The General Data Protection Regulation, Part 2

In part 1 of this article, we warned about the looming deadline of 25 May 2018, the date from which the GDPR becomes enforceable. Part 1 dealt with the scope of the GDPR. It also discussed how the GDPR introduces one single set of rules that applies throughout the EU, what the lawful bases for processing personal data are, and the responsibility and accountability of the parties involved.

In part 2 of this article, we will first have a closer look at the most important ‘Digital Rights’ of the data subject that the GDPR confirms or introduces: the Right of Access (art. 15), the Right to Rectification (art. 16), the Right to Erasure (art. 17), and the Right to Data Portability (art. 20).

Right of access by the data subject (Article 15): As the name says, the Right of Access is a data subject right. It gives individuals in the EU the right to obtain access to their personal data and to information about how those personal data are being processed. Upon request by the data subject, a Data Controller must provide an overview of the categories of data that are being processed (Article 15 (1) (b)), as well as a copy of the actual data undergoing processing (Article 15 (3)). The Data Controller must also inform the data subject about the details of the processing, such as: the purposes of the processing (Article 15 (1) (a)), the recipients with whom the data are shared (Article 15 (1) (c)), the envisaged retention period (Article 15 (1) (d)), and, where the data were not collected from the data subject, any available information about their source (Article 15 (1) (g)). The controller must respond without undue delay and in any event within one month of the request, extendable by two further months for complex or numerous requests (Article 12 (3)).

Right to rectification (Article 16) and the Right to Erasure (Article 17): As was the case under the old Data Protection Directive, data subjects also have the right to obtain from the Data Controller the correction of inaccurate data, and the completion of incomplete data, without undue delay (Article 16). In a famous case (Google Spain, C-131/12), the EU Court of Justice ruled in 2014 that EU inhabitants also had a right to be forgotten. In the GDPR, this right is codified as the right to erasure (Article 17 is titled ‘Right to erasure (“right to be forgotten”)’), which is narrower than the name suggests: it applies only on specific grounds and is subject to exceptions. Article 17 (1) gives the data subject the right to request erasure of personal data concerning them where, among other grounds, the data are no longer necessary for the purposes for which they were collected (a), the data subject withdraws the consent on which the processing was based and there is no other legal ground (b), the data subject objects under Article 21 and there are no overriding legitimate grounds for the processing (c), or the data have been unlawfully processed (d). The right does not apply where the processing is necessary, e.g., for exercising the right of freedom of expression, for compliance with a legal obligation, or for the establishment, exercise or defence of legal claims (Article 17 (3)).

Right to Data Portability (Article 20): The British Information Commissioner’s Office (ICO) summarizes the right to data portability as follows: [it] “allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.” The right only applies to processing that is based on consent or on a contract and that is carried out by automated means (Article 20 (1) (a) and (b)). According to the guidance of the Article 29 Working Party, it covers both data that has been ‘provided’ by the data subject and data that has been ‘observed’ by the controller, such as information about the data subject’s behaviour, but not data that the controller has itself derived or inferred from it. The Data Controller must comply with the data subject’s request and must provide the data in a structured, commonly used and machine-readable format (Article 20 (1)); where technically feasible, the data subject can also require that the data be transmitted directly to another controller (Article 20 (2)).

The GDPR contains far more rules, e.g., on the notification of data breaches to the supervisory authority and to the data subjects (art. 33-34), on the Data Protection Officer (art. 37-39), on administrative fines and penalties (art. 83-84), and on security measures such as pseudonymisation and encryption (art. 32), but those are beyond the scope of this article.


The General Data Protection Regulation, Part 1

Are you aware of the important deadline of 25 May 2018 that is looming? “What deadline is that?”, you may ask. It is the deadline to comply with the EU General Data Protection Regulation (GDPR). (The official name is ‘REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC’). It was published in the Official Journal on 4 May 2016, entered into force twenty days later, on 24 May 2016, and provided a two-year transition period to comply with its requirements. It therefore becomes enforceable on 25 May 2018. And that is important because non-compliance with the GDPR can lead to severe penalties of up to 4% of the total worldwide annual turnover of the preceding financial year, or 20 million EUR, whichever is higher (Article 83 (5))! In this two-part article, we’ll have a closer look at the GDPR.

