The EU’s General Data Protection Regulation (GDPR) is receiving an ever greater level of attention. Much of the focus is on dates, compliance deadlines, and the higher fines and penalties that GDPR can impose. However, GDPR should not be treated as a short term compliance exercise. The reality is that GDPR is a new journey that organisations need to embark on, and it will not come to an end in May 2018: that is simply the date on which the regulation starts to apply. GDPR has implications which may ultimately affect an organisation’s business model and strategy. Forward thinking organisations will be evaluating how to position themselves to take advantage of the potential new markets and revenue opportunities that will flow from GDPR. This initial article provides an overview of what GDPR is and outlines three practical steps an organisation can take to start its GDPR journey. Our follow up article will examine the new business opportunities that GDPR may generate, particularly in the context of ‘data portability’.
Part One – Basics Of GDPR
What is a ‘data subject’ and what is ‘personal data’?
A data subject is an identified or identifiable natural person, and personal data is any information relating to that person. According to the European Commission:
“personal data is any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.” The European Commission gives examples of personal data: “it can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address”.
Data subjects are treated as the ‘owners’ of their personal data in the sense that organisations which gather personal data do not own it. This is a crucial GDPR concept: organisations are, in effect, borrowing the data from the data subject. Consequently, they need a lawful basis (see below) to collect and process it, and consent is only one of those bases. Where consent is the basis relied upon, GDPR requires it to be clear, transparent and explicit. The European Commission makes it clear that,
“companies will no longer be able to utilise long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent – meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.”
What is the difference between a ‘data processor’ and a ‘data controller’?
According to the European Commission definition,
“A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.”
So for example, a card issuer may have a customer CRM database full of personal data. It may also decide to analyse its customer card transactions and combine the datasets to drive marketing activity. In this instance it is the data controller. The same card issuer may use a cloud based CRM solution where the personal data is in fact stored at a data centre under the control of the solution provider. In this instance the solution provider is the data processor. Under GDPR, data controllers and processors have specific roles, responsibilities and compliance obligations, and the controller remains responsible for choosing processors that provide sufficient guarantees.
Does my business need to appoint a Data Protection Officer (DPO)?
European Commission says that,
“DPOs must be appointed in the case of: (a) public authorities, (b) organisations that engage in large scale systematic monitoring, or (c) organisations that engage in large scale processing of sensitive personal data (Art. 37). If your organisation doesn’t fall into one of these categories, then you do not need to appoint a DPO.”
So in most instances, companies will not be required to appoint a DPO. This matters because DPOs must be independent and will, for good reason, be hard to remove once appointed. It is worth noting that DPOs report directly to the highest level of management, must not be instructed on how to perform their tasks, and act as the contact point for the supervisory authority (Article 38), so they are not simply another member of the management team. The need for a DPO needs to be evaluated carefully. Some larger scale players, such as banks and larger scale payment processors, may be caught. Also some member states, such as Germany, already mandate the role. Given that the German law requiring DPOs came into force in 2001, most organisations will already know whether they are caught on this particular point.
What are the conditions under which personal data can be processed?
It is important that organisations determine the lawful ‘basis’ for processing personal data and document it. The list below sets out the six lawful bases for processing personal data as stated in Article 6 of the GDPR text. The additional conditions for “special categories of data which merit higher protection” (Article 9), such as health-related data, are not included.
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Many organisations may rely on the last of these, legitimate interests, as the lawful basis of their data processing activities. The GDPR text in fact uses fraud prevention as an example. Recital 47 of the GDPR text says that:
“Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. …..The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
It goes on to say that “At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.
How does GDPR affect organisations outside of the EU?
European Commission says that,
“The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.”
So as a rule of thumb, any organisation anywhere in the world that intends to do business involving the processing of personal data of EU data subjects will need to comply with the GDPR.
How does the GDPR affect policy surrounding data breaches?
Organisations need to fine tune their data breach response procedure. The relevant GDPR provisions (Articles 33 and 34) concern how an organisation must respond once a breach has occurred, not how to prevent one. The 72 hour clock runs from the point at which the controller becomes aware of the breach, and notification to affected individuals is required where the breach is likely to result in a high risk to them. The European Commission says that,
“Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.”
What about ‘Brexit’?
The UK government’s position on Brexit and GDPR was directly addressed in the Queen’s Speech (on 21st June 2017), which formally set out the new government’s legislative plans. It included the introduction of a new Data Protection Bill which will incorporate both GDPR and the EU’s Law Enforcement Directive. Hence, the UK will continue with GDPR and we can expect the same rules to apply post-Brexit. This is in line with the following EU statement:
“The UK Government has indicated it will implement an equivalent or alternative legal mechanism. Our expectation is that any such legislation will largely follow the GDPR.”
When does GDPR come into effect? What are the penalties for non-compliance?
The GDPR applies from 25 May 2018. The fines and penalties organisations may incur for non-compliance are considerable.
“Organisations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.”
Part Two – Three Practical Steps
Many organisations have already embarked on their GDPR journey. Be careful not to treat your journey as merely a short term compliance exercise to avoid fines and penalties after the May 2018 deadline. GDPR has far wider and longer term implications, some of which may affect your organisation’s business model and strategy. For example, the concept of data portability is extremely important to get to grips with. It will quite plausibly create entirely new markets for the sale of personal data by data subjects. Forward thinking organisations will evaluate how to position themselves to take advantage of the potential new markets and revenue opportunities that will flow from GDPR in the medium term. Hence, when planning your GDPR journey, we recommend taking three practical steps:
Step 1 – Set Up a GDPR programme to get started
- Set up a GDPR programme and team. Be careful not to treat GDPR as merely a short term compliance exercise. The project team’s objective and timeline should go beyond meeting the May 2018 deadline. Whilst identifying and fixing high priority issues needs to be a short term objective, the team should be tasked with assessing and evaluating the wider implications of GDPR for the organisation as a whole.
- Build awareness in your organisation. This can include a range of activities from workshops and conference calls for management to educational sessions and on-demand webinars for the wider organisation.
- Gaining C-level involvement and commitment is of course essential, as is starting the process of obtaining resources and budgets.
- Develop a knowledge base of GDPR including what it is, how it differs from existing data protection legislation in your jurisdiction and how in practical terms it will affect your organisation. GDPR is a long piece of legislation consisting of 99 articles. Some will affect your organisation more than others and indeed some not at all.
Step 2 – Identify high priority issues with a data health check and gap analysis
- The project team should start with a high level data health check and gap analysis based on the following steps: (1) develop a checklist of the requirements of each article; (2) define the evidence required to demonstrate fulfilment of each requirement; (3) decide who in the organisation owns the collection of each piece of evidence and ask them to provide feedback; and (4) develop a risk evaluation framework that establishes the gap between the GDPR requirements and the current as-is situation, and captures the risk level of each gap together with the effort and actions required to obtain the necessary evidence. This health check should be carried out in a reasonably short time frame such as 4 to 6 weeks. The timeline will depend on various factors, not least the size of your organisation.
- One of the high priority action items from the health check will be for your organisation to develop a Data Map and a Data Processing Register, both of which demonstrate and provide documented analysis of the following critical issues:
- What personal data your organisation holds
- Where the personal data physically resides, i.e. the locations of data centres
- What data processing activities your organisation conducts that include personal data
- How the data processing activities take place, i.e. how personal data flows between different locations, systems and entities to complete each step in a data processing activity
- Why the processing activity is taking place and the legal justification, as outlined in the GDPR, for each activity
- Developing a Data Map is a great starting point. Other workstreams can run in parallel, such as checking security measures and breach notification procedures, checking consent mechanisms, and many others.
- The result of the data health check will be a clear prioritisation of actions based on a risk evaluation, along with the estimated effort and time required to complete each action. It may in some instances not be feasible to complete some high risk actions by May 2018. These need to be flagged early, with documented consideration given to potential mitigating steps.
- The final output of the data health check will be to assign an owner to each action and set timelines. The project team then needs to manage the completion of the actions using standard project management tools to monitor and track progress.
Step 3 – Start planning for the long term implications
- Whilst identifying and fixing high priority issues may be the short term objective, the team needs to plan for medium term goals that extend beyond the May 2018 enforcement date.
- This will include setting up permanent governance and monitoring processes and procedures. The team will need to consider if supporting infrastructure is required and define options to embed it into the existing organisation.
- It will also be critical to carefully assess and evaluate the wider implications of GDPR for the organisation. This process may yield a variety of business implications that point to new business opportunities or raise fundamental strategic and business model questions.
- In particular the team should get to grips with the implications of data portability. This is a core GDPR concept. Article 20 says,
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance….”
- It is crucial for organisations to get familiar with the data portability concept which is also a central theme in PSD2 as well as the UK’s Open Banking initiative.
- The topic is not straightforward and raises various tricky issues about how it might be implemented in practice.
- The Article 29 Working Party guidelines on the right to data portability, published in December 2016, provide further guidance including examples such as: data held by a music streaming service; titles of books held by an online bookstore; data collected from a smart meter; emails held by an email service provider. So for example an online bookstore would be obliged to provide customers with tools enabling them to easily download their purchase history data.
- These are of course fairly basic examples, but they provide a conceptual framework that can be applied at a more granular level to specific use cases. Forward thinking organisations should be exploring how the concept of data portability will evolve and what the business implications are for them going forward. These may ultimately affect an organisation’s business model and strategy. Organisations need to be thinking about how to position themselves to take advantage of the potential new markets and revenue opportunities that may emerge from data portability.
- Our follow up article will examine this topic of data portability in more detail.
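As an added illustration of the bookstore example above (this is example code written for this article, not a tool from any regulator or vendor), the Python below builds an Article 20 style export for one customer. The Working Party guidance treats data the subject actively provided and data observed from their use of the service as ‘provided’, and excludes data the controller has inferred or derived, so the export keeps the first two kinds and withholds the third. The customer record, the field names, the ‘provided/observed/inferred’ tags and the format label are all constructed for the example and are assumptions, not a GDPR-defined vocabulary.

```python
import json
from datetime import datetime, timezone

# Constructed sample record for one data subject (not real data). Each field is
# tagged with how the controller obtained it. The tags are this example's own
# assumption about how a controller might classify its data, not a GDPR term.
CUSTOMER_RECORD = {
    "customer_id": "c-1001",
    "fields": {
        "name":             {"origin": "provided", "value": "A. Example"},
        "email":            {"origin": "provided", "value": "a.example@example.net"},
        "delivery_address": {"origin": "provided", "value": "1 Sample Street, Sampleton"},
        "purchase_history": {"origin": "observed", "value": [
            {"isbn": "978-0-00-000000-1", "title": "Sample Book One", "date": "2017-03-04"},
            {"isbn": "978-0-00-000000-2", "title": "Sample Book Two", "date": "2017-06-19"},
        ]},
        "search_history":   {"origin": "observed", "value": ["gdpr", "data portability"]},
        # Inferred by the controller's own analytics: not 'provided' by the subject.
        "affinity_segment": {"origin": "inferred", "value": "legal-professional"},
        "churn_score":      {"origin": "inferred", "value": 0.72},
    },
}

# Origins that fall within "data provided by the data subject" under the guidance.
PORTABLE_ORIGINS = {"provided", "observed"}


def build_portability_export(record, controller="Example Bookstore Ltd", now=None):
    """Return a JSON-serialisable dict containing only the provided and observed
    fields; inferred fields are listed by name but their values are withheld."""
    now = now or datetime.now(timezone.utc)
    data, withheld = {}, []
    for field_name, entry in record["fields"].items():
        if entry["origin"] in PORTABLE_ORIGINS:
            data[field_name] = entry["value"]
        else:
            withheld.append(field_name)
    return {
        "format": "gdpr-article-20-export/1",   # assumed label for this example
        "controller": controller,
        "data_subject_id": record["customer_id"],
        "generated_at": now.isoformat(),
        "data": data,
        "withheld_as_inferred": sorted(withheld),
    }


def serialise_export(export):
    """Serialise deterministically (sorted keys, UTF-8 preserved) so the subject,
    or a receiving controller, can parse the file with any JSON library."""
    return json.dumps(export, indent=2, sort_keys=True, ensure_ascii=False)


def export_is_well_formed(text, record):
    """Parse the export back and check that every portable field is present,
    no inferred field leaked into the data section, and the subject id matches."""
    parsed = json.loads(text)
    for name, entry in record["fields"].items():
        portable = entry["origin"] in PORTABLE_ORIGINS
        if portable and name not in parsed["data"]:
            return False
        if not portable and name in parsed["data"]:
            return False
    return parsed["data_subject_id"] == record["customer_id"]


if __name__ == "__main__":
    export = build_portability_export(CUSTOMER_RECORD)
    text = serialise_export(export)
    print(text)
    print("well-formed:", export_is_well_formed(text, CUSTOMER_RECORD))
```

Two practical points follow from the code. First, the classification of each field has to be decided and documented up front (it belongs in the Data Processing Register), because the export logic can only be as correct as those tags. Second, an export like this is a complete dump of one person’s data, so the endpoint that produces it must authenticate the requester at least as strongly as the account itself and must log each request; a portability feature that can be triggered from a weakly verified session is an account takeover prize.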