{"id":15335,"date":"2016-01-14T00:00:00","date_gmt":"2016-01-14T00:00:00","guid":{"rendered":"https:\/\/members.dataiq.global\/articles\/summary-eu-general-data-protection-regulation\/"},"modified":"2024-05-29T13:23:45","modified_gmt":"2024-05-29T12:23:45","slug":"summary-eu-general-data-protection-regulation","status":"publish","type":"article","link":"https:\/\/www.dataiq.global\/devstage\/articles\/summary-eu-general-data-protection-regulation\/","title":{"rendered":"A Summary of the EU General Data Protection Regulation"},"content":{"rendered":"<p><strong>In December 2015 the long process of agreeing a new set of legislation designed to reform the legal framework for ensuring the rights of EU residents to a private life was completed. This was ratified in early 2016 and becomes widely enforceable on the 25th May 2018. This blog is an introduction to this important new General Data Protection Regulation.<\/strong><!--break--><\/p>\n<p>The reforms consist of two instruments:<\/p>\n<p><strong>The General Data Protection Regulation (GDPR)<\/strong>, which is designed to enable individuals to better control their personal data. It is hoped that these modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by reducing regulation and benefiting from reinforced consumer trust.<\/p>\n<p><strong>The Data Protection Directive<\/strong>, which will ensure that, in the police and criminal justice sectors, the data of victims, witnesses and suspects of crimes is duly protected in the context of a criminal investigation or a law enforcement action. At the same time, more harmonised laws will also facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively across Europe.<\/p>\n<p>The GDPR was ratified mid-2016 and immediately became law. Member states now have a 2-year implementation period. 
Enforcement will commence by 25th May 2018 <strong>at the latest.<\/strong><\/p>\n<p>This document summarises the key components of the GDPR \u2013 it should be noted that this is only a simplified summary and that the full text (all 204 pages) contains much more detail.<\/p>\n<h2>Key Components<\/h2>\n<h3>Harmonisation across and beyond the EU<img decoding=\"async\" alt=\"\" src=\"https:\/\/www.dataiq.global\/wp-content\/uploads\/europeancourt238x132_1.jpg\" style=\"width: 238px; height: 132px; float: right; margin: 10px;\" title=\"\"><\/h3>\n<p>The regulation (rather than the current directive) is intended to establish one single set of rules across Europe, which EU policy makers believe will make it simpler and cheaper for organisations to do business across the Union.<\/p>\n<p>Organisations outside the EU are subject to the jurisdiction of the EU regulators just by collecting data concerning an EU resident. Such organisations will only have to deal with one single supervisory authority, producing an estimated saving of \u20ac2.3 billion per year (according to EU figures).<\/p>\n<h3>What is \u201cPersonal Data\u201d?<\/h3>\n<p>\u201cPersonal data\u201d is defined in both the Directive and the GDPR as any information relating to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.<\/p>\n<p>So in many cases online identifiers including IP addresses, cookies and so forth will now be regarded as personal data if they can be (or are capable of being) linked back to the data subject without undue effort.<\/p>\n<p>To be clear, there is no distinction between personal data about individuals in their private, public or work roles \u2013 the person is the person.<\/p>\n<h3>Controllers and Processors<\/h3>\n<p>The 
Regulation separates responsibilities and duties of data controllers and processors, obligating controllers to engage only those processors that provide \u201csufficient guarantees to implement appropriate technical and organisational measures\u201d to meet the Regulation\u2019s requirements and protect data subjects\u2019 rights.<\/p>\n<p>Controllers and processors are required to \u201cimplement appropriate technical and organisational measures\u201d taking into account \u201cthe state of the art and the costs of implementation\u201d and \u201cthe nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals.\u201d<\/p>\n<p>The regulation provides specific suggestions for what kinds of security actions might be considered \u201cappropriate to the risk,\u201d including:<\/p>\n<ul>\n<li>The pseudonymisation and\/or encryption of personal data.<\/li>\n<li>The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data.<\/li>\n<li>The ability to restore the availability of and access to data in a timely manner in the event of a physical or technical incident.<\/li>\n<li>A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.<\/li>\n<\/ul>\n<p>Controllers and processors that adhere to either an approved code of conduct or an approved certification may use these tools to demonstrate compliance.<\/p>\n<p>Controller-processor relationships must be documented and managed with contracts that mandate privacy obligations \u2013 ultimately controllers must assure themselves of their processors\u2019 privacy capabilities.<\/p>\n<h3>Fines and Enforcement<\/h3>\n<p>There will be a substantial increase in fines for organisations that do not comply with the new regulation.<\/p>\n<p><img decoding=\"async\" alt=\"\" 
