The General Data Protection Regulation
Long awaited EU wide data protection law finalised
The General Data Protection Regulation (GDPR) has been in the making for over four years, but in April 2016 it was finally finished. The regulation promises data protection rules that will remove red tape for businesses but also tighten privacy protections for online users.
What is the GDPR?
Since the mid-1990s, legislation that protects the information privacy of individuals in the European Union (EU) has been primarily based on EU Directive 95/46/EC: the Data Protection Directive. This is the legislative act that has set out the minimum standards on data protection in the whole of Europe. Each country within the EU has taken Directive 95/46/EC and transposed it into its own local data protection law. The Dutch Wet bescherming persoonsgegevens, German Bundesdatenschutzgesetz, Belgian Privacywet / Loi vie privée and the United Kingdom’s Data Protection Act 1998 are all examples of such local laws.
Since the Directive has essentially not changed since 1995 and all local legislation based on it has only seen minor updates, the European Commission and European Parliament deemed it too outdated to meet modern privacy needs and concerns. Therefore, preparations started over four years ago to come up with a replacement: a European data protection act that is up to date and protects individuals’ privacy in the digital world we live in today.
That data protection act has now been finalised. It is called the General Data Protection Regulation (GDPR) and will replace local data protection laws such as the ones mentioned above, being valid in every country of the EU. The EU institutions made good on their promises to remove red tape for businesses but also tighten privacy protections for individuals. This means privacy rules will change and organisations that deal with information relating to individuals will need to adapt.
Significant changes in privacy rules
On this page we describe a number of these changes, the ones we feel will have the most impact. The complete GDPR is over two hundred pages in length, so what follows is a very brief summary and not meant to be an exhaustive list. Please refer to the official text as the authoritative source.
The GDPR strengthens the rights that individuals have to control their own data. One of the most significant examples of this is a new right that has been granted to individuals: The right to data portability. It basically says that an individual has the right to transport his personal data from one organisation to the next – hence the word ‘portability’. The personal data must be provided to the individual in a structured, commonly used and machine-readable format. And the rules also stipulate that when technically feasible, organisations should facilitate electronic transfer of personal data from one to another, if the individual requests this.
The impact of this rule could be large. What does it mean commercially when your client can ask for a copy of all his personal data and take it to your competitor? Technically it may be a challenge as well: are you able to provide an individual with a copy of all his personal data, and can your systems handle that?
Data breach notification
Every organisation that processes personal data needs to make sure that this data is properly safeguarded against loss, theft, unauthorised access, etc. In other words: the security of the personal data is important. So important that the GDPR includes a personal data breach notification rule. This says that when a breach of security occurs, this breach should be reported to the supervisory authority within 72 hours. And if the security breach is also likely to result in a high privacy risk for individuals, then these individuals should also be informed of the breach! Organisations in the Netherlands were of course already familiar with such a rule, as it is part of the current Dutch legislation; now, however, it is valid throughout Europe.
The legislators have made good on their promise to remove red tape, as the obligation to notify local authorities of personal data being processed is gone. This has for a long time been seen as a difficult and rather bureaucratic rule, putting a large burden especially on internationally operating organisations. However, in its place a rule has been created that an organisation must now maintain a record of processing activities under its responsibility – or, in short, that it must keep an inventory of all personal data processed. The minimum information that should be in the inventory has been described, and it goes beyond just knowing what data the organisation processes. It should also include, for example, the purposes of the processing, whether or not the personal data is exported, and all third parties receiving the data.
Data protection by design and by default
Data protection by design and by default are both included in the GDPR. This basically means two things. First, it will be mandatory when designing a new system, process, service, etc. that processes personal data to make sure that data protection considerations are taken into account starting from the early stages of the design process. Moreover, organisations need to be able to prove that they have done so. Second, when the system, process, service, etc. to be designed includes choices for the individual on how much personal data he shares with others, the default setting must be the most privacy-friendly one, i.e. the one that does not share any information at all. This data protection by default notion further includes data minimisation principles.
Expanded territorial scope
Interesting to see in the GDPR is the notion of territorial scope. This states that the GDPR (and therefore the European privacy laws) also applies to organisations that are not located within the EU, but that do offer goods or services to, or monitor behaviour of data subjects in the EU! In other words, organisations that target EU residents via the internet with services, goods or for monitoring, have to be compliant with EU rules on privacy of those residents’ data. It looks like this creates an interesting precedent, where the rules follow the data instead of being strictly territorial.
If you are a processor (you process personal data on behalf of another organisation), the GDPR has a significant change in store for you. Where so far all the burden of compliance with privacy legislation was on the controller (your client), you now get some obligations yourself directly as well. You will get responsibilities directly under the law and will be accountable as well. Some of these new responsibilities include that a processor must appoint a Data Protection Officer and keep records of all the processing activities it performs on behalf of clients. Moreover, a supervisory authority can go to processors directly with requests and demands. It is to be expected that this will shift the balance of power between controllers and processors to a more equal playing field.
