Published on July 11, 2016
1. General Data Protection Regulations: The Key Changes Craig Clark Information Security & Compliance Manager
2. Topics • What is the GDPR? • European Law • Key Dates for the GDPR • Key changes from Data Protection Act - Harmonisation - Enforcement - Off Shore Processing - Governance - One Stop Shop - Consent - Transparency - Data Portability - Data Processors • Next Steps
3. What is the GDPR? • A complete overhaul of data protection regulation with extensive updates of what can be considered identifiable information • Applies across all member states of the European Union • Applies to all organisations processing the data of EU data subjects –wherever the organisation is geographically based • Specific and significant rights for data subjects to seek compensation, rights to erasure and accurate representation • Compensation can be sought against organisations and individuals employed by them • Fines of up €20,000,00 or 4% global annual turnover • Significant reduction in that amount based on the implementation of technical, or organisational controls implemented
4. European Law Landscape EU Legislation can be separated into two main branches: Directives • Require individual implementation in each Member State (Each State can implement rules in their own way) • Implemented by the creation of national laws approved by the parliaments of each Member State • European Directive 95/46/EC is a Directive • Sets out a goal that a member state must achieve –room for tailoring • UK Data Protection Act 1998
5. European Law Landscape EU Legislation can be separated into two main branches: Regulations: • Immediately applicable in each Member State in a uniform manner • Binding legislative Act • Require no local implementing legislation – no tailoring • EU GDPR is a Regulation • Regulations are not negotiable by member states • Regulations may apply to countries outside the EU if they affect EU subjects (people who are originally from the EU)
6. Key Dates for GDPR 8 April 2016 the European Council adopted the Regulation. 14 April 2016 the Regulation was adopted by the European Parliament. 4 May 2016, the official text of the Regulation was published in the EU Official Journal in all the official languages. The Regulation entered into force on 24 May 2016, and applies from 25 May 2018. This Regulation shall be binding in its entirety and directly applicable in all Member States.
7. GDPR Structure European Data Protection Board Lead Supervising Authority (Information Commissioners Office) Data Processor Data Controller (Organisation) Data Subject (Individuals) 3rd Countries 3rd Party
8. GDPR Structure • The European Data Protection Board will issue guidance for controllers and processors • They will facilitate the use of Data Protection Impact Assessments • The ICO will oversee both Data Controllers and Data Processors • Breaches and Notifications will be made to the ICO • 3rd Countries – countries to which data is transferred • At the centre of the GDPR is the protection of Personally Identifiable Information
9. Key Changes Between DPA and GDPR Harmonisation Across Member States: • Adoption of a single set of rules on data protection, directly applicable in all EU Member States: Even if the UK leave the EU the GDPR will apply for all EU Data Subjects • Each Member State has previously implemented data protection laws locally which transpose the EU Data Protection Directive leading to fragmentation in terms of compliance requirements across Member States. • The GDPR is intended to adopt a harmonised approach to compliance across all Member States by implementing legislation that will be directly applicable in all 28 Member States. There will be no opportunity for local transposition.
10. Key Changes Between DPA and GDPR Enforcement: • A revised enforcement regime underpinned by power for supervising authorities to levy heavy financial sanctions of up to 4% of the annual worldwide turnover of the organisation or €20 Million, whichever is greater. • Fines are designed to be effective and dissuasive and ensure that which will non compliance is considered a significant risk for businesses. • Supervisory authorities will have the power to impose these sanctions from where the data subject habitually resides or in the territory that the breach occurs. These changes will significantly increase the risk associated with privacy non-compliance.
11. Key Changes Between DPA and GDPR Off Shore Processing: • Application of the GDPR to companies established outside the EU, if they target EU citizens e.g. international students. • The new rules have a broader territorial scope since they apply to non- EU established companies targeting the EU market by either offering their goods or services to EU citizens or by monitoring their behaviour. • Currently, EU Data Protection legislation only applies to non-EU established controllers if they make use of equipment on EU territory for the purposes of processing personal data, and to processing taking place in the EU.
