The EU General Data Protection Regulation: T Minus 10 months and counting….
At 260 pages, the European Union’s General Data Protection Regulation isn’t as chunky as some EU law, but when it ‘goes live’ in May 2018 it’ll mark a watershed in information security and data protection law. You may not think it applies to you, but it almost certainly will, and that opens SMEs and e-commerce to fines and other penalties that in some cases they may not survive.
Here at www.seorw.com, we’ve read the law in full. Here are our key takeaways:
Time to bone up on infosec
Yup, it’s time to get all your ducks in a row when it comes to information security. That’s because come May 2018, you’ll be responsible in law for the security of any data you hold on EU citizens. Now, if you can say with absolute certainty that you don’t hold any such data, all well and good. But can you?
Paragraph 23 of the General Data Protection Regulation’s preamble states:
In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.
In other words, even if you’re based in Timbuktu, and your servers are all in the South Pacific, and you’re selling flags with the legend ‘I hate the EU’, all you need is a single customer inside the Union to be, in EU law, bound by the GDPR’s precepts.
And note the phrase ‘irrespective of whether connected to a payment’. Let’s say you run an international birdwatching website that acts as a clearing house for information on tours and rare bird sightings. Members are not asked for a payment, but you ask them for personal details so you can analyze your membership and serve them better. One member from the EU, and boom, you’re covered by the regulation.
No hands in the cookie jar
Any tracking software, such as cookies, that are used to monitor or analyze the online behavior of EU citizens, and can be used to identify them, including IP addresses, needs explicit consent from what the EU law calls a ‘data subject’ (i.e., the person whose data is being stored). Pre-ticked boxes, silence, and inactivity are not deemed ‘forms of consent’ under the law.
If you request personal information from an EU citizen, you’re also required to inform them of what use that information will be put to. Let’s say you plan to sell that information on to an online marketing business. Under paragraph 39 of the Regulation’s preamble, ‘the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data.’
I don’t remember; I can’t recall
What’s more, the Regulation enshrines the so-called ‘right to be forgotten’ and the right to insist on corrections of erroneous or out-of-date information. As a ‘data processor’ (the person or body that analyzes or interrogates the data) or ‘data controller’ (the person or body that is in ultimate control of the data, and who might sell it, for example), you have to comply with requests to permanently delete data you hold on individuals, and do so in a timely fashion (within a month).
So, at last, you have the right to tell Facebook what it can do with all the reams of data it’s stored on you.
The main body of the General Data Protection Regulation sets out the principles which the Commission says are at the heart of the Regulation. These are
- lawfulness, fairness and transparency
- purpose limitation
- data minimization
- storage limitation
- integrity and confidentiality
These are mostly self-explanatory. Under paragraph 2 of Article 12, it is the ‘data controller’s’ responsibility to ensure that ‘data subjects’ are able to exercise their full rights under the Regulation. Basically, ‘data subjects’ have rights, while ‘data controllers’ and ‘data processors’ have responsibilities. This means that the principle of ‘transparency’ asserts the right of data subjects to be informed of the use to which data held on them will be put. ‘Purpose limitation’ bars data controllers from further use of data on subjects without their explicit consent (Chapter III, Section 2, paragraph 3; Article 14, paragraph 1). Subjects should also be informed when their data is used for profiling (Chapter III, Section 2, paragraph 2(f)), and be notified when a controller intends to share subject data with a third party, particularly when that party is outside the European Union (Chapter III, Article 14, paragraph 2(f)).
Complicated and confusing, I know! It is a Government regulation, after all, so it’s what we should expect. The EU has set up a website, though, that tries to explain the GDPR in layman’s terms.
Relevant regulatory authorities, as well as data subjects themselves, must be informed of any breach of security within 72 hours of its discovery (unless you have a damned good excuse).
But the Regulation can do more than just give you an admin headache. If you fail to comply with its provisions and are deemed negligent by the relevant regulatory authority, your company can be liable to a fine of up to four percent of annual turnover. Ouch! That’s gotta hurt.
Just do it
So what can you do to ensure compliance? Well, data controllers and processors are required to produce a data protection impact assessment, so getting one of those done is a good start. Also, if you have a reasonably sized operation, you’ll need to appoint a data protection officer to monitor your compliance as well as the overall security of the data you hold. You’ve less than a year to get your houses in order, folks, so there’s no time like the present.
You can download the complete General Data Protection Regulation here (good reading if you have insomnia).
We’ll be writing more about the GDPR over the next few months including what you need to do to your website to get prepared. Enter your email address and first name below so you never miss an article. We’ll let you know everytime we post something new.