Whether you're new to GDPR or you've been working with data privacy for a while, it's important to understand the basics of what it is and why it's needed in the first place. The basic question for many people is, "what is GDPR?".
As this term is the number one searched term related to data protection on Google, I thought this relatively short primer may help clear things up. I'll preface this article by saying it's high level and does not cover all the implications and rules associated with GDPR. I also delve into the Irish and UK data protection acts of 2018 in an effort to compare and contrast key differences.
GDPR, the General Data Protection Regulation, came into effect in May 2018 as a successor to the Data Protection Directive of 1995. The intention of the regulations was to create one set of rules for all EU states to follow when protecting personal data.
The general data protection regulations are mandatory, as opposed to the data protection act, which was a voluntary code of conduct. GDPR identifies three main parties in the data protection chain: the data controller, the data processor and the data subject (individual or customer), which I'll explain shortly.
Why GDPR came into being?
At a simple level, the rules came into place as a result of the age of big data and the internet, and revelations about how our personal data was being misused.
It's widely believed that the revelations of Edward Snowden around US government mass surveillance programs (PRISM & UPSTREAM) of US citizens, which inadvertently collected EU citizen data, triggered alarm bells in Europe and pushed the issue of data protection to the fore.
Another major case recorded was Max Schrems vs Facebook Ireland in 2013, an action which Schrems won. The issue at hand was Facebook's failure to get his consent to transfer his personal data from Austria (where he resides) to the US. This of course had larger ramifications for all EU citizen data and how it was automatically transferred outside the EU without knowledge or proper supervision, and subject to possible surveillance by US intelligence agencies (e.g. the NSA).
Other case history contributed to individual sub-rules within GDPR coming into effect. Rules like the 'Right to be forgotten' clause stemmed from a 2010 case where Mario Costeja González took an action against Google Spain to have derogatory data removed from Google search results. González also won that case.
The last case I'll mention involves Facebook and Cambridge Analytica in the 2016 Trump campaign era. Cambridge Analytica was allowed access to the Facebook Developer platform, allowing them to gather personal information on millions of citizens that could be used in advertising for the purpose of electing Trump. This information was later used to target individuals for campaign purposes without consent.
Regulators in the EU took a look at these cases and abuses by ad-tech firms and other data brokers (see "how you are targeted by data brokers") and called time on the behaviour, which led to GDPR coming into force.
What is personal data anyway?
Personal data, sometimes referred to as PII or personally identifiable information, is data which can be used to uniquely identify a person, such as name, address, social insurance number and driver's licence, amongst others. The official list for GDPR is published on the European Commission website.
Within PII is an even more specialised category called sensitive personal data, which covers attributes such as religion, race, genetic data, trade union membership and information about minors. Adjacent to PII is the term PHI, personal health information, which is used in HIPAA regulations; in practice PHI and sensitive health PII are used interchangeably in many instances.
What are data controllers, processors and subjects?
Data controllers are generally organisations who record your data first and are legally responsible for how it's used and protected. For instance, an insurer who takes your details online or via phone to issue you with a policy would likely be the data controller for your personal data.
When that insurer forwards your data to an underwriter for approval, the underwriter would likely be the processor, handling the data at the request of the controller. Lastly, the data subject is the customer for whom the data is being recorded, or the insured party in the example above.
What are the key principles of GDPR?
This is the main part of our topic and thus deserves the most attention. The regulations are expansive, with at least 99 articles in the final text and quite dense legal rules cited in the original text. But they are roughly broken into two perspectives: the rights of customers (or data subjects) and the expectations placed on the companies that use their data. In this way, the rules are a reference point for customers and for companies.
The key parts of the regulations cover data subject rights, consent, data safeguards (security), complaint mechanisms and fines.
So, from the perspective of the data subject, when we talk about subject rights or individual rights, the main rights GDPR refers to are the following:
– Right to be informed about how and for what purpose their data is being used
– Right to request a copy of their data (usually within 28 days)
– Right to have their data erased known as a ‘right to be forgotten’
– Right to have their data rectified
– Right to have their data moved (data portability)
These rights are combined with the principle of consent as to how their data is used, and the right to withdraw consent at any time. This means that customers must be given clear information on how their data is processed, with an option to withdraw consent at any time for how it's used.
Individuals have a channel for complaints through the Data Protection Commission (dataprotection.ie) and the Information Commissioner's Office (NI/UK, ico.org.uk). These authorities regularly send out notices of enforcement and publish adjudications on their websites. From what we see, many complaints relate to data subject access requests (DSARs) not being provided in a timely manner, confidential data being sent to the wrong address, persistent marketing even after requests to stop have been filed, and some wrongful termination actions where CCTV or weak employee monitoring policies were in question.
This leads us nicely into fines. Technically speaking, fines can be up to €20 million or 4% of a firm's annual turnover, whichever amount is higher. In practice, fines, if they happen at all, are usually in the tens of thousands range, e.g. DPC vs TUSLA (75k). ICO fines in the UK tend to go higher, as noted with the Marriott and BA fines in the millions. You can read more about those cases on the ICO website.
