Due to be enforced from 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) will require all data controllers and processors that handle the personal information of EU residents to “implement appropriate technical and organisational measures […] to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services” or face fines of up to €20 million or 4% of annual global turnover – whichever is the greater.
The GDPR is the latest step in the ongoing global recognition of the value and importance of personal information. Although the information economy has existed for some time, the real value of personal data has only become more recently evident. Cyber theft of personal data exposes EU citizens to significant personal risks. Big data analysis techniques enable organisations to track and predict individual behaviour, and can be deployed in automated decision-making. The combination of all these issues, together with the continuing advance of technology and concerns about the misuse of personal data by governments and corporations, has resulted in a new law passed by the EU to clarify the data rights of EU citizens and to ensure an appropriate level of EU-wide protection for personal data.
The GDPR applies across all the Member States of the EU but its reach is far wider: any organisation anywhere in the world that provides services into the EU that involve processing personal data will have to comply. This means that the GDPR is probably now the most significant data security law in the world. While it builds on the work of the EU’s Data Protection Directive (DPD), the US’s HIPAA and various other data protection regimes, the GDPR can be regarded as a distillation and comprehensive update of the EU’s goals in protecting the rights and freedoms of the people who live within it.
The purpose of the GDPR
The DPD (Data Protection Directive) has been in place for twenty years; it sets a minimum standard for data protection law in EU Member States. Many states have gone significantly further in terms of legislating to protect personally identifiable information (PII), and this has made it increasingly difficult for EU citizens to know how their rights are protected across the EU and for organisations to determine which set of laws they should comply with, particularly when trading across multiple Member States.
The EU Commission therefore decided that a single, unified law would be a more effective way of achieving two key goals:
- Protecting the rights, privacy and freedoms of natural persons in the EU.
- Reducing barriers to business by facilitating the free movement of data throughout the EU.
In terms of EU legislation, a regulation is quite distinct from a directive, which is how data protection was previously handled under the DPD. While directives set minimum standards and then ask EU Member States to provide their own legislation to meet those standards, regulations exist as laws themselves, superseding any relevant laws passed by Member States.
While Member States are allowed to apply directives in whatever way suits each member, a regulation is applied consistently in all Member States. If there is room for local variations, it is specifically identified in the text of the regulation. Regulations are, therefore, an effective mechanism for applying a consistent approach across 350 million people in 28 Member States – and often beyond.
Structure of the Regulation
Appendix 1 of this manual provides a breakdown of the overall structure of the Regulation. The regulation itself can be downloaded, in all the official languages of the EU, from http://data.consilium.europa.eu/doc/document/ST-5419-2016-REV-1/en/pdf. There is also a pocket guide to the EU GDPR, available from IT Governance Publishing¹, which gives an overview of the legislation.
The GDPR is divided into two broad sections, which is standard for EU directives and regulations. The first section comprises the recitals. The recitals essentially provide context, direction and guidance so that the later explicit requirements can be better understood.
The second part of the Regulation comprises the articles. The articles set out the specific requirements with which those entities within the scope of the regulation have to comply. Not every article in the GDPR applies to every organisation – given that some articles are relevant only to the Commission, the Board or the supervisory authorities, it may actually be impossible for every article to apply to a single organisation. In many cases, only a few articles may be completely relevant.
In broad terms, Chapters VI, VII, X and XI of the GDPR talk primarily about the Commission and the supervisory authorities so, if you are using this manual to plan your GDPR compliance programme, you may not need to give extensive attention to those sections.
Impact on the EU
As an EU regulation, the GDPR operates above the level of other Member State laws. It cannot be simply overturned or repealed by a single government or nation, nor can those governments or nations modify the legislated requirements to make compliance simpler or less effective. This is because it has already been agreed by representatives from all Member States through the standard EU legislative process.
The GDPR asserts a number of rights for individuals in relation to their personal data, and these rights are set out in Chapter III of the Regulation. The protection of these rights naturally results in a number of obligations on the part of the organisations that collect, store and process that personal data. Data collectors and processors have to act in accordance with the GDPR in order to ensure that the fundamental data rights of individuals are protected. This is not a simple “if A then B” law, of course, and there are various conditions that protect businesses’ rights to do business, as well as protecting public authorities’ ability to serve the public.
On one hand, the Regulation appears to be disruptive. Every organisation in the EU has to comply with the law and that means they will all need to review the impact of the Regulation on their operations to determine what changes have to be made and the extent to which spending on compliance needs to be increased; there will have to be significant changes to how most organisations collect, process and store personal data; and the GDPR is, of course, bolstered by the threat of punitive and “dissuasive” administrative fines. On the other hand, the Regulation is trying to tread a fine line between protecting the rights of the individual and removing barriers to the “free movement of personal data within the internal market”. In other words, while the GDPR sets out specific restrictions on the use and storage of personal data, it does so in order to preserve the interests both of the EU’s residents and the organisations that do business within it.
Organisations that act quickly to ensure compliance with the Regulation will be those that thrive in the evolving regulatory environment. Equally, some organisations will be able to make significant process improvements: with standardised requirements for data protection, organisations can streamline their processes – particularly for pan-EU and Internet services operations – and significantly improve efficiency.
