with personally identifiable data. This means that appropriate controls must be developed according to the degree of risk that exposure of the data would pose, given the manner in which it is processed. This makes it mandatory to run annual privacy impact assessments, to embed data protection safeguards into the design of any new product, process or service at the earliest stages (a concept referred to as “privacy by design”), and to be able to anonymize data to protect the data subject. There would also be a significant increase in the record-keeping and auditing workload for the responsible members of an organization.
GDPR introduces the concept of organizational responsibilities tied to data controllers – those who, alone or jointly with others, determine the purpose and means of processing personal data. It also identifies the data processor as a party that has access to and works with the personal data on behalf of the data controller. Lastly, all hail the data protection officer, a role responsible for systematically and regularly monitoring organizational alignment with the provisions of GDPR with respect to how personally identifiable data is processed, among other activities. The DPO can be an employee of the organization or a third-party service provider.
This one is one of my personal favorites, because we often hear the word “breach” and immediately assume it refers to a network intrusion. In the case of GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data that is transmitted, stored or otherwise processed. Does this mean that any breach of personal data is required to be reported? No. In fact, if the breach of personal data is unlikely to result in a risk to the rights and freedoms of individuals, notice is not required. I don’t know how to quantify that (note my earlier point about not having specific titles following my name), but let me give you a specific example of this one:
Database administrator (DBA, also known as the data processor): receives a report that the company’s CRM system is not working properly. After investigating the problem, the DBA determines that a junior IT member (who is not supposed to have access) inadvertently executed a command that resulted in the table containing each customer’s personal details being deleted. This is a data breach in the eyes of GDPR. Not to worry though – the DBA restores the dropped table from the most recent backup and recovery set for that table, and work continues. According to GDPR, the DBA must notify the data controller of the breach.
IT manager (data controller): receives an email from the DBA outlining the problem, the actions taken to rectify it, any data loss or exposure, and the impact to the business. Given that this was resolved quickly, any lost data was recovered and the impact did not result in any specific risk to the rights and freedoms of the individuals in question, there is no specific need to comply with the notification responsibilities. However, our data controller exercises better judgement and informs the organization’s DPO, as it should ultimately be their decision (and it turns out they agreed with the assessment).
True, this sort of sounds like a scene from one of those mandatory corporate educational sessions, but it is a simple example that demonstrates how complex a “data breach” is and how opaque the responsibilities can be.
What if the above example were complicated a bit more – say a rogue element gains unauthorized access to the organization’s network and takes the information in question? Enter GDPR’s article 32, which states that should the data controller determine that the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, they must communicate the information regarding the breach to the appropriate authority and the affected data subjects without undue delay and, where feasible, no later than 72 hours after having become aware of it. Any delay beyond 72 hours must be reasonably justified by the controller. Vague terms such as “undue” and “reasonably justified” complicate matters, and this is when those titles following one’s name become so important.
The previous example begins to introduce time-based responsibilities that organizations have under GDPR. The table below attempts to group these notification requirements in a digestible format for those articles that apply specifically to an organization. The official reference material for GDPR can be downloaded here.
Principles relating to processing, erasing, or rectifying personal data

| Requirement | Time limit |
|---|---|
| Transparent information and communications for the exercise of the rights of the data subject | Without delay, and in any event within one month of receipt of the request |
| Data subject’s right to data rectification | Without undue delay |
| Data subject’s right to be forgotten | Without undue delay |
| Notification of a personal data breach to the regulatory authority | Without undue delay and, where feasible, within 72 hours after becoming aware |
| Notification of a personal data breach to the data subject | Without undue delay |
| Data Protection Impact Assessment | Without specific guidance; it is recommended that they be undertaken annually |
As I mentioned earlier, non-compliance with the GDPR articles brings heavy fines of up to 20,000,000.00 EUR or, in the case of an undertaking, up to 4% of the organization’s total worldwide annual turnover for the preceding financial year – whichever is higher. But what would that look like, financially, for a company deemed to have violated the GDPR?
I'll make an attempt to calculate that based on some very recent and highly publicized data breaches in part 2 of this blog.