Data Protection Regulation


It was quite a delightful start to the day to find the news on the agreement of the new EU Data Protection Regulation (GDPR). Clearly it is not complete yet with all the legal text, but end of January 2016 is realistic!

I thought to discuss some of the main points that are getting most publicity in the press…

Fines 4% of global sales

Companies that don’t abide by the rules will potentially face fines up to 4% of global turnover (sales). Clearly from a privacy advocate and privacy professional perspective this is good news.

The new data protection laws are graced with a strong set of teeth.

However, putting on my business hat, the way fines are calculated is not fair to those companies that operate on low margins, versus those that operate on high margins, because the fine is aligned to sales, not to profits. I am not sure whether, when it states ‘up to 4%’ of global turnover, that means each company will be treated based upon the nature of their business, i.e. low margins pay 1%. If this is the case, criteria must be defined over the next 2 years to be able to do this in order to achieve consistency across member states.

Regardless, whichever camp your business is sitting in, a fine of this nature from the data protection commission is going to hurt!

Shared liability

If you are a data processor and not a controller today, you are blessed with immunity. Once the law becomes effective you will have joint liability with the data controller. So if they do their job badly, your business will suffer.

What I see happening is the implementation of a new type of Privacy Level Agreement (PLA) that works in the direction from the processor to the controller. After all, data controllers have already covered their liability in the form of SLAs that include protection of personal data aligned with existing data protection laws by jurisdiction, but there is no protection today to protect processors from incompetence of the data controller.

The right to be forgotten

Now this has been around in the Directive since 1995. This is the right for data subjects to have their personal data corrected if inaccurate, and it expands their right to remove irrelevant or outdated information. So if this is nothing new, why all the fuss? Well, I don’t think many member states, if any at all, have implemented it in their national data protection laws. This is certainly the case in Sweden.

Hence if they don’t already have the mechanisms, companies will need to have the processes and security mechanisms implemented to be able to deal with requests from data subjects. This includes validating that they are who they say they are when a request is made pertaining to personal data. Those online services giving direct access to personal data, i.e. via web or app within the service, have a clear advantage, e.g. Facebook, Amazon, etc.; many are getting to grips with the security of user access, even offering 2-factor authentication.

Parental consent for minors

The new regulation includes extra protections for minors, i.e. children under 16 years old (with option for member states to reduce to 13 yrs). Parental ‘explicit’ consent is required for the collection of personal data of minors. There are some rather bad posts and publicity concerning this new provision, which are unfounded. There has been a law in the US protecting personal data of minors (under 13 years) that has been in force since 1998! So why did we in the EU take so long should be the question. Clearly there are some practicalities here, many due to the fact we didn’t do something earlier. In any case we can look to the US for some guidance here.

‘Unambiguous’ consent

This is the one I have the main problem with. My vote was with ‘explicit’ consent required from the data subject on the collection, processing and sharing of personal data. An example of ‘explicit’ consent is a ‘tick-box’ on a form on a web-page saying you agree to the privacy policy. ‘Implicit’ can be implied by behavior, e.g. continued use of a service.

Now ‘unambiguous’ is in-between ‘implicit’ and ‘explicit’. I can’t actually find a clear definition of what this actually is! So I really don’t like this ‘half-way house’ approach.

Data Protection Officer (DPO)

It has been decided that all large companies must have a DPO. This job has been defined as mandatory, except for small and medium sized companies, unless data processing is core to their business.

In fact, when you look at the penalties for non-compliance, it is probably prudent to have some form of DPO, even if you are not large. One of the aspects that was in the 2012 version was some form of ‘independent’ function. I expect a new market offering DPO timeshares to pop up to fill this market.

Is there more?

Yes loads, so watch this space, I don’t want to overload you with too much in one go 😉

There’s starting to be a bit of a flurry here in Sweden with the upcoming new Regulation.

One of the communications I received last week was concerning the fact that here in Sweden our personal data, including our ID, is considered public information. This will not be the case once the Regulation comes into effect. What I find funny (you know the funny, not-so-funny British humour ;-)) is that those I talk to here think this is new in the Regulation, but it’s not. It is included in the Directive of today, just not implemented as law here in Sweden.

This is going to require significant work to get compliance in Sweden, especially the way our personal data is sold with the use of ‘utgivningsbevis’ without the consent of the data subject. In fact it is impossible for data subjects in Sweden to remove their personal data from public viewing!

Hurry up new Regulation so I can get my personal data removed from ratsit.se, birthdays.se and hitta.se… just to name a few!

Here is the article from the Register. Well, I’m tempted to set up a lobby to lobby the lobbyists…