src=\"https:\/\/www.dataiq.global\/wp-content\/uploads\/2015-04-15_Fines.jpg\" style=\"width: 350px; height: 240px; float: left; margin: 10px;\" title=\"\">Regulators will now have authority to issue penalties equal to the greater of \u20ac10 million or 2% of the entity&#8217;s global gross revenue for violations of record-keeping, security, breach notification, and privacy impact assessment obligations.<\/p>\n<p>However, violations of obligations related to the legal justification for processing (including consent\u2026), data subject rights, and cross-border data transfers may result in penalties of the greater of \u20ac20 million or 4% of the entity&#8217;s global gross revenue.<\/p>\n<p>It remains to be seen how the supervisory authority tasked with imposing these fines will work. The current ICO framework will probably need to change as funding mechanisms will be different (no notification fees) \u2013 fines may become a driving force.<\/p>\n<h3>Data Protection Officers<\/h3>\n<p>Data Protection Officers must be appointed for all public authorities, and where the core activities of the controller or the processor involve \u201cregular and systematic monitoring of data subjects on a large scale\u201d or where the entity conducts large-scale processing of \u201cspecial categories of personal data\u201d (such as that revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like). 
This is likely to apply to some of the larger scale Marketing Service Providers and Research Organisations \u2013 but needs further clarification.<\/p>\n<p>Although an early draft of the GDPR limited mandatory data protection officer appointment to organisations with more than 250 employees, the final version has no such restriction.<\/p>\n<p>The regulation requires that DPOs have \u201cexpert knowledge of data protection law and practices,\u201d the level of which \u201cshould be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.\u201d<\/p>\n<p>The data protection officer\u2019s tasks are also delineated in the regulation to include:<\/p>\n<ul>\n<li>Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws.<\/li>\n<li>Monitoring compliance, including managing internal data protection activities, training data processing staff, and conducting internal audits.<\/li>\n<li>Advising with regard to data protection impact assessments when required under Article 33.<\/li>\n<li>Working and cooperating with the controller\u2019s or processor\u2019s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data.<\/li>\n<li>Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.<\/li>\n<\/ul>\n<p>Data Protection Officers may insist upon company resources to fulfil their job functions and for their own ongoing training.<\/p>\n<p>They must have access to the company\u2019s data processing personnel and operations, significant independence in the performance of their roles, and a direct reporting line \u201cto the highest management level\u201d of the company.<\/p>\n<p>Data 
Protection Officers are expressly granted significant independence in their job functions and may perform other tasks and duties provided they do not create conflicts of interest.<\/p>\n<p>The regulation expressly prevents dismissal or penalty of the data protection officer for performance of her tasks and places no limitation on the length of this tenure.<\/p>\n<p>A company with multiple subsidiaries (a \u201cgroup of undertakings\u201d) may appoint a single data protection officer so long as they are \u201ceasily accessible from each establishment.\u201d<\/p>\n<p>The GDPR also allows the data protection officer functions to be performed by either an employee of the controller or processor or by a third party service provider.<\/p>\n<h3>Privacy Management<\/h3>\n<p>Organisations will have to think harder about privacy.<\/p>\n<p>The regulation mandates a \u201cRisk Based Approach\u201d: where appropriate, organisations&#8217; controls must be developed according to the degree of risk associated with the processing activities.<\/p>\n<p>Where appropriate, privacy impact assessments must be made \u2013 with the focus on protecting data subject rights.<\/p>\n<p>Data protection safeguards must be designed into products and services from the earliest stage of development \u2013 Privacy by Design.<\/p>\n<p>Privacy-friendly techniques such as pseudonymisation will be encouraged to reap the benefits of big data innovation while protecting privacy.<\/p>\n<p>There is an increased emphasis on record keeping for controllers \u2013 all designed to help demonstrate and meet compliance with the regulation and improve the capabilities of organisations to manage privacy and data effectively. 
