Brexit has caused a great deal of confusion over how the regulatory landscape will pan out, particularly regarding the EU General Data Protection Regulation (GDPR). But the general consensus is that organisations will still seek to comply with the legislation in order to oil the wheels of progress and trade. Similarly, although the EU GDPR was never going to be compulsory for some public sector bodies, the assumption was that the public sector would always embrace the legislation.
It is easy to see why. The EU GDPR is long overdue in terms of rationalising how personal data is protected and handled. It addresses long-standing data protection gaps, acknowledges the different demands placed on data management by Cloud Computing and Social Networking, enshrines principles such as the need to protect user privacy, and finally introduces some serious repercussions for those who fail to comply.
The GDPR was finalised in December 2015 and adopted by the Council of the EU and the European Parliament in April 2016, with enforcement of the legislation expected in May 2018. The aim was to have one law applicable across the 28 EU countries, and while the UK may no longer be part of the EU, trade agreements will likely see the EU GDPR become widely applied if not mandatory. The major changes are in:
· Scope: the regulation applies to all EU-based organisations and to any organisation, wherever based, that processes the personal data of EU citizens
· Reporting: reform of the Data Protection Authorities; mandatory breach notification to the supervisory authority (within 72 hours of becoming aware of a breach where feasible), which incident response procedures must integrate
· Design: privacy-by-design and privacy-by-default principles
· Risk: data protection impact assessment and risk assessment processes will be strengthened
· User emancipation: informed consent obligations; adoption of the “right to be forgotten” (named the “right to erasure”); enforcement of users’ right of access to the data collected about them
· Control: reinforcement of the Data Protection Officer role
· Punitive measures: new sanctions, with fines of up to 4% of global annual turnover or €20 million, whichever is greater
Taking the time to adapt to these changes now will ensure the organisation can become compliant in an organised and systematic manner, but much is still unknown, so for now the organisation should tackle the challenge in two stages. Immediate actions include completing an information audit and a data protection impact assessment to determine how the reforms will be actioned. Protective and detective measures should be identified and assured, and the organisation should use this information to assess and update its incident response procedures, in particular so that a breach can be recognised, contained and reported within the notification window.
Going forward, and once the dust has settled, the organisation can then consider the broader sweep of recommendations. These include appointing a Data Protection Officer, identifying the relevant supervisory authority or authorities, and running educational programmes to raise awareness and train personnel in the changes to how personal data is handled. It should also hopefully become clearer how the EU GDPR will fit in relation to the EU-US Privacy Shield controversy, as the danger is that we could find ourselves trying to please all of the people all of the time.
What both the US and EU regulations illustrate is that data protection regulation is both needed and constantly evolving. The EU GDPR is by no means a definitive, finite reform. It has not managed to fully integrate the Big Data revolution: issues such as behavioural analytics, predictive analytics, user/usage profiling and the extraction of psychosocial characteristics are not fully accommodated, especially once you include emerging technologies such as the Internet of Things, which is expected to further radicalise data analytics and data protection. The era of IoT and wearables will be heavily supported by Cloud Computing and user-generated content.
Future issues include:
· Conflicts of interest: controversies surrounding how the regulation relates to national legislation
· Extension: the need to address employee data protection in the future (is talent acquisition going to get even harder?)
· Open to interpretation: could differing interpretation and nationalisation of the EU legislation affect how the regulation is applied?
· Sovereignty: new rules on data portability and cross-border transfer are likely to follow, since this issue has not been adequately addressed
So perhaps we should all regard the EU GDPR not as a definitive set of regulations but as a starting point, and a very valid one, for our revision of data protection practices.
By James Henry, UK Southern Region Manager, Auriga