From the perspective of the company, or data controller as they are usually referred to, there are even more areas to consider with GDPR. To condense this down, companies are expected to:
– Have a legal basis for using data in the first place (e.g. in performance of creating an insurance policy / contract)
– Minimise the amount of data collected, the purpose it's used for and the length of time it's retained
– Have security safeguards in place that protect customer data held on systems, such as encryption, two-factor authentication, strong passwords and anonymisation/pseudonymisation of data
– Notify the Data Protection Commission (Ireland) / Information Commissioner's Office (UK) within 72 hours when there is a suspected data breach. They are also expected to notify individuals directly in cases where a personal data breach is suspected. The rules define a personal data breach as one that may affect the rights and freedoms of the individual.
– Hire a data protection officer if they are public authorities, are profiling customers in a significant way, or are handling sensitive personal data such as medical records. In practice, many firms are increasingly expected to hire data protection officers in any instance if they are handling data on thousands of customers.
– Conduct privacy impact assessments on high-risk data and have contractual agreements in place with third parties (processors) and for international transfers of data outside the EEA.
There are many more responsibilities for firms, such as ensuring privacy by design when developing in-house processes and procedures, mapping out where customer data is held in the organisation, staff privacy training, privacy policies, processor agreements and general documentation such as keeping a record of processing activities.
In essence, there is a high bar for companies to maintain in managing their data privacy programs, and most report the documentation burden, finding resources and keeping up with the rules as major problems.
What about the Data Protection Acts?
There's a bit of confusion here, as there are two Data Protection Acts of 2018: an Irish one and a UK version. In both cases they are a customisation of the data protection rules to the respective jurisdictions, which is allowed under GDPR.
The Irish Data Protection Act of 2018 lays out more specifically how GDPR is applied in the Republic of Ireland and the powers of the Irish Data Protection Commissioner. It sets a specific mandate for the Irish DPC in terms of enforcement: how they can access and search premises, their right to conduct audits, section 110 statutory inquiries and the right to require companies to disclose data breaches. Last year the DPC oversaw 5,496 complaints and managed 70 statutory inquiries, as per their annual report.
In addition, the Irish act restricts the rights of an individual somewhat when making a data subject access request. Specifically, an individual may be refused access to data about them where legal claim proceedings are underway or where legal advice may have been given (attorney-client privilege). There may also be grounds for not releasing information when a confidentiality agreement is in place or when the data concerns criminal convictions.
On the UK Data Protection Act side, there are a number of deviations from GDPR. The ICO lays it out at a high level: the DPA 2018 sets out the data protection framework in the UK, alongside the GDPR. It contains four separate data protection regimes:
– Part 2 Chapter 2 (GDPR): supplements and tailors the GDPR;
– Part 2 Chapter 3 (applied GDPR): extends a modified GDPR to some other (rare) cases;
– Part 3: sets out a separate regime for law enforcement authorities; and
– Part 4: sets out a separate regime for the three intelligence services.
A summary of some differences is listed below. It is by no means exhaustive and is derived from various websites reporting on key differences.
– GDPR states that a child can consent to data processing at age 16, whilst the DPA sets this at 13.
– GDPR requires those processing criminal data to have official authority; the DPA does not.
– GDPR states that data subjects have a right not to be subject to automated decision making or profiling, whereas the DPA allows for this whenever there are legitimate grounds for doing so and safeguards are in place to protect individual rights and freedoms.
– GDPR ensures that all data subjects have rights in relation to the processing of their personal data. The DPA allows these rights to be set aside if compliance with them would seriously impact an organisation's ability to carry out its functions when processing data for scientific, historical, statistical and archiving purposes.
– GDPR gives Member States scope to balance the right to privacy with the right to freedom of expression and information. The DPA provides an exemption from certain requirements of personal data protection in respect of personal data processed for publication in the public interest.
The UK DPA is wider in scope than the GDPR, covering:
– Criminal sanctions and fines for GDPR infringements (for example the introduction of an unlimited fine for the new offence of intentionally or recklessly re-identifying individuals from anonymised data)
– Processing relating to areas outside the scope of EU law (and the GDPR), such as national security and immigration
– Transposition of the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into UK law
– The role and powers of the UK's independent authority (the ICO) in upholding information rights and freedoms
In the criminal data context, the major difference between this section and the GDPR is that the requirement to process personal data transparently has been removed (to prevent any prejudice to a criminal investigation).
While this is only a snapshot of the governing rules of GDPR and the associated Irish and UK data protection acts, I hope that it sheds some light on a complex area. There are many sources out there for information, and a good place to start are the data protection authority (DPA) websites (ICO / dataprotection.ie), the European Commission's online data protection reference section and the official textbook for the CIPP/E, which features on the IAPP.org website.
Pay attention to the enforcement notices and annual reports sections on the DPA websites to get a feel for where companies are falling afoul of the regulations. These are the real-world scenarios to be worried about if you're a data privacy practitioner.