In May 2018 the General Data Protection Regulation (GDPR) comes into effect. The new regulation strengthens local European legislation for data protection and aligns regulators under one authority. David Thomas, Head of Information Security & Privacy Compliance at MThree Consulting, provides an overview of GDPR and six privacy principles organisations must follow when collecting, processing and managing personal information data. Organisations which breach any of these areas risk fines of up to €20 million or 4% of global turnover and data processing bans.
GDPR is a new data privacy regulation adopted in 2016, the most significant and far reaching of its kind, which applies in full from 25th May 2018. The regulation, which repeals and replaces the EU Data Protection Directive 95/46/EC and all other EU national data protection legislation, asserts new and expanded privacy rights for over 500 million individuals in the EU.
The regulation applies to a wide definition of personal data, in short “any information relating to” an individual (this includes identifiers such as name, ID numbers, phone number, online ID, mobile device ID, or one or more factors about an individual’s physical, physiological, genetic, mental, economic, cultural or social identity). Supervisory authorities and courts are already applying various principles of the regulation (e.g. compulsory disclosure of personal data breaches).
In the event of a data protection breach or other types of infringement, the European regulatory body has been given the mandate to act. For organisations – GDPR regulates every entity worldwide that provides services and / or handles information relating to individuals in the EU – compliance with GDPR is key, as non-compliance with the regulation can result in big penalties. In cases of serious infringement, fines of up to €20 million or 4% of worldwide turnover (whichever is higher) can be imposed, and organisations can be banned from processing personal data.
To comply with GDPR, organisations broadly speaking need to embed six privacy principles within their operations:
1. Lawfulness, fairness and transparency
Transparency: Tell the subject what data processing will be done. Fair: What is processed must match up with how it has been described. Lawful: Processing must meet the tests described in GDPR [article 5, clause 1(a)].
2. Purpose limitations
Personal data can only be obtained for “specified, explicit and legitimate purposes” [article 5, clause 1(b)]. Data may be used only for the specific processing purpose that the subject has been made aware of; any other use requires further consent.
3. Data minimisation
Data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” [article 5, clause 1(c)]. In other words, no more than the minimum amount of data should be kept for specific processing.
4. Accuracy
Data must be “accurate and where necessary kept up to date” [article 5, clause 1(d)]. Baselining data quality provides good protection, including protection against identity theft. Data holders should build rectification processes into their data management / archiving activities for subject data.
5. Storage limitations
The regulator expects personal data to be “kept in a form which permits identification of data subjects for no longer than necessary” [article 5, clause 1(e)]. In summary, data that is no longer required should be removed.
6. Integrity and confidentiality
Requires processors to handle data “in a manner [ensuring] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage” [article 5, clause 1(f)].
These six principles give a top-level overview of the areas covered by the new regulation; however, they do not delve into the nuances of consent and other articles of GDPR, nor the complexities of data flow mapping, lineage and coordination activities associated with implementing a programme to meet GDPR compliance.