The EU's new data protection regulation: your obligations at-a-glance

Chris Hamblin

8 November 2016

The panel looked at the task that firms are facing of learning how to comply with the GDPR, the General Data Protection Regulation by which the European Union intends to strengthen and standardise protection for data that relates to the citizens of its countries and to regulate the export of personal data from EU countries to other countries. This international edict, which automatically appears on the statute book in each subject country of the EU, is timed to take effect on 25 May 2018. A new directive, not discussed here, waives people's data protection for police forces. The GDPR was the most requested topic at the MetricStream conference.

On the panel were Bojana Bellamy and Steve Durbin, both heads of information think-tanks; Renzo Marchini, a partner at the City law firm of Fieldfisher; Anthony Lee, a partner at DMH Stallard, the hundredth-largest law firm based in the UK; and the moderator Kabir Barday, the CEO of OneTrust, an American privacy management software firm. It is rare to find a more eminent group of experts on the subject.

New rules and old

The regulation gives EU countries discretion in some areas of data protection, such as data about children and employees, but it promises a far greater standardisation of rules than heretofore. It contains many rules from the existing directive and adds more, notably the principle of 'accountability' (which obliges firms not only to comply but also to be seen to comply) and that of 'transparency' (the idea that firms must keep the key people informed about the purpose for which their data is being collected, what is being done with it, where it is being stored and the basis upon which that happens). Not only will data controllers have statutory responsibilities as they do now, but data processors will as well.

The regulation is going to tighten up the rules that govern the consent that firms have to obtain from people when processing their data. As Anthony Lee put it: "The consent, in summary, must be informed and freely given. Having a pre-tick box to say 'I consent' buried in a set of Ts and Cs on a privacy policy is a complete no-go."

The area of breach notification is the most talked-about part of the regulation among financial firms. If there is a security breach or some other breach of the regulation, the bank or asset management firm will have 72 hours to tell the government unless it can convince itself that the individuals in question will not be harmed. It will also have to inform those people about the problem straight away so that they can take appropriate measures, perhaps changing passwords.

Broadly speaking, then, security and data exporting requirements will remain substantially the same. There will, however, be a profusion of new obligations to do with consent and breach notification.

Key GDPR changes at-a-glance

Bojana Bellamy produced a graphic table that summarised the main changes that the new regulation will bring in. It listed them as follows.

Harmonisation and progressive aspects

harmonised rules, but not fully (e.g. employee data, children data)
one-stop shop: lead data protection authority for pan-European matters, in co-operation with others; local data protection authority for local matters and redress for individuals
risk-based approach
some reduction of administrative burden (no national registration of processing, or prior authorisation)
BCR (binding corporate rules, to be used for lawful cross-border data transfers within the same group of companies), seals and certifications
greater co-operation and consistency.

Broader scope

obligations for both controller and processor
extraterritorial application to foreign controller and processor
wider definition of personal data and sensitive data; anonymous data and pseudonymisation
processing of data about children under 16 to require parental consent

Increase in obligations

data protection principles tightened (consent, transparency/notices)
profiling rules
privacy impact assessment
privacy by design
breach notification - to data protection authorities and individuals
direct obligations and liability for processor
accountability - privacy programme
internal record of processing
data protection officer

Stronger rights for individuals

right to erasure of data
data portability
right not to be subject to automated profiling/right to object

Increase in enforcement, fines and liability

regulatory fines up to 4% of annual worldwide turnover
individual action
class action
criminal sanctions (in national laws)
larger role for Europea Data Protection Board (EDPB)

Bojana Bellamy said that she had asked people what sort of things they had in place at present for breach notification, and 60-75% told her that they had policies and procedures that detected breaches. Only a third or a quarter had cyber insurance, paid forensic experts and did dry runs and table-top exercises, putting their companies through simulated security breaches.