EU data protection regulation: what you need to know

Onus is on companies to understand what steps they must take to achieve GDPR compliance

Cloud-based services, where infrastructure is basically rented, may become appealing if the security of the infrastructure helps to mitigate risk under GDPR.
The General Data Protection Regulation (GDPR), which will come into effect in all European Union member states in two months' time, represents a dramatic departure for EU regulators from the previous directive on data protection.

In postwar Europe, the European Convention on Human Rights aimed to enshrine the rights of citizens, with article eight focusing on the right to privacy. In recent decades, the arrival of the internet and the advent of mass data processing and analytics enabled EU citizens to generate vast quantities of data through browsing behaviour, social media and buying and selling online.

Data-driven business models have been a feature of Silicon Valley industries, where data protection and privacy have frequently featured only after the fact, if at all.

The recent announcement by Uber of a major data breach which the organisation had concealed for more than a year is a case in point – as is the disclosure this week that a British company, Cambridge Analytica, used data from people’s Facebook interactions without specific permission to, among other things, help deliver the US presidency for Donald Trump.

In drafting the GDPR, the EU is essentially disrupting the disrupters, and advertising itself as the leading global watchdog in the establishment of a new order with respect to the data rights of citizens.

What rights?

One of the most significant changes within GDPR is its “expanded territorial scope”. GDPR applies to all EU citizens’ personal data regardless of whether it is processed within or outside the EU.

The new regulations also expand the material scope of data privacy. The definition of what constitutes “personally identifiable data” is being extended beyond obvious attributes such as ethnicity and gender to include biometric data, genomic sequencing data and even the IP address of an individual browsing the web.

The GDPR is accompanied by an enforcement regime, with sanctions for serious breaches reaching up to €20 million or 4 per cent of total worldwide annual turnover (whichever is greater). Clearly this is intended to alert the market to the gravity attached to the GDPR; failure to comply is not an option.

For businesses, GDPR will bring a number of operational requirements. Workplaces will need to implement new business processes such as privacy impact assessments, allocate new responsibilities such as data-protection officer and heed specific rules governing breach notification.

The new regulations address the practicalities of “pseudonymising” data to allow ongoing analytics, with the intention of allowing some degree of business as usual for the analytics and data science industry, once checks and balances are in place with respect to user privacy. But this means that businesses will need to assess their exposure and data-handling procedures.

They will also need to have in place a protocol for dealing with subject access requests – ie requests from individuals (in this case potential, current or former employees) for any information held on them. Under GDPR individuals can invoke new rights, including erasure of personal data, correction of records, and even requests for data in accessible formats.

The time frame for supplying this broader range of information is tighter than it was under previous data regimes and the ability to charge applicants more restricted.

Consent

The GDPR particularly focuses on the concept of “explicit consent”. This is intended to forbid models based on opting-in as a default, or simply burying consent acceptance into the text of terms and conditions that typically remain unread.

From a business perspective this raises some fundamental questions about the direction of IT strategy. Cloud-based services, where infrastructure is basically rented, may become appealing if the security of the infrastructure helps to mitigate risk.

Cloud service providers, including Microsoft’s Azure platform, and Amazon’s Web Services offering, have prepared for GDPR by designing services that are intended to assist compliance. These are based on a sharing of responsibility between the provider and the customer, so the onus is still on the customer to ensure compliance, although outsourcing the bulk of the system may make this goal easier to achieve.

Preparing for GDPR

Companies and managers can inform themselves of their obligations and their employees' rights by visiting the website of the Data Protection Commissioner (dataprotection.ie). Organisations already compliant with the existing directive are operating from a position of strength. However, the onus is on everybody, particularly small companies, to understand precisely what the GDPR means for their business, and what steps they need to take to demonstrate and achieve compliance.

In addition to expert advisory services offered by many companies, numerous free events and information days are also taking place around the State. The clock is ticking, however, and companies need to accept that any revision to existing organisational practices could be complex.

While complacency is not an option, the good news is that achieving compliance will help to tighten up and introduce best practices in the often overlooked area of risk management.

Jack Nagle is business development manager at the Irish Centre for Cloud Computing (IC4) based in Dublin City University Business School