Data protection has become a major issue over the last few years and, as a result, the UK’s Information Commissioner’s Office (ICO) is becoming increasingly aggressive with its fines for DPA-related offences. In 2010 there were just 2 fines, totalling £160,000, but so far this year (up to August 2017) there have been over £3 million in fines. However, this level of penalty is small compared to what is possible once the General Data Protection Regulation (GDPR) applies. Businesses that breach the new rules face a penalty of up to 4% of their annual worldwide revenue or €20 million, whichever is higher. For example, under GDPR, TalkTalk’s £400,000 fine could now be up to £59 million and Pharmacy2U’s fine of £130,000 could rise to an unmanageable £4.4m. For many businesses, fines at this level bring with them the threat of insolvency or serious financial difficulty. Despite this, as of July 2017 the largest category of companies in IDC’s GDPR Maturity Model is “dawning realization”, representing 40% of enterprises, which falls short of compliance.
Meanwhile, 17% are still “blissfully unaware.” So, while the remaining 43% of enterprises (25% “pragmatic compliance,” 18% “beyond compliance,” 1% “compliance exemplar”) are ready for GDPR in one form or another, well over half of enterprises (57%) are not, despite enforcement being mere months away. This post discusses the elements of GDPR that you need to know and what you may need to change in the next few months to make your organisation ready.
What is GDPR?
On 25th May 2018 GDPR will apply in all EU member states. GDPR introduces far tougher fines for non-compliance with, and breaches of, data protection law relating to people’s personal data. It also gives individuals more say over what companies can do with their data.
Although Britain is leaving the EU in 2019, there will be no immediate change to the GDPR regime, as EU law will be subsumed into British law. In February 2016 the minister of state for digital and culture, Matt Hancock MP, suggested that any replacement legislation (when it comes) will be based on the GDPR.
Companies outside the EU are not exempt either, as the regulation applies to any company handling data belonging to EU residents.
Controllers and Processors of data
Article 4 of the GDPR relates to ‘Controllers’ and ‘Processors’ of data.
- Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
- Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
A data controller decides how and why personal data is processed. This could be any type of organisation that holds personal data, be it a local council, a supermarket, a charity or anybody else who holds or processes personal data. Under GDPR it is the controller’s responsibility to ensure personal data is processed lawfully, transparently and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
The processor is the party doing the actual processing of the data, such as an IT firm. Processors must maintain records of their processing activities.
What constitutes personal data?
Article 2 of the GDPR states that the regulation applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”.
The GDPR’s definition of personal data is also much broader than under the Data Protection Act (DPA). Article 4 states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Under certain circumstances, personal data now includes online identifiers such as IP addresses and mobile device IDs. Website cookies, which track consumer behaviour and are embedded in the majority of online activity, can now also be personal data. Similarly, the GDPR introduces the concept of ‘pseudonymous data’: personal data that has been subjected to technical measures (for instance, hashing or encryption) so that it can no longer be attributed to an individual without additional information that is held separately. Such data is still personal data; pseudonymisation reduces the risk but does not take the data outside the regulation.
What this means in practice is that if my name (Simon Barnes) alone is released, this may not always be considered personal data, because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work or a telephone number) it clearly identifies the individual and is therefore personal data.
Conversely, the absence of a name does not mean the data is not personal data. Just because you do not know the name of an individual does not mean you cannot identify them from other types of data; it is the combination that matters. For example, my job title and company name together can identify me.
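The point about pseudonymous data is easy to misjudge: replacing an identifier with a hash does not stop it being personal data. The following is an added example (not code from the original post) that makes this concrete. It pseudonymises a constructed list of fictional e-mail addresses in two ways, a plain unkeyed SHA-256 and an HMAC under a secret key held by the controller, and then runs the check a data protection reviewer would run: can each pseudonym be linked back to a candidate identifier? With the unkeyed hash, anyone who can guess the candidates rebuilds the mapping; with the keyed version, only the key holder can, which is exactly why the controller must still treat the keyed pseudonyms as personal data. The e-mail addresses and the key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: fictional customer e-mail addresses, not real people.
CUSTOMER_EMAILS = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Deterministic and unkeyed, so anyone holding a list of candidate
    identifiers (e-mail addresses are cheap to guess or buy) can hash each
    candidate and look the pseudonym up. This is not adequate pseudonymisation.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key held by the controller.

    Without the key a candidate identifier cannot be tested against the
    pseudonym, so the 'additional information' needed to re-identify is the
    key itself, which must be stored separately and access-controlled.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def audit_linkability(pseudonyms, candidates, pseudonymise):
    """Reviewer's check: which pseudonyms can be attributed to a candidate
    identifier using the given pseudonymisation function?

    Returns a dict mapping each linkable pseudonym to the identifier it
    came from. An empty dict means nothing could be linked.
    """
    lookup = {pseudonymise(c): c for c in candidates}
    return {p: lookup[p] for p in pseudonyms if p in lookup}


def linkability_report(key: bytes) -> dict:
    """Compare the two schemes against the same candidate list.

    'naive_linked_without_key' : unkeyed hashes linked by an outsider
    'keyed_linked_without_key' : keyed pseudonyms linked by an outsider (no key)
    'keyed_linked_with_key'    : keyed pseudonyms linked by the controller
    """
    naive = [naive_pseudonym(e) for e in CUSTOMER_EMAILS]
    keyed = [keyed_pseudonym(e, key) for e in CUSTOMER_EMAILS]
    return {
        "naive_linked_without_key": len(
            audit_linkability(naive, CUSTOMER_EMAILS, naive_pseudonym)
        ),
        "keyed_linked_without_key": len(
            audit_linkability(keyed, CUSTOMER_EMAILS, naive_pseudonym)
        ),
        "keyed_linked_with_key": len(
            audit_linkability(keyed, CUSTOMER_EMAILS, lambda i: keyed_pseudonym(i, key))
        ),
    }


if __name__ == "__main__":
    # A fresh random key stands in for the controller's separately held secret.
    controller_key = secrets.token_bytes(32)
    for name, count in linkability_report(controller_key).items():
        print(f"{name}: {count} of {len(CUSTOMER_EMAILS)} pseudonyms linkable")
```

The report shows all three unkeyed hashes linked by an outsider, none of the keyed pseudonyms linked without the key, and all three linked by the key holder. The design lesson for a controller is that the key, not the hash function, is what separates the pseudonyms from the data subjects, so it belongs in a key store with its own access controls and rotation policy, and the pseudonymised dataset still falls under the GDPR obligations described in this post.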
What is ‘lawful’ processing of data?
Processing is lawful if the data subject has consented to their data being processed. Consent must be an active, affirmative action by the data subject, rather than the passive acceptance commonly used today, such as pre-ticked boxes.
Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want. If your current model for obtaining consent doesn’t meet these new rules, you’ll have to change it or stop collecting data when the GDPR applies in 2018.
Processing can also be lawful without consent where it is necessary:
- to comply with a contract or a legal obligation;
- to protect an interest that is “essential for the life of” the subject;
- for a task carried out in the public interest; or
- for the controller’s legitimate interests, such as preventing fraud.
At least one of these justifications must apply before the data may be processed.
Right to Access
Under the GDPR, individuals will have the right to obtain:
- confirmation that their data is being processed;
- access to their personal data;
- other supplementary information, which largely corresponds to the information that should be provided in a privacy notice (see Article 15); and
- correction of inaccurate data.
You can’t charge a fee for providing the information unless a request is manifestly unfounded, excessive or repetitive, and even then you can only charge the cost needed to fulfil the request. In the case of excessive requests you can refuse to respond, but you must explain to the individual why you have not replied and inform them of their right to complain to the supervisory authority and to seek a judicial remedy, as quickly as possible and certainly within one month.
All requests must be completed within 1 month, although in certain circumstances, such as complex or numerous requests, this can be extended by a further 2 months.
Right to be forgotten
Individuals also have the ‘right to be forgotten’. This means they can demand that their data is deleted if it is no longer needed for the purpose for which it was collected. Under this rule they can also object to the way it is being processed.
The controller is responsible not only for erasing the data but also for advising other organisations (e.g. Google) to delete any links that may exist to copies of it.
Right to data portability
Individuals now have the right to data portability, allowing them to obtain and reuse their personal data for their own purposes across different services. Ironically, the very thing that may have caused some data breaches (i.e. transmitting machine-readable open CSV files) is now required as the mechanism for supplying the personal data.
You may also be required to transmit the data directly to another organisation if this is technically feasible. However, you are not required to adopt or maintain processing systems that are technically compatible with other organisations.
The information must be provided free of charge and within 1 month.
Breach notification
It’s your responsibility to inform your data protection authority of any data breach that risks people’s rights and freedoms within 72 hours of your organisation becoming aware of it. In the UK the authority is the Information Commissioner’s Office.
The report should outline the nature of the data affected, roughly how many people are impacted, what the consequences could be for them, and what measures you have already taken or plan to take in response.
Is Blockchain the answer?
It is IDC’s view that several characteristics inherent to blockchain position it as a technology that can help reconcile the enterprise imbalance between access and trust that arises from digital transformation (DX). The reasons are shown in the following diagram of six high-level themes associated with blockchain.
IDC breaks down the role of private blockchain in GDPR compliance into three components:
- Information governance (i.e., managing the data life cycle)
- Meeting specific requirements (i.e., right to be forgotten, consent, encryption, data portability, record keeping, etc.)
- Reviewing “state-of-the-art” (establish “appropriate technical and organizational measures” relevant for your organization and context)
One of the few practical solutions to these issues is provided by Gospel Technology. At the heart of Gospel is a private, permissioned distributed ledger containing not only the key data that forms the value of your business (intellectual property, personal data, sensitive content, healthcare records, etc.) but also an absolute record of every trusted transaction performed on it, unlocked by Gospel’s Distributed Data Logic. The Gospel Cloud platform can be deployed as a public or on-premises service for complete control over the underlying infrastructure and the maximum level of data compliance.
In simple terms, Gospel can help with the following issues that could lead to GDPR non-compliance:
- Inter-Company Data Sharing
- Data Collaboration
- IoT and API Connected data
- Digital Consent and e-signature
- Cloud Service Usage
- Personal Data Collection and Usage
Specifically, on the consent issue, the Gospel Cloud Platform has a dedicated mechanism which is unique in giving organisations a way to share data (internally and externally) with consent driven entirely by the data owner. Conditional, granular permissions are used to share very specific data (either whole records or individual data points), creating a secure method of utilising data. An example may be enabling employees to control how their PII is shared with external companies. In some cases only a Boolean request (yes or no) needs to be fulfilled, and employees can consent to certain elements of their data being shared. In other cases there may be a need to share sensitive IP between multiple parties, and consent is used so that only the requested parts of the data are shared rather than every party revealing 100% of its IP. This use case is common in project management scenarios involving multiple organisations.
Vivek Kundra, an investor in Gospel Technology, former CIO of the U.S. Federal Government, and current COO of Outcome Health, describes the impact of private blockchain on enterprise data handling as follows:
“The use of private permissioned blockchain within the enterprise environment is a huge leap forward for the future of data integrity, as companies move to make information more accessible across decentralized infrastructure and business partner relationships. The growth in customer and personal data being generated and processed, coupled with legislative pressure to maintain control of its usage, requires an immutable and trusted data solution.”
If you would like to know more, or would like to attend a GDPR event in London on November 1st 2017, please email me directly.