Hello everyone, welcome. Today we’re going to be talking about GDPR, you might have heard about it, it’s a big topic at the moment within the world of data. It’s the General Data Protection Regulation.
This is regulation that’s coming in, it’s been brought in by the EU. Today is actually a very opportune moment to be speaking about it. It will be exactly one year when this comes into enforcement, so it’s very, very important we understand a little bit about it. So, what I want to share today is the top line of GDPR, what it means for us, what it means for our clients, and some of the things we need to be thinking about, in terms of data protection.
So, the top line summary is that the GDPR replaces the data protection directive that was introduced in 1995, and there’s an important difference between the regulation and directive. The directive hasn’t necessarily had big ramifications for businesses who failed to meet it. As a regulation, this stuff will be highly punishable for those who fail to meet the regulations that are being introduced. It will apply from the 25th of May 2018, and as I said, the fines are going to be significant. It’s going to be €20 million, or 4% of global turnover, whichever is greater, for the most severe penalties for those who fail to meet the regulations I’m about to go through.
The GDPR really applies to any business who is processing the personal data of an EU citizen. There’s also additional regulations for those who are transporting data out of the EU on EU citizens, or for international businesses who are accessing the data of EU citizens.
GDPR is being brought in to strengthen the existing data protection rights of individuals within the EU. The idea is that it gives control back to the individual. This is positive, with the data breaches that are in the news, rightfully, individuals should have control of their personal data. The other big benefit of this is, it aims to unify the regulation across the EU. If all EU members have to conform to the same regulation, it makes it easier for international business to get involved, and it makes it easier to regulate across all of the different countries.
So, the key requirements that I’m going to go through quickly today are:
- Responsibility and accountability
- The need for data protection officers
- Data breaches
- Right to erasure
- Data portability
- Privacy by design and by default
A lot of these are quite technical, but what I’m hoping to do is dispel them a little bit today, give you an understanding of what they’re about and how it will affect us.
There’s some terminology which is used throughout the GDPR documentation around data controllers, and data processors.
A data controller is an organisation or an entity, which is collecting the data, defining the means of how the data are processed, and how it’s being used. From our point of view, this will largely be our clients, it will be businesses who are collecting the data from their customers, it’s the first party.
Then you’ve got data processors, which might be third parties, or tools that these data controllers work with, and this will typically be third party, so it could be a cloud storage provider, which the data controller puts their data into, or it could be third parties like us. If we’re receiving personal data from clients, we would be in that scenario, a data processor. Important to bear those in mind, because there’s different rules for each of these groups.
First point in GDPR is around responsibility and accountability. There’s no more excuses. Businesses, data controllers and data processors will be accountable for the information they hold on their customers. It’s purely automated decision making, so we talk about, machine learning, in finance for example, the decision whether to lend money or not could be based on a purely automated machine learning algorithm. GDPR brings in legislation to ensure that individuals can dispute the decisions made by these systems, they have the right to request more information about how that decision was made.
Data controllers, who are our clients, must also be able to demonstrate the compliance in data processing, so they need to be able to demonstrate how they collected the information, that the information was given with consent – which we’ll come onto a little bit more – and they also need to be able to demonstrate that the data processing carried out by a third party, so the data processor, also complies with GDPR.
Now on consent, consent must be explicitly given by the user; it’s opt-in only. It will not be allowed to have a form that says: ‘I agree to give my email address’ that is pre-ticked. Users must actively give consent, and they must know full well at the time what they’re signing up for, how that data will be used, and why it is being collected. Data controllers will also have to give information about how long the data will be valid for, when they will delete it, if it has an expiry date, and when that will be.
They must be able to prove the consent, for children. Any minors must be able to prove that an adult or a guardian gave that consent, and it might be withdrawn at any time for the individual. So, any service you sign up to, under GDPR you have the right to be able to request that your information is deleted from the data controller.
Data protection officers are also being introduced into this legislation. It’s not required for all businesses, but it is encouraged that all businesses should review their data practices and their usage of data. This will be particularly important for data controllers who…our clients will need to do an audit of the information that they collect from their customers, and then we need to determine whether it’s necessary for them to appoint a data protection officer.
It’s kind of interesting, this kind of role previously, has been perhaps somebody in the legal team who is a little bit more clued up on data protection law, but GDPR is stating that this person needs to have a broader set of skills. They need to be covering, not just the legal implications of GDPR, but also the technical skills to be able to pull it off and understand whether it’s being implemented within the organisation, so the technical specifications that are required. It’s quite a tough role, and the role of this individual will be to act as a mini-regulator within the organisation, to ensure that every aspect of personal data is being treated with compliance, amongst the organisation. I love this little guy. “Data protection audits help companies avert privacy risks and comply with privacy laws.”
Now this one I can hardly say. I’ve heard various people talk about it: ‘pseudonymisation’, ‘pseudonymisation’, all sorts of different ways, it sounds a little complicated, but essentially it’s basically making data anonymous. One of the ways to do that, which is being talked about a lot, is encryption. The important bit is that the anonymous user data, and any data required to de-anonymise it, must be stored entirely separately.
So, in the case of encryption, you have encryption keys, the keys allow you to encrypt and decrypt the information. If you encrypt it, you must keep those keys separate from your data. GDPR doesn’t actually apply to anonymised data, so things like Google Analytics, where we aren’t able to tie back the information to an individual, will not be under the jurisdiction of GDPR. GDPR applies to personal data, personally identifiable information, which does include IP addresses.
Data breaches, there’s new rules coming in around the breaches of data as well. This is particularly topical, because we see so much about it in the news. Obviously with the WannaCry malware going around at the moment, this is a hot topic. So GDPR brings in regulations and guidelines for businesses to be able to handle and disclose data breaches. They will have a legal obligation to disclose a data breach, or a known data breach, within 72 hours of discovery, to supervisory authorities, which will be appointed within each country.
If individual data is impacted, then they must give notification to the individuals if their personal data has been compromised. If the data are anonymised, so if it’s encrypted, then the same regulations don’t apply. So, if my anonymised data is leaked, and someone has my encrypted data, or they don’t know that it’s me, I won’t necessarily know about it. But if my personal information, my Royal credit card number, my phone number, my address, leaks, the controllers who own that data or hold that data on me will be obligated to disclose it.
There’s also the right to erasure, so we’ve previously had the right for individuals to be able to access their information, so this goes a little bit further. The individuals have the right to request the erasure of personal data. They have the right to request the erasure of their data from a data controller that they’ve given their information to. Under a number of different guidelines, they can withdraw their consent at any time. Of course, this might mean that the data controller is no longer able to provide the service to them, but that will be the decision of the individual. But it will also now be the responsibility of the data controller, the business who originally collected that data, to inform all of their third parties that that request has been made. The third parties will then have to remove that data too.
This one’s particularly interesting, data portability. Now I’ve got to admit, this isn’t something that I’d heard a huge amount about, before GDPR. GDPR is bringing in new rules that expand upon the right for users to be able to access their information. As it currently stands, we can make requests to businesses to say: “show me all the stuff you’ve got on me”. Businesses were allowed to charge for that, there’s no particular regulation. So, data portability not only allows individuals to access their information, but it must be done for free. It must be done with a machine-readable format as an output, so that’s something like a CSV or a JSON format.
The users also have the right to request that that data is sent immediately to another data controller. Organisations will be required to build tools to be able to better comply with these things, that means things like APIs, programmatic interfaces for individuals to access the data that a company holds on them, and then to be able to send it immediately to another data controller. This has massive implications for things like comparison websites. You may have already seen MyData, which is a government initiative to try and standardise the transportation of data from one service to another. It would mean that you could switch banks, just by saying: “take all the information that my bank has got, send it to another bank and see if they can give me another deal, or a better deal”. This will have big implications.
Finally, there’s privacy by design and by default. This one’s a little bit more technical. It applies perhaps more to the product development aspect of things, and the technical handling and processing of data, but it must be entirely GDPR compliant, from the moment the data is collected right the way through all of the data processing that occurs.
There’s lots of practices being spoken about, like personal data should only ever be accessed when absolutely required, it shouldn’t ever be opened up to individuals who shouldn’t have access to it, and it must be compliant along every step of the way. Anonymisation by default, anonymising as early as possible and so on. Thank you very much.
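The talk describes pseudonymisation as keeping the anonymised records entirely separate from whatever is needed to re-identify them, with the keys held apart from the data, and data portability as handing the subject their data in a machine-readable format. The following is an added example, not code from the talk, showing one way to do that in Python: identifiers (email, IP) are replaced in the data store by keyed-hash tokens, while the key and the reverse lookup live in a separate `KeyStore` object that a real deployment would place in its own access-controlled system. The `SAMPLE_RECORDS`, the `KeyStore`, `pseudonymise_records` and `export_subject_data` names are all constructed for this example and are not from any project the talk mentions.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

# Constructed sample data: raw records as a data controller might hold them.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "ip": "203.0.113.10", "page": "/pricing"},
    {"email": "bob@example.com", "ip": "198.51.100.7", "page": "/home"},
    {"email": "alice@example.com", "ip": "203.0.113.10", "page": "/signup"},
]


class KeyStore:
    """Holds the pseudonymisation key and the reverse lookup table.

    This is the material that must be stored separately from the data
    (an HSM, a secrets manager or a locked-down database in practice).
    Whoever obtains only the pseudonymised records cannot use them to
    identify anyone without also obtaining this object.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def derive(self, identifier: str) -> str:
        # Keyed hash (HMAC-SHA256): a plain hash could be reversed by hashing
        # guessed emails or every IPv4 address; the key prevents that.
        digest = hmac.new(self.key, identifier.encode("utf-8"), hashlib.sha256)
        return digest.hexdigest()[:32]

    def pseudonym(self, identifier: str) -> str:
        """Return the token for an identifier and record the reverse mapping."""
        token = self.derive(identifier)
        self._lookup[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        return self._lookup.get(token)

    def erase(self, identifier: str) -> int:
        """Drop every reverse mapping for one identifier (right to erasure).

        The pseudonymised records stay in the data store untouched, but with
        no lookup and no raw identifier they can no longer be tied to a person.
        """
        doomed = [t for t, ident in self._lookup.items() if ident == identifier]
        for t in doomed:
            del self._lookup[t]
        return len(doomed)


def pseudonymise_records(records: List[Dict[str, str]], keystore: KeyStore) -> List[Dict[str, str]]:
    """Replace the personal identifiers in each record with tokens.

    Same input gives the same token, so the data store can still count
    sessions per user or per IP without ever holding the raw values.
    """
    out = []
    for rec in records:
        out.append({
            "subject": keystore.pseudonym(rec["email"]),
            "ip": keystore.pseudonym(rec["ip"]),
            "page": rec["page"],
        })
    return out


def contains_raw_identifier(pseudo_records: List[Dict[str, str]], raw_records: List[Dict[str, str]]) -> bool:
    """Check used before shipping the pseudonymised set anywhere: no raw email or IP may remain."""
    raw = {v for r in raw_records for k, v in r.items() if k in ("email", "ip")}
    return any(v in raw for r in pseudo_records for v in r.values())


def export_subject_data(pseudo_records: List[Dict[str, str]], keystore: KeyStore, email: str) -> str:
    """Portability export: everything held on one subject, as machine-readable JSON."""
    token = keystore.derive(email)  # derive, not pseudonym: no new mapping is created
    mine = [r for r in pseudo_records if r["subject"] == token]
    return json.dumps({"subject": email, "records": mine}, indent=2, sort_keys=True)


if __name__ == "__main__":
    ks = KeyStore()
    pseudo = pseudonymise_records(SAMPLE_RECORDS, ks)
    print("raw identifiers left in data store:", contains_raw_identifier(pseudo, SAMPLE_RECORDS))
    print(export_subject_data(pseudo, ks, "alice@example.com"))
    print("mappings erased:", ks.erase("alice@example.com"))
    print("re-identify after erasure:", ks.reidentify(pseudo[0]["subject"]))
```

Two design points follow from the talk's "keep the keys separate" rule: `derive` uses a keyed hash rather than a plain one, because a plain hash of an email or an IPv4 address can be undone by hashing every candidate, and `erase` only touches the key store, so honouring an erasure request does not require rewriting the analytics data at all.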