There is an exclusion for small businesses (less than 250 staff) where data processing is not a significant risk.<\/p>\n<h3>Consent<img decoding=\"async\" alt=\"\" src=\"https:\/\/www.dataiq.global\/wp-content\/uploads\/2015-11-15-sign-up-form-register-data-collection1.jpg\" style=\"width: 300px; height: 199px; margin: 10px; float: right;\" title=\"\"><\/h3>\n<p>Consent is a basis for legal processing (along with legitimate interests, necessary execution of a contract and others). For marketers in particular there has been much debate about the type of consent that might be required under this new regulation.<\/p>\n<p>According to the Regulation consent means \u201cany <strong>freely given, specific, informed and unambiguous<\/strong> indication of his or her wishes by which the data subject, either <strong>by a statement or by a clear affirmative action, signifies agreement<\/strong> to personal data relating to them being processed;\u201d<\/p>\n<p>The purposes for which consent is gained do need to be \u201ccollected for <strong>specified, explicit and legitimate purposes<\/strong>\u201d<\/p>\n<p>In other words, it needs to be obvious to the data subject what their data is going to be used for at the point of data collection.<\/p>\n<p>Consent should be <strong>demonstrable<\/strong> \u2013 in other words, organisations need to be able to show clearly how consent was gained and when.<\/p>\n<p>Consent must be freely given \u2013 a controller cannot insist on data that\u2019s not required for the performance of a contract as a pre-requisite for that contract.<\/p>\n<p>Withdrawing consent should always be possible \u2013 and should be as easy as giving it.<\/p>\n<h3>Information Provided at Data Collection<\/h3>\n<p>The information that must be made available to a Data Subject when data is collected has been strongly defined and includes:<\/p>\n<ul>\n<li>the identity and the contact details of the controller and DPO;<\/li>\n<li>the purposes of the processing 
for which the personal data are intended;<\/li>\n<li>the legal basis of the processing;<\/li>\n<li>where applicable, the legitimate interests pursued by the controller or by a third party;<\/li>\n<li>where applicable, the recipients or categories of recipients of the personal data;<\/li>\n<li>where applicable, that the controller intends to transfer personal data internationally;<\/li>\n<li>the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period;<\/li>\n<li>the existence of the right to access, rectify or erase the personal data;<\/li>\n<li>the right to data portability;<\/li>\n<li>the right to withdraw consent at any time;<\/li>\n<li>and the right to lodge a complaint with a supervisory authority.<\/li>\n<\/ul>\n<p>Importantly, where the data has not been obtained directly from the data subject \u2013 perhaps using a 3<sup>rd<\/sup> party list \u2013 the list varies and includes:<\/p>\n<ul>\n<li>From which source the personal data originate.<\/li>\n<li>The existence of any profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.<\/li>\n<\/ul>\n<p>There are some exceptions \u2013 notably where the effort would be disproportionate (although this is unlikely to be a good justification in day-to-day circumstances) and, importantly, where the information has already been provided to the data subject.<\/p>\n<p>This is likely to cause many headaches for marketers using multiple sources of third party data \u2013 and for those building such data products.<\/p>\n<h3>Profiling<\/h3>\n<p>The regulation defines profiling as any automated processing of personal data to determine certain criteria about a person, \u201cin particular to analyse or predict aspects concerning that natural person&#8217;s performance at work, economic situation, health, personal preferences, interests, reliability, 
behaviour, location or movements\u201d.<\/p>\n<p>This will certainly impact some marketing processes and services \u2013 although the extent of this impact is yet to be understood \u2013 where does profiling finish and selection start? Full personalisation and other ad serving techniques, for example, rely on a degree of selection normally built on profiles of behaviour or purchase \u2013 is explicit consent for this now required? It looks this way.<\/p>\n<p>Individuals have the right not to be subject to the results of automated decision making, including profiling, which produces legal effects on them or otherwise significantly affects them. So, individuals can opt out of profiling.<\/p>\n<p>Automated decision making will be legal where individuals have <strong>explicitly<\/strong> consented to it, or if profiling is necessary under a contract between an organisation and an individual, or if profiling is authorised by EU or Member State law.