Monthly Archives: September 2016

Data Loss, Data Protection, GDPR, Personal Information

GDPR – Nothing to do with us; UK is leaving the European Union, so we don’t need to do anything.

screen-shot-2016-09-13-at-11-40-12

(GDPR – General Data Protection Regulations 2016)

Bit of history to put things into perspective, in 1950, the Council of Europe created an international treaty to protect human rights and fundamental freedoms in Europe. Article 8 provides a right to respect for one’s “private and family life, his home and his correspondence”. The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data was published in 1980, this defined the data controller and personal information. A year later EU Treaty 108 was drafted which which espouses the Eight principles for protecting personal data. There are many other notable Acts of Parliament, including the Data Protection Act 1984 and Computer Misuse Act 1990. Let’s get to the present day.

GDPR is the culmination of efforts to update the EU Data Protection Directive, 95/46/EC that was ratified in 1995.

There are 99 articles and hundreds of recitals in the GDPR. I’ll present that in a GAP analysis in the future.

Bottomline

The Good news

  • The underlying reasons for having the GDPR hasn’t changed from the EU Data Protection Directive of 1995, the tenets are broadly the same.
  • Lawful processing, accuracy, appropriate technical controls etc still form the core of the GDPR.

However, as always, the devil’s in the details.

What has changed ..?

The reach of the new regulation is significantly extended.

The potential penalties are designed to be “effective, proportionate and dissuasive”. Based on a two-tier basis of 2%/4% of global turnover or 10m/20m Euros, whichever is greater.

Data Protection breaches will be taken more seriously.

Transparency. Accountability. Consent. Portability.
Breach notification. Certification. Data Protection Officer. Privacy by design.

Using tricks to opt people in will regarded in a negative light and is not in line with transparency.

The C suite will be accountable for Data Protection, not something which is loosely delegated to someone in IT.

Personal Data Breaches, the ICO must be notified within 72 hours.

Data Controllers must implement data portability in a commonly used format.

A Simple Checklist

  • Does your business collect, store or process personal data (anything that identifies an individual of the EU) ?
    (That includes customer lists, membership details, medical records, delivery addresses, cookies and other identifying markers)
  • Does your business have customers in any EU state ?
  • Does your business intend to retain or gain new customers in any EU state after Brexit ?
  • Does your business intend to partner with EU entities that serve EU customers between now and Brexit ?
  • Does your business intend to partner with EU entities that serve EU customers after Brexit ?

A “Yes” or may be means that your organisation will be better placed if it aligns it’s governance and policies soon, as it is likely to take time to adopt and implement.

This is not an IT exercise – this needs to be owned at C or board level and this must be demonstrable.

Also, don’t forget that the UK is still in the EU and it will take a minimum of 2 years for Brexit to complete, which takes us into 2019, a year after GDPR is in effect.

For non-UK readers (and companies), there are no geo-boundaries to this. Your company may be based in South Africa, but if you have EU customers (non-company), you need to comply.

Some questions that need to be addressed
Will the UK retain the GDPR after Brexit ? If it doesn’t, the UK will need introduce something broadly similar if she intends to trade with the remaining EU members. Which requires time and money.

My money is on the UK adopting the GDPR and applying some judicious derogations, enough to gain some flexibility, but retain compatibility.

On a similar vein, keep any eye on how the issue with US Safe Harbor/ Privacy Shield and Ireland Data Protection challenge of model contract clauses plays out in the near future.

screen-shot-2016-09-13-at-11-42-40

Further reading

http://ec.europa.eu/justice/data-protection/reform/index_en.htm

https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

http://www.twobirds.com/en/practice-areas/privacy-and-data-protection/eu-framework-revision