Implementing the GDPR
The prerequisites for implementing a complex compliance framework are knowledge and competence; the IBITGQ (www.ibitgq.com) Certified EU GDPR Foundation and Practitioner qualifications are designed so that individuals can gain the skills and competence they need. This manual, the primary purpose of which is to help organisations tackle the GDPR, is also the textbook for the IBITGQ EU GDPR Practitioner qualification.
This manual explains how to achieve compliance with the Regulation and how to do so while minimising the impact of the necessary changes. In any compliance project, there are many instances where organisational processes must be structured to meet legal or regulatory requirements, and it is important to ensure that your organisation is able to do this cost-effectively and efficiently.
It is also important to understand that the GDPR will apply in varying measures to organisations outside the EU. Much as you are expected to abide by the laws of any country you live in, non-EU organisations that provide services into the EU, where those services involve processing personal data, will also need to abide by the Regulation. While compliance with the Regulation may be difficult for some organisations – typically smaller ones that have no other interest in the EU – simple supply-chain forces and the explicit GDPR requirements around extra-territorial data processing will put compliance pressure on organisations that want to do business within the EU.
In fact, the only real way to avoid complying with the GDPR will be to avoid doing business with the EU entirely. Given that the EU is the largest trading bloc in the world, this would be impractical for any organisation that wants to take advantage of the Internet or works with modern global markets and supply chains.
This book does not lay out a one-size-fits-all framework for achieving GDPR compliance. Organisations operate in different ways, with different partners and suppliers, different business objectives and a variety of business models, and no single compliance framework is likely to work – or even be suitable as a general approach – for all organisations in all parts of Europe or the world. Rather, this book provides information about the features of a compliance framework that are known to work in many organisations and which reflect the GDPR requirements. The manual identifies the specific requirements of the GDPR and provides analysis and recommendations for pragmatically and effectively achieving compliance.
Readers should, however, note that this manual does not cover every possible situation in which the GDPR might apply, nor does it deal with the compliance requirements in every sector and industry. It instead focuses on the core activities and issues that most GDPR compliance projects are going to have to face, and provides advice and guidance that is broadly applicable in most – but not all – circumstances.
Finally, it should be noted that this is a manual for implementing a GDPR compliance framework in an organisation; it is explicitly not a legal compliance manual, and you will need specific legal advice on aspects of the GDPR, particularly in relation to contracts and other legal statements. Your legal advisers have an important role to play in your GDPR project, but most lawyers are not experts on cyber security, information assurance or business continuity, nor do they usually have expertise in organisational management. Direct their services to where they add the most value to your GDPR compliance project, and remember that GDPR compliance is much bigger and more important than legal documentation: the GDPR has to become part of the fabric of the organisation in much the same way as health and safety, internal control or information security.
There are a number of key terms that are used throughout the manual, many of which have very specific definitions. These definitions all originate in the GDPR itself. Article 4 of the GDPR contains all the key definitions and should be thoroughly reviewed. Of these, there are five terms universally applied throughout the Regulation that need to be clearly understood from the outset.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.²
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.³
The data controller is the organisation that determines the purpose for processing personal data and what processing will be done. As we’ve seen, “processing”, under the terms of the GDPR, includes collecting and storing information, so it’s possible that an organisation may be accountable as a controller but not otherwise involved with the actual processing of personal data. A consumer products company that hires a marketing agency to profile its customers, and that provides the agency with the specific data necessary to produce those profiles, will clearly be the data controller, and the marketing agency will be the data processor. If, however, the marketing agency determines what customer data it needs to see, and how that data will be used, and simply provides summary information to the consumer products company, then the marketing agency will be the controller.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.⁴
Data processors are organisations or entities that process personal information on behalf of a data controller. As noted above, “processing” is essentially anything done to the data, including storage, archiving, or just looking at it. It is normal for an organisation to be both a controller and a processor in respect of most personal data; it is only processing that is carried out by third parties on behalf of the controller that has to be addressed in line with the requirements on processors.
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.⁵
Personal data under the GDPR is a broad set of types of information about “an identified or identifiable natural person”. This means that the information is not personal data if there is no way to link it to a natural person. Personal data is anything that could be linked in any way to the data subject, so organisations will need to be careful about how information is gathered and used, as it may be possible to accidentally gather sufficient information to remove the anonymity of the subject. Note that the definition now specifically includes biometric, genetic and health information, as well as online identifiers, such as an IP address that can be used to identify a person. The GDPR does not extend any rights to deceased persons.
‘Supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51.⁶
The supervisory authority is the governmental organisation in each Member State that will be responsible for enforcement of the GDPR. Your organisation may need to interact with the supervisory authority on a number of occasions, so it’s worth making sure you know who that will be (in the UK, for instance, it’s the Information Commissioner’s Office, while in France it is the Commission Nationale de l’Informatique et des Libertés, and so on). There is a full list of the current EU/EEA national supervisory authorities in Appendix 2.
If your organisation operates in more than one Member State, you may have a lead supervisory authority in whichever Member State the main establishment of your organisation is based⁷.
2 GDPR, Article 4, Clause 2.
3 GDPR, Article 4, Clause 7.
4 GDPR, Article 4, Clause 8.
5 GDPR, Article 4, Clause 1.
6 GDPR, Article 4, Clause 21.
7 GDPR, Article 56.