Intro to GDPR
25 May 2018 marks a watershed in the world of data protection. On that date the General Data Protection Regulation (GDPR) comes into force. This is EU legislation which will apply to any business holding the personal data of any EU citizen. In addition, the regulation is finessed by a Data Protection Bill currently going through Parliament. On top of these legislative developments, meat is being put on the bones by advisory documents from the EU and our own Information Commissioner's Office.
What, then, are the main differences from the old regime? In our opinion, by far the most important relates to changes in obtaining consent for the processing of personal data.
The new approach makes effective consent harder than ever to obtain. There is a new buzzword, “granularity”, which means that general consents such as “trusted third parties” are no longer good enough to rely on for transferring personal data. You must name the parties and, if there is a list of them, mention each one.
For this reason, as well as others, consent is no longer the avenue of choice for processing data. Instead we expect to see greater use of Article 6 of GDPR, which sets out six valid bases for processing, of which consent is only one.
Overall, you need to change your emphasis from collecting data under broad consents to deciding in detail what processing you want to do and analysing the basis on which you are going to justify it.
Process and documentation
This brings us on to the next changes of emphasis and practice: all of these processes must be documented. The GDPR creates a new role called the Data Protection Officer (DPO), a required role in some circumstances and a recommended one in all other cases. This Officer is responsible for reviewing and controlling data protection in the organisation, and is answerable to the organisation, the data subjects and the Information Commissioner. S/he will devise the processes and documentation referred to earlier, as well as being responsible for training and review. The DPO will also deal with data subject requests, which carry on as before, and with ensuring that subjects who have given consent can withdraw it just as easily as they gave it.
An unknown quantity
Next to consider is a new right called the Right of Data Portability. Data subjects can require that any data you hold be transferred to someone else. The detail on how this works seems scant to the point of non-existence. We use it to end conversations with IT consultants selling us their GDPR products: we ask them to set out their data portability solutions, after which we don’t hear from them again.
As Intellectual Property lawyers, we have started thinking of data as a new form of intellectual property owned by the person who is the subject of the data (not to be confused with the ownership of data sets).
Whatever the size of your organisation, data protection should be on the agenda of every board from now until you are fully compliant. It is harder than you may think, and with potential fines of up to 17m euros for most businesses, and more for bigger ones, you can’t afford the risk.