<\/p>\n<h3>Legitimate Interests &#038; Direct Marketing<\/h3>\n<p>The regulation specifically recognises that the processing of data for \u201cdirect marketing purposes\u201d can be considered as a legitimate interest.<\/p>\n<p>Legitimate interest is one of the grounds, like consent, that an organisation can use in order to process data and satisfy the principle that data has been fairly and lawfully processed.<\/p>\n<p>The Regulation says that processing is lawful if \u201cprocessing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.\u201d<\/p>\n<p>It\u2019s worthy of note that \u201cDirect Marketing\u201d has not been defined \u2013 so consideration should be given to the precise nature of the marketing activity proposed to be covered by this ground for 
processing.<\/p>\n<p>It may, for example, mean that a simple mailing of similar goods and services to existing customers and prospects is completely legitimate without direct consent \u2013 but it certainly doesn\u2019t include \u201cProfiling\u201d for marketing purposes, which does require consent.<\/p>\n<h3><img decoding=\"async\" alt=\"\" src=\"https:\/\/www.dataiq.global\/wp-content\/uploads\/2015-03-05_data_breach.jpg\" style=\"width: 300px; height: 233px; float: left; margin: 10px;\" title=\"\">Breach &#038; Notification<\/h3>\n<p>According to the regulation a \u201cpersonal data breach\u201d is \u201ca breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed\u201d.<\/p>\n<p>It\u2019s important to note that the wilful destruction or alteration of data is as much a breach as theft.<\/p>\n<p>In the event of a personal data breach, data controllers must notify the appropriate supervisory authority \u201cwithout undue delay and, where feasible, not later than 72 hours after having become aware of it.\u201d If notification is not made within 72 hours, the controller must provide a \u201creasoned justification\u201d for the delay.<\/p>\n<p>Notice is not required if \u201cthe personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.\u201d How this translates into real-world action is not clear \u2013 something the legal profession will debate I\u2019m sure.<\/p>\n<p>Importantly, when a data processor experiences a personal data breach, it must notify the controller but otherwise has no other notification or reporting obligation.<\/p>\n<p>Should the controller determine that the personal data breach \u201cis likely to result in a high risk to the rights and freedoms of individuals,\u201d it must also communicate information regarding the personal data breach to the affected data subjects. 
Under Article 32, this must be done \u201cwithout undue delay\u201d \u2013 again, we will have to wait to see how this applies to real-world situations.<\/p>\n<p>The GDPR provides exceptions to this additional requirement to notify data subjects in the following circumstances:<\/p>\n<ol>\n<li>The controller has \u201cimplemented appropriate technical and organisational protection measures\u201d that \u201crender the data unintelligible to any person who is not authorised to access it, such as encryption\u201d.<\/li>\n<li>The controller takes actions subsequent to the personal data breach to \u201censure that the high risk for the rights and freedoms of data subjects\u201d is unlikely to materialise.<\/li>\n<li>When notification to each data subject would \u201cinvolve disproportionate effort,\u201d in which case alternative communication measures may be used.<\/li>\n<\/ol>\n<h3>Data Subject Access Requests<\/h3>\n<p>Individuals will have more information on how their data is processed, and this information should be available in a clear and understandable way.<\/p>\n<p>Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access.<\/p>\n<p>DSARs must be executed \u201cwithout undue delay and at the latest within one month of receipt of the request.\u201d<\/p>\n<p>Subject access requests must also give all the information relating to purposes that should have been provided upon collection.<\/p>\n<h3>The Right to Data Portability<\/h3>\n<p>Clearly focussed on helping drive competition between service providers, this part of the regulation seeks to drive automated transfers of data (using a common format yet to be defined) between services which primarily process customers automatically \u2013 so for example these could include utilities, banks, telecoms and ISPs.<\/p>\n<h3>Retention &#038; The Right to be Forgotten<\/h3>\n<p>As has already been noted, controllers must inform subjects at collection of the period 
