By Chris Ince, Information Security Consultant
“The processing of personal data should be designed to serve mankind.” (Council of the European Union, 2015)
On 8th December the European Parliament, Council and Commission (the trilogue) agreed the text for the new General Data Protection Regulation. Although there are still some additional bodies that have to provide their approval, the path to full implementation across all 28 member states in 2018 has really begun.
For those of you who have allowed this to slip under the radar, the General Data Protection Regulation will replace the current EU Data Protection Directive. Because it is being implemented as a regulation rather than a directive, it will also replace any local laws across all 28 member states without having to go through any local legislative process.
The GDPR is billed as strengthening individuals’ data protection rights, giving Europeans a greater say in how their data is used — as well as seeking to streamline some elements of compliance for businesses.
Within the GDPR existing rights are not majorly extended but they are clarified:
- The right to be provided with fair processing information will be expanded. At a basic level the data controller will need to provide more detailed information, such as the source of the data and the retention period (why would you not be doing this already?). In addition, the GDPR requires this information to be provided in an intelligible form, using clear and plain language that is adapted for the individual (again, why would you not be doing this already?). If you are subject to laws on equality this requirement will present you with little challenge. Minor tweaking will be needed, with small adjustments to the language used depending on whether the information is aimed at children or adults.
- Regarding the right of access, under the GDPR proposals, data controllers will be required to provide additional information to individuals (e.g. storage period of the data). The new requirements will be somewhat more burdensome for businesses – in particular, businesses will need to set up a specific process in order to deal with access requests. Unless the request is “manifestly excessive”, data controllers will in principle be obliged to provide the information free of charge (say goodbye to the £10 fee).
- The rectification right is mostly the same and the changes will have very limited practical impact.
- More significantly, the right to object is now broader as, when the processing is based on the legitimate interests of the controller or is undertaken for direct marketing purposes, the individual can object without having to provide specific justifications.
- The right to be forgotten applies where the retention of such data is not in compliance with this Regulation or with Union or Member State law to which the controller is subject. This could cover instances where consent to process data was given as a child but the individual was not fully aware of the implications of such processing. Removing such data could prove difficult for most organisations if they hold no register of information assets. Certainly for online processors there is an expectation that you take reasonable measures to remove data from other processors. Your responsibility does not end with your copy of the data.
- The right of data portability has been created in order to improve the interoperability of data processing. It will however place a heavy burden on the data controller as it imposes a requirement to provide personal data to the data subject in a commonly used format. It will not be enforced on processors that process personal data for compliance with legal requirements, or process it in the public interest, or in the exercise of an official authority vested in the controller.
In simple terms:
- All businesses will have to update and revamp their privacy policies and data protection notices to make sure that the extended rights are properly addressed. Businesses should check that the data protection notices that they provide to individuals contain all the required information and that it is accessible and tailored to the data subject’s needs.
- Businesses will need to assess whether they should put in place new or updated processes and procedures to deal with the practical implications of the extended rights, e.g. a specific data procedure for dealing with access requests.
- The right to be forgotten and the right of portability will almost certainly require changes to organisations’ operational processes and IT systems. In simplistic terms you really must get a handle on what personal data you have, where it is and if you provide it to any secondary processors. How do you ensure you can provide it to a data subject or ensure you fully remove it from your system and other processors remove it from theirs?