On 25 May, the much talked about General Data Protection Regulation (GDPR), came into force. This new regulation has the primary objective of governing the gathering, using and sharing of personal data. The amount of data we create each day is growing at an exponential rate, and as the regulation says, “the processing of personal data should be designed to serve mankind”. In this blog, we’ll look at some of the key areas of the new law and some of its potential impacts.
Although the regulation becomes “enforceable” later this month, it was in fact adopted on 27 April 2016. This gave businesses and other entities that will be affected a “transition period” during which they have been able to prepare for the new requirements (drafting new terms and conditions etc). From this point onwards, those in breach of the provisions can face huge fines; either 20,000,000 EUR or 4% of worldwide annual turnover, whichever is largest.
The new regulation is a response to greater demands from Europeans for uniform data protection rights across the EU. The legal term “regulation” means that the GDPR is directly applicable in EU member states; it does not require governments to pass any new legislation.
The GDPR will apply to any “data controller” (see below) who are established within the European Union, regardless of whether the processing of the data takes place in the EU or not. Additionally, the regulation will be applicable to those companies who are based outside the Union but manage European data (such as Facebook and Google).
|Figure 2: In the lead up to May 25, you probably received notifications from your favourite social media sites asking for your consent.|
The GDPR infers certain key rights onto the “data subject”. Firstly, if there is a data breach, individuals must be notified within 72 hours of the breach being detected by the data processor or controller. Data subjects will also have the right to access information regarding the use of their personal data, as well as the data itself if requested.
The “right to erasure” will also be introduced, meaning that an individual can ask the data controller to delete the data they possess (subject to certain conditions). The final right we want to mention is the idea of “privacy by design”. This has been around for some time now but is becoming a legal requirement in the GDPR. Essentially, it calls for data protection to be included when technology systems are designed, rather than as an “add-on”.
Consent is one of the key areas that has been amplified and strengthened. No longer will companies be able to use page-long terms and conditions to obtain consent. Consent now required “a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data”. One of the key ideas of this is that individuals must be aware of what their data will be used for, and who will use it. Importantly, previous consent is no longer valid, which explains why you may have noticed “our data policy is changing…” messages from apps you use such as Facebook and Instagram.
Some key terms:
Below you will find some key terms and principles that you are likely to hear more often now that the GDPR is in play:
- Data Controller – the organization that collects data
- Data Processor – often a third party charged with collecting data on behalf of the controller
- Data Subject – the individual whose data is being used
- Profiling – profiling is the process of using personal data to evaluate certain personal aspects to analyze and predict behavior/performance/reliability etc
- Pseudonymization – the process of pseudonymization is an alternative to data anonymization. Whereas anonymization involves completely removing all identifiable information, pseudonymization aims to remove the link between a dataset and the identity of the individual. Examples of pseudonymization are encryption and tokenization.
Within LUCA we work with anonymized and aggregated data in all our services. We believe in the privacy of data and look forward to the improvements that the GDPR will bring to company-client relationships. To keep up to date with all things LUCA check out our website, and don’t forget to follow us on Twitter, LinkedIn and YouTube.