DATA AND THE LAW

‘General Data Protection Regulation’ is arriving in early 2018. I take a look at what it could mean for businesses.

A disclaimer: I am not a lawyer, and the following is not a substitute for good legal compliance advice. Rather, it is a ‘speed summary’ intended to provide context to the forthcoming legislation, and to alert readers to the provisions they may have to make. The entire text of the law can be found at www.gdpr-info.eu which is worth saving to your favourites.

25 May 2018 is the day the ‘General Data Protection Regulation’ [GDPR] will become law. Brexit will not affect the fact that GDPR will be implemented as law in Britain. A forthcoming bill, championed by the UK’s digital minister Matt Hancock, will implement GDPR in UK domestic law. But GDPR will be law beyond the EU anyway: any time an EU residents’ data is processed or monitored, this law takes effect. Theoretically, data processors from Bhutan, Nigeria, North Korea, and Antarctica, would be bound by the law, should they process EU data. More substantially, companies in the US are also preparing for GDPR.

However, it is a widespread worry that not all businesses will be compliant. Some predictions conclude that by the end of 2018, more than 50% of businesses affected by the changes will not yet be fully compliant with them. The Financial Times also ran an article in July 2017 arguing that businesses are ‘failing to prepare.’

In this case, failure looks like a whooping great fine. Violating GDPR could cost you up to 4% of the previous years’ turnover, or 20m euros – whichever is higher. You may be required to show you have taken reasonable action to comply. There may well be substantial legal wrangles which follow this law.

ENFORCED – AND PERHAPS ENFORCEABLE

Given the scale of the change that the legislation demands, and the level of the anticipated failure to comply, there are questions about how this law will work. Part of this involves broader questions about legislating in an international space.

This law will be enacted immediately across the EU. This means that data regulation will be homogenised across the EU, cutting costs for businesses hoping to operate in multiple countries. There has also been some progress with cutting red tape: for example, you will no longer have to notify certain local authorities when a citizen’s data is processed. Since the law relates to the location of the people whose data you process, which could be any number of countries, some degree of homogenisation is really a prerequisite for the bill to work.

However, there is still scope for local regulatory authorities to stipulate area-specific rules. Whether this will manifest, and we will see specific legislation for the data of the people of Wallonia, or any of the EU’s countless municipalities, remains to be seen.

WHAT DO I HAVE TO COMPLY WITH?

1.    You have to move my data if I tell you to
   The great overriding principle here is that I – the subject of the data – own the data, not you. One thing this means in practice is that I have the right to ‘data portability.’ If I request it, my data must be transferred to another organisation (e.g. your competitor), in an intelligible format. Your systems need to be ready to produce all the data that relates to a person as and when they need it.

2.    Tell me if my data has been stolen
   I must be notified if, and when, a security breach occurs, if the breach constitutes a privacy risk for me. At any rate, your ‘supervisory authority’ must be contacted in the context of any breach within 72 hours. The ‘Article 29 Working Party’, or W29, published a guide to identify what your supervisory authority is. This is why taking basic, healthy, cybersecurity measures – such as installing ‘patches’ for your operating systems, when they’re released – is also important. A list of security measures to be taken ‘if appropriate’ can be found in article 32.

3.    Keep an inventory!
   You must keep an inventory of all processing activities which have taken place. This must include all third parties receiving the data, and should be intelligible. Details can be found in article 30.

4. The Right to Be Forgotten
   Article 17 guarantees the right to be forgotten, which happens at the request of the data subject. Data should be deleted if the subject withdraws their consent and there are no lawful grounds for collection of data without it. It should also be deleted if it has been unlawfully processed or collected; or if it violates the member state law of the subject.

5. Some companies will need a Data Protection Officer
   You will need a Data Protection Officer (DPO) if you process data which reveals genetic data, health data, racial or ethnic origin, religious beliefs. There are also other circumstances which require a DPO: the rest can be found in article 37.
   
   A DPO is a person responsible for helping to interpret the GDPR for your organisation. ‘DPO’ is a legally protected term which requires qualifications, not just a job title you have to hand to someone. You have three options here: you could hire somebody wholesale – totaljobs estimates the average salary for jobs relating to data protection is £27,000. You may choose somebody internal and train them – I could find accreditation courses which took between two days and a week, and cost around £2,000. But perhaps the simplest option is to hire an external consultant to work on an as-and-when basis or for occasional checks.

6. ‘I process data on behalf of others, have I become liable?’
   The GDPR refers to ‘the controller’ and ‘the processor’, where ‘the controller’ collects data and ‘the processor’ processes it. They are both liable. The processor is obliged to appoint a DPO and to keep records of all processing activities (the controller is too in some instances). A supervisory authority has legal powers and can come to you directly with requests.

HOW DO I SHOW I’M COMPLYING?

The Information Commissioner’s Office (ICO), the regulatory body in the UK, produces a blog with checklists of actions firms need to take to be compliant.

They may ask you to prove you are complying.  Ideally there will be examples of users exercising a right this bill gives them, and you can therefore demonstrate that you did comply. If you have a certified DPO, so much the better.

Importantly, the EU introduces mandatory Data Protection Impact Assessments (DPIA). This terrifying-sounding term is mandatory where processing is ‘likely to result in a high risk to the rights and freedoms of natural persons.'  It is ‘particularly relevant where new technology is introduced.’

The DPIA is like a risk assessment; ‘prior to the processing’ you must ‘seek the views of the data-subjects or their representatives… where appropriate.’ Article 35 provides a framework for undertaking a DPIA.

Beyond this, to show you’re complying, you could try flicking through the hortatory (as opposed to mandatory) aspects of the law, and conspicuously follow their advice. For example, the regulation also states that, ‘the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance.’ The certificates referred to here are not yet available and you are not obliged to have them. But when they are, you may want to get them in order to minimise risk of perceived noncompliance and a ‘4% of turnover’ fine.