So, what is the GDPR? As the name says, it is an EU regulation, which means it is directly applicable in every member state and does not need to be transposed into national legislation (although it does leave the member states room to legislate on a number of specific points). Its primary purpose is to protect the personal data of private citizens and residents, and to give them more control over those personal data. It also aims to simplify and unify the regulatory environment for national and international businesses by creating one set of rules that applies throughout the EU. (To that end, each member state of the EU must designate one or more independent supervisory authorities to hear and investigate complaints, sanction infringements, etc.; these supervisory authorities cooperate with each other and can conduct joint operations). The GDPR replaces the 1995 Data Protection Directive (95/46/EC), which was conceived before the Internet era and was hopelessly outdated and ill-suited to deal with the changes the Internet has brought.

The GDPR has far-reaching effects and is already having an impact on the legal market. To comply with the new rules, a lot of the existing software that companies use has to be modified. This is obviously the case for CRM software, but it also affects, e.g., eDiscovery software, document management software, etc. The GDPR has also given rise to entire new ranges of services and products, which, given the scope and scale of the GDPR, makes sense. There are apps to test one’s knowledge of the GDPR and one’s compliance or readiness. There are intelligent checklists and other AI solutions that can review the data you are keeping, and there already are AI solutions that can review your contracts. There are online reviews and tests as well, including quite detailed online interviews, to check whether you are complying with the GDPR.

The GDPR also provides new opportunities for lawyers. Some law firms are already assisting their clients by checking whether they are GDPR compliant and by making recommendations if they are not.

So, with the deadline only months away, how well prepared are we for the GDPR? Not very well, it seems. Research by the UK Government revealed that in January 2018, only four months before the GDPR becomes enforceable, fewer than half of businesses in the UK were aware of the upcoming data protection laws, or of what the new legislation means for how information security is handled. In other words, the majority of UK businesses are not yet compliant. The situation is worst in the construction and manufacturing sectors, where only one in four businesses is aware of the GDPR. The finance and insurance sectors are said to have the highest awareness of the legislation.

And what about law firms? Research published three months ago revealed that at the time, three quarters of law firms were still unprepared for the GDPR, potentially opening them up to large penalties.

Let us now have a closer look at the GDPR itself and start with the scope. Question 1: what does it deal with? The regulation applies to ‘personal data’, which Article 4 (1) defines as any information relating to an identified or identifiable natural person. The European Commission explains this as ‘any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.’

Question 2: Who does it apply to? Under Article 3, the regulation applies where a data controller (an organization that determines why and how personal data are processed) or a data processor (an organization that processes data on behalf of a controller, e.g. a cloud service provider) is established in the EU, regardless of where the processing itself takes place. It also applies to controllers and processors established outside the EU if they process personal data of data subjects who are in the EU in connection with offering them goods or services, or with monitoring their behaviour. In other words, the regulation explicitly reaches organizations based outside the European Union. It does not apply to processing for purposes falling outside the scope of EU law, such as national security, nor to processing by competent authorities for law enforcement purposes, which is governed by a separate directive (Article 2 (2)).

Personal data may only be processed if at least one of the lawful bases listed in Article 6 (1) applies. The lawful bases for processing data are:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes. Consent must be freely given, specific, informed and unambiguous (Article 4 (11)), must relate to the specific purposes for which the data are used, and must be as easy to withdraw as it was to give (Article 7 (3)); for special categories of data, such as health data, explicit consent is required (Article 9).
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • processing is necessary for compliance with a legal obligation to which the controller is subject.
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Controllers and processors must keep records of their processing activities (Article 30). These records must include, among other things, the purposes of the processing, the categories of data subjects and of personal data involved, the categories of recipients, and the envisaged time limits for erasure, and they must be made available to the supervisory authority upon request. (Organisations with fewer than 250 employees are exempt, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data, Article 30 (5).)

The regulation also requires ‘data protection by design and by default’ (Article 25). This means that business processes for products and services must be designed from the outset to take the protection of personal data into account, and that the default settings must ensure that only the personal data necessary for each specific purpose are processed, in terms of the amount of data collected, the extent of the processing, the storage period and accessibility (Article 25 (2)). (The regulation also names measures such as pseudonymisation and encryption as appropriate technical safeguards (Articles 25 (1) and 32), but these are beyond the scope of this article).

To be continued: in part two of the article, we’ll have a closer look at the digital rights EU residents are granted under the GDPR.