Right to be forgotten
Another data subject right that has already received a lot of attention in the past years is the right to be forgotten. The data subject’s right to erasure of his personal data already existed in the current Data Protection Directive but is now elevated in the GDPR. Under the new regulation all organisations that process personal data must remove all of that data if one condition (out of a list of six) is met. The list of conditions includes the case where it is clear that data have been processed unlawfully and the case where a data subject withdraws previously given consent. This ‘new’ right received a lot of attention due to the Google v. Spain case, in which the Court of Justice of the European Union ruled in accordance with this new obligation.
The GDPR introduces Data Protection Impact Assessments (DPIAs) as a means to identify high risks to the privacy rights of individuals when processing their personal data. When these are identified, the GDPR expects that an organisation formulates measures to address these risks. This assessment should happen prior to the start of processing the personal data and should focus on topics like the systematic description of the processing activity and the necessity and proportionality of the operations. With that, the DPIA resembles the Privacy Impact Assessments (PIAs) that many organisations already execute regularly. The contents of PIAs, however, were never strictly defined, so perhaps this helps in getting more uniform assessments.
The need to take proper information security measures to ensure the confidentiality, integrity, availability and resilience of processing systems and services has always been a part of privacy legislation. New is that the GDPR champions pseudonymisation and encryption of personal data: these security measures are thought so valuable that they have been specifically mentioned in the text of the act. Furthermore, it is stressed that security should be based on a risk assessment, however not of the risks the organisation faces, but of the risks for the rights and freedoms of natural persons, i.e. the risks that an individual’s privacy is compromised.
Accountability and data governance
Data protection legislation in the EU has always been based on a number of principles that need to be adhered to. Lawfulness, fairness, purpose limitation and transparency are well known examples of those. The GDPR introduces a new principle: accountability. Organisations will not only be responsible for adhering to all the principles, they also must be able to demonstrate compliance with them! For most organisations this means they will have to elevate their internal privacy governance maturity, not only because of this new accountability principle but also because the public opinion will expect it from modern organisations.
One of the most discussed aspects of the GDPR must be its explicit mention of fines. Whereas the Data Protection Directive only had one line stating that sanctions had to be defined by the Member States, the GDPR details exactly what administrative fines can be incurred for violating articles of the GDPR. The maximum fines depend on the “category” in which the violation occurs: for less serious violations, the maximum is € 10 million or 2% of total annual worldwide turnover of the preceding year (whichever is higher); for more serious violations this goes up to € 20 million or 4%.
One stop shop
As a partial relief for organisations that operate across the EU, a sort of ‘one stop shop’ system for supervisory authorities in Europe will be introduced. The GDPR introduces a co-operation system between supervisory authorities. The ‘Lead Supervisory Authority’ will be the supervisory authority of the country in which the data controller or processor has its main establishment. The Lead Supervisory Authority will be the primary authority organisations need to deal with, but under certain circumstances local authorities can step in as well. They need to co-operate, but it will be interesting to see how this co-operation will function in practice.
Approved certification mechanism
The legislators have acknowledged that for many organisations being able to prove that they adhere to the GDPR will be an advantage. For that purpose, data protection certification mechanisms and data protection seals and marks are introduced. The GDPR even speaks about the possibility of arriving at a common European Data Protection Seal. And although for now the GDPR provides scant details, it is to be expected that this mechanism for showing adherence will develop in the coming years.
It is critical to note that the GDPR is a Regulation, not a Directive. Where Directive 95/46/EC was transposed into local laws in each European country, the GDPR, as EU Regulations go, will be directly valid. This will be a relief to many organisations that operate in multiple countries within the EU – having to account for and comply with slightly different rules on data protection in each EU member state can be a legal and operational nightmare. However, we do note that in the GDPR the legislators have given local governments the ability to add or adapt provisions to fit their local data protection needs. Views on how much individuals’ personal data should be protected, and from whom, are deeply rooted in local culture. Even within the EU vastly different opinions exist on this from one country to another. It is expected that many governments will make provisions in line with local cultural habits and views.
The next step for any organisation, now that the final text of the GDPR is known, is to identify how this new legislation may impact it. This will of course vary per organisation, but in general terms, privacy consists of making sure you address not only the legal aspects. This new regulation emphasises that it is also about making sure that you have organised yourself properly to deal with privacy and that you have the technical ability to do so. In a next update we will provide more insight into how this can be done.
In the meantime, should you have any specific question on the GDPR or privacy and data protection within your organisation, please contact Jan-Jan Lowijs from the Deloitte Privacy Team. The effects of the GDPR will differ per organisation and we are more than happy to provide you with tailored insights and updates.
The Deloitte Netherlands Privacy Team remains in contact with the leaders of the Global Deloitte Privacy Practice on the impact and consequences the GDPR may have, to ensure we can advise global clients on the next steps to take. As privacy requires a legal, technical and organisational approach, we have our specialists bundled in one multidisciplinary privacy team enabling all round solutions.