The EU’s General Data Protection Regulation – get ready or get busted

The challenge of the EU’s General Data Protection Regulation (GDPR) is as great as the millennium bug in 1999 and will catch out all organisations that fail to make the appropriate adjustments to their business processes and IT activities in time. My Figure shows the numerical results for searching for a number of selected phrases on July 3rd and demonstrates a significant lack of activity just 10 months away from implementation. I want to do my bit to raise awareness and help you to understand the background, legislation and activities you’ll need to undertake to be and remain compliant.

Excellent rights and theoretical protection for EU citizens

Since the EU last legislated on data privacy in 1995, huge growth in the use of social media and the digital transformation of many of our everyday processes have widened our vulnerability to those who can gain access to and abuse the private information we give to participate. GDPR addresses these changes. For citizens it gives some excellent rights. For instance:

  • To find out whether a controller holds your personal data and what it is.
  • To be forgotten – the controller has to erase any links to, or copies or replications of those personal data.
  • To protest about and stop the processing of your personal data.
  • To be asked for permission for each project which uses your data.
  • To stop the processing of your personal information for use in direct marketing campaigns.
  • Not to have decisions made for you (such as being turned down for a credit card) purely by automatic evaluations (including profiling) of your personal details.

Despite the exceptions and modifications for public healthcare, secret service, police and legal purposes, it sets out some serious new responsibilities – backed up with stringent penalties for non-compliance – for all organisations targeting or serving EU citizens, whether they’re based in the EU or not.

Personally I’ve been concerned about constant cold-calling from highly speculative suppliers (including a local oven cleaning company using automated phone calls without the chance to opt out), the accessibility of my ex-directory phone numbers on the Internet, the amount of money that many suppliers make from selling personal data to others for different, new and irrelevant purposes, licence agreements for apps and software written in small print across 25 pages and the number of times that various apps require location services switched on and/or access to the photographs on my phone and contact lists. Every day I receive hundreds of spam messages – some from recognised suppliers such as Fox News, CNN, MSNBC and the Huffington Post – without ever having asked for them and without the ability to switch them off. My hopes are that this latest legislation gives me the tools to stop this kind of abuse, although they’re not very high given my online experiences over the last 22 years.

Big new responsibilities for suppliers

Just as GDPR offers new levels of protection for citizens over the use of their personal data, it raises some serious challenges for all organisations supplying them with services, some of whom are even unsure of what an EU Regulation is. Some companies in already heavily regulated industry sectors such as financial services, telecoms and healthcare will take GDPR compliance in their stride, although others in the sales, marketing, retail and wholesale industries will not. Hopefully most of the companies that make their living from selling and abusing personal data will be put out of business.

As a business owner based in the UK, I have had no direct information on GDPR either from the British government or the EU. Luckily my business is small enough to adjust and comply by May 25th 2018; less fortunate are the medium and large businesses who, if unaware of the changes, are probably already too late to adjust their HR, marketing and other business processes, as well as the way they run their IT systems, in such a short period of time. There will be no grace period; the maximum fine for non-compliance is €20m or 4% of your last year’s annual turnover, and you won’t get off the hook in the UK just because it’s leaving the EU.

The Data Protection Board – who, where, what remit?

GDPR replaces the 1995 Directive 95/46/EC and is more stringent and tuned for the advances made in social business since then. Under it the EU will set up the Data Protection Board (DPB) with legal responsibility for enforcing the Regulation. It will replace the ‘Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC’ in 1995. EU countries will also set up single supervisory bodies to whom complaints can be directed. Member states should set out the rules on criminal infringements of the Regulation.

Controllers and processors – who, where, what responsibilities?

The Regulation separates suppliers into controllers and processors who have individual and joint responsibilities. In particular:

  • A contract based on EU or member state law is required to exist between the two – they have joint responsibility for adherence to the Regulation whichever country/region they are based in, and either/both can be prosecuted for non-compliance.
  • After completion of each project the processor must delete or return the data to the controller. You will need specific and unambiguous permission for the use of personal data for each project – you can’t store it up for some new purpose, or sell it to another company for a purpose different from the one for which permission was given. You will have to keep records of the projects and data used, for audit by the supervisory authority.
  • Representatives based in the Union are necessary for controllers and/or processors based outside it, but offering products or services into it.
  • Breaches have to be reported to the RCB within 72 hours.
  • Controllers must undertake data protection impact assessments on large projects where there is a serious risk of a breach.
  • Certification mechanisms and data protection seals and marks should be encouraged to help individuals choose which to use or reject.
  • The Commission will certify (or revoke the certification) of certain countries, territories, sectors and specific organisations outside the EU with an adequate level of data protection.
  • The unauthorised reversal of pseudonymisation (where two databases can be linked to identify individuals) is not allowed.
  • Those outside the EU should accede to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol.

The Regulation sets out a number of exceptions such as the processing of employee information, the processing of personal data by government bodies or by households. Fines for non-compliance include a maximum of €10m or 2% of the previous year’s annual turnover (whichever is greater) for some infringements and €20m or 4% for the most serious ones.

EU and international suppliers serving its citizens are unaware and unprepared for compliance

Currently there is not enough discussion or activity to expect anything other than a messy introduction next year. If things don’t improve, many companies will go out of business, hounded by multiple requests for information and refusals from individuals, and by prosecutions from the DPB and individual governments for non-compliance. If you agree, please join me by commenting below or emailing info@itcandor.com so we can address this important issue together.