of time (or the reasons why) data will be retained.<\/p>\n<p>Should the data subject subsequently wish to have their data removed, and the data is no longer required for the reasons for which it was collected, then it must be erased.<\/p>\n<p>Note that there is a \u201cdownstream\u201d responsibility for controllers to take \u201creasonable steps\u201d to notify processors and other downstream data recipients of such requests.<\/p>\n<p>This area of the regulation is likely to need further clarification \u2013 for example it doesn\u2019t seem to allow for the retention of suppression or do-not-contact lists.<\/p>\n<p><strong>A brief introduction to the E-Privacy Regulation and why GDPR needs this.<\/strong><\/p>\n<p>Known confusingly by many names including ePrivacy, ePrivacy2, PECR2 and ePR, this regulation will replace the existing EU Directive and is designed to harmonise and enhance the GDPR. Like the GDPR it has global reach and similarly significant penalties for non-compliance. In the UK this regulation will replace the existing PECR laws.<\/p>\n<p>This legislation is designed to regulate the use of personal information across all <strong>electronic communications<\/strong> including telephony.<\/p>\n<p>At the time of writing this legislation is still in draft, with the latest version issued on the 9th September 2017. This version still proposes the law going live simultaneously with GDPR becoming enforceable on the 25th May 2018 &#8211; with adoption expected by August 2018. It is likely that the regulation may be delayed by a few months.<\/p>\n<p>This regulation is particularly important for digital marketing activity as it overrides the GDPR&#8217;s allowance for legitimate interests and enforces consent on all digital communications for marketing purposes. 
There will still be an allowance for the so-called &#8220;soft opt-in&#8221;, where customers can be communicated to about similar goods and services with an opt-out only, but it should be noted that the wording here has been tightened, restricting the use to customers only.<\/p>\n<p>Cookies and similar tracking technologies, when used for non-essential processes (like profiling and advertising), will require prior consent. Browser and interface manufacturers are set to bear the burden of responsibility here by providing new mechanisms to allow individuals to manage their consent more easily. These mechanisms are yet to be defined. This is set to revolutionise (and potentially harm) the ad-tech industry, which relies on such techniques (third party cookie syncing, the use of device IDs etc) for increasing ad relevance.<\/p>\n<p>This regulation should lead to much more open dialogue between advertisers and data subjects &#8211; with advertisers needing to make much clearer the &#8220;value exchange&#8221;.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In December 2015 the long process of agreeing a new set of legislation designed to reform the legal framework for ensuring the rights of EU residents to a private life was completed. 
This was ratified in early 2016 and becomes widely enfor&#8230;<\/p>\n","protected":false},"author":1,"featured_media":15336,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","_searchwp_excluded":"","footnotes":""},"categories":[129,398],"tags":[171,179],"pillar":[],"class_list":["post-15335","article","type-article","status-publish","format-standard","has-post-thumbnail","hentry","category-editorial","category-public","tag-data-governance","tag-data-regulation"],"acf":[],"publishpress_future_action":{"enabled":false,"date":"2026-06-16 21:15:55","action":"change-status","newStatus":"draft","terms":[],"taxonomy":"category","extraData":[]},"publishpress_future_workflow_manual_trigger":{"enabledWorkflows":[]},"_links":{"self":[{"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/article\/15335","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/article"}],"about":[{"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/types\/article"}],"author":[{"embeddable":true,"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/comments?post=15335"}],"version-history":[{"count":0,"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/article\/15335\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/media\/15336"}],"wp:attachment":[{"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/media?parent=15335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/categories?post=15335"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/tags?post=15335"},{"taxonomy":"pillar","embeddable":true,"href"
:"https:\/\/www.dataiq.global\/devstage\/wp-json\/wp\/v2\/pillar?post=15335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}