12. Key Changes Between DPA and GDPR Governance: Area of major change • Increased responsibility and accountability on organisations to manage how they control and process personal data. • Controllers must ensure all personal data is processed in compliance with the Regulation and be able to demonstrate compliance to a supervisory authority if requested. • There is now a requirement to keep extensive and detailed records of processing operations. • Organisations must perform Data Privacy Assessments for all high risk activities. • A Data Protection Officer must be formally appointed and recognised with a number of stipulations added for ensuring impartiality.
13. Key Changes Between DPA and GDPR Governance Continued: • When notifying the regulator of data breaches, Controllers will be required to notify the Information Commissioners Office, and in some cases the data subjects involved of significant data breaches within 72 Hours. • Privacy by design - taking privacy risk into account throughout the process of designing a new product or service, rather than treating it as an afterthought. Now required to assess and implement appropriate technical and organisational measures and procedures from the outset to ensure that processing complies with the Regulation and protects the rights of the data subjects. • Privacy by default - ensuring mechanisms are applied retrospectively to ensure that, by default, only as much personal data is collected, used and retained for each processing task, both in terms of the amount of data collated and time for which it is kept.
14. Key Changes Between DPA and GDPR One Stop Shop: • Ability to nominate a single national data protection authority as the lead regulator for all compliance issues in the EU, where the organisation has multiple points of presence across the EU
15. Key Changes Between DPA and GDPR Consent: Area of major change • The DPA allows a controller to lawfully process data with the "consent" of the data subject. Consent can be either express or implied consent - or where the processing is necessary for the "legitimate interests" of the controller in circumstances that do not cause undue prejudice to the individual. • GDPR redefines consent. Now, consent must be freely given, specific, informed and unambiguous. Implied consent, (e.g., by just staying on a website or not responding to a request) will not be sufficient.
16. Key Changes Between DPA and GDPR Consent Continued: • Requiring consent from an end user in order to give that person access to a service, where these personal data are not necessary to perform the contract, will no longer be allowed. • Controllers will be expected to provide much more consideration in their working practices as to what the data subject would like and expect their data to be used for. • Consent can be withdrawn any time, and as easy to withdraw consent as give it • Data subject must give consent for specific purposes - blanket consent no longer allowed –This has significant implications in information sharing, processing and retention • One month to respond to subject access and no charges can be applied • Must be able to supply evidence that consent for each specific purpose was given
17. Key Changes Between DPA and GDPR Transparency: • Any communications with a data subject must be concise, transparent, intelligible • Controller must be transparent in providing information about itself and the purposes of the processing • Controller must provide data subject with information about their rights. • Policies must explain to data subjects both how their personal data will be processed and what their individual rights are and how they may be exercised. • This must be provided in an intelligible form, using clear and plain language that will be understood by the target audience.
18. Key Changes Between DPA and GDPR Data Portability: • The Regulation introduces a new right to data portability, which grants data subjects the right to receive personal data concerning him or her, which he or she has provided to a controller, in a structured and commonly used and machine-readable format. • The data subject is also entitled to have the data transmitted directly from one controller to another, where this is technically feasible. • A statutory "right to be forgotten" has been included which will allow individuals the right to require a controller to delete data files relating to them if there are no legitimate grounds for retaining it – including when a subject has withdrawn consent.
19. Key Changes Between DPA and GDPR Data Processors: • The GDPR directly regulates Data Processors • Processors will be required to comply with a number of specific obligations, including to maintain adequate documentation, implement appropriate security standards, carry out routine data protection impact assessments, appoint a data protection officer, comply with rules on international data transfers and cooperate with national supervisory authorities. • Processors will be liable to sanctions at the same level as controllers if they fail to meet these criteria. • Information Sharing Agreements will help ensure that Controllers give clear instructions to processors on how they expect and require their data to be handled.
20. Next Steps • Meet with top management and form a Working Group to ensure that compliance with GDPR before it is enforced. • Follow the ICO’s ‘12 Point Plan’ for actions to take prior to introduction. • Obtain specialist knowledge in the implementation of changes required and ongoing compliance with GDPR. • ITIBGQ offer Foundation and Practitioner certification in EU GDPR – in my view these certifications are essential for Information Security managers so that they can provide the skills and advice required to ensure compliance.