Thank you to Dale Penn, one of the talented Advent IM Security Consultants for this informative guest post.
GDPR (General Data Protection Regulation)
This January the European Commission revealed a draft of its GDPR. The European Commission is hoping to introduce the GDPR by the end of 2015 to replace the outdated EU Data Protection Directive 95/46/EC, as the current standard is inadequate to deal with issues such as globalisation, social networks, cloud computing and so on.
The GDPR is a Regulation and not a Directive, which means it will apply directly in all 28 EU member states once the two-year transition period ends.
The GDPR includes a strict data protection compliance regime with severe penalties of up to 100M euros or up to five percent of worldwide turnover for organisations in breach of its rules.
What should it achieve?
The GDPR should provide a single set of data protection rules across the EU that addresses the current global environment and the advances made in communication technology, and that establishes a baseline standard of data protection for every member state.
- Non-EU businesses may still have to comply with the Regulation.
Non-EU controllers (and possibly non-EU processors) that do business in the EU with EU data subjects’ personal data should prepare to comply with the Regulation. Although enforcement beyond EU borders will be a challenge, given the size of the proposed fines those providing products or services to EU customers, or processing their data, may have to face the long arm of the law if an incident is reported.
- The definition of personal data will become broader, bringing more data into the regulated perimeter.
The Regulation proposes that data privacy should encompass other factors that could be used to identify an individual, such as the genetic, mental, economic, cultural or social identity of an individual. Companies should take measures to reduce the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.
- Rules for obtaining valid consent will change.
The consent document should be laid out in simple terms, and there is a proposal that the consent have an ‘expiry date’. Silence or inactivity should not constitute consent.
- The appointment of a data protection officer (DPO).
At the moment, there is still no agreement on the thresholds for appointing a DPO. There have been proposals to require a DPO for each company with over 250 employees and, in other instances, for companies that process the data of more than 5,000 data subjects a year.
- The introduction of mandatory privacy risk impact assessments.
A number of proposals have suggested conditions under which a privacy risk impact assessment will be required. What seems to be clear is that a risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers are likely to have to conduct privacy impact assessments to analyse and minimise the risks to their data subjects.
- The introduction of mandatory data breach notification.
The Data Protection Officer (DPO) will be under a legal obligation to notify the Supervisory Authority without undue delay, although this is still subject to negotiation at present. The reporting of a data breach is not yet subject to any minimum standard, and it is likely that the GDPR will require such breaches to be reported to the Supervisory Authority as soon as the organisation becomes aware of them. Individuals have to be notified if an adverse impact is determined.
- The right to erasure.
The right to be forgotten has been replaced by a more limited right to erasure. A data subject has the right to request erasure of personal data relating to them on any one of a number of grounds.
- Data portability.
A user shall be able to request a copy of the personal data being processed in a format usable by that person, and to transmit it electronically to another processing system.