Since January 2012, a spectre has been haunting Europe; the spectre of the European Commission’s Data Protection Regulation.
Now that the legislative finishing post is in sight and the timetable for the final set of discussions is set (see references), what can data controllers and data processors do to prepare? As I am speaking on this subject at the forthcoming Data Protection Forum/NADPO meeting in London (on Friday), I thought it would be useful if I wrote the main points up.
The quick answer to the question posed in the blog’s headline is “not much”. This is because there is still a lot of fine detail to be agreed by the European Parliament, Council of Ministers and Commission. This means there is no need to panic or rush into immediate changes in procedure. However, having said that, the direction of travel can clearly be identified and it is this direction that allows some limited preparatory work to be done.
First, someone in your organisation should follow the views of the various parties to the negotiations about the Data Protection Regulation; there are many blogs and news sources that report on how this Regulation is being finalised. Leaked papers usually appear via the invaluable Statewatch website.
In particular, watch out for changes to the terms used in the UK Act (e.g. “personal data”, “sensitive personal data”, “consent” and “filing system”) as these could broaden the scope of data protection compliance considerably from that of the current data protection regime.
For example, in the UK, I expect the difference between Relevant Filing Systems, Accessible Records and category (e) personal data to be replaced by a simple question: is a set of manual files structured or unstructured? If it is the latter, a filing system containing personal information will be fully subject to the Data Protection law (unlike a filing system that does not possess the structure of a Relevant Filing System).
A review of the manual filing systems some organisations have will not go amiss; perhaps included with work undertaken when updating any Information Asset Register.
Transparency and consent become more important
Article 8 of the Treaty of Lisbon, signed by all EU Member States in 2007, states that “Everyone has the right to the protection of personal data concerning him or her” and that “Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law”.
In other words, the concepts of “fairness” and “consent” that are familiar in the existing UK data protection arrangements (e.g. in fair processing notices and website privacy policies), because of this Treaty, become components of a data subject right. This is an important change: it is the data subject’s right, subject to any exemption, to have transparency whenever his or her personal data are processed.
In other words, a review of whether data subjects currently receive complete information about the processing of their personal data, prior to the commencement of any processing, would be a useful exercise. If the processing of personal data is justified in terms of the data subject’s consent, anticipation of the withdrawal of consent by a data subject should be included in any review, as unconditional withdrawal of consent is to be part of the Regulation’s consent requirements.
There is a major disagreement which impacts on “consensual” processing of personal data. The European Parliament wants any data subject consent to be “explicit” and consent to be invalid if there is a significant imbalance of power between data subject and data controller (e.g. employee consent given to an employer for the processing of personal data would be invalid). The Council of Ministers, by contrast, merely wants consent to be “unambiguous” (i.e. no change to the current consent arrangements).
Marketing with consent
All marketing using personal data has to have data subject consent; does this mean the death of the “opt-out” much beloved of marketing folk? The answer to this question may depend on the resolution of the “unambiguous” or “explicit” consent divergence as identified in the previous paragraph.
However, it is certain that the European Parliament wants more protection for data subjects from intrusive marketing techniques (e.g. profiling); the Council of Ministers in the current economic climate wants more businesses to flourish and be able to perform marketing.
Irrespective of how the above is resolved, a review of the current status of data protection in the context of consensual marketing to meet current UK data protection standards might not go amiss. At the very least, any marketing “opt-out” given to a data subject has to be very prominent; it should specify the mode of marketing (e.g. post, email, and telephone), be more detailed in the items of personal data that are used for marketing, and identify other third party controllers who are using the data for a marketing purpose.
Security, data processors and data loss
The provisions in the Regulation concerning the security of personal data are examples of where actions under the current data protection regime become formalised and explicit obligations. For instance, under the Regulation, it looks like a significant loss of unencrypted personal data, for whatever reason, will have to be notified to the relevant data protection authority within 72 hrs.
This notification includes the nature of the personal data lost, categories and number of data subjects concerned, the categories and number of data records concerned, possible adverse effects of the personal data breach and the measures proposed or taken by the controller to address the personal data breach. Processors are required by the Regulation to notify their data controller immediately a data loss has been confirmed.
Under the current UK Act, the Information Commissioner has issued guidance on data loss procedures. This guidance is close to the standard of the Regulation except, under the Regulation, any failure to notify a data loss becomes an unlawful activity (rather than a mere failure to follow guidance). So a useful step in anticipation of the Regulation would be to align current data loss procedures with the Commissioner’s guidance.
Under the current data protection arrangements, data controllers have to have a contract with data processors that contains certain details of a security guarantee that needs to be extracted from a data processor. This contract should cover matters such as how that guarantee is to be maintained, reported and audited. Under the Regulation, however, such items that are hitherto contractual become explicit obligations placed on a data processor and controller; there again it is a breach of the Regulation (rather than a breach of contract) not to have relevant details or obligations expressly set out.
One new area will surprise UK based data controllers; the Regulation permits Member States to enact legislation that requires a data processor to disclose personal data to the authorities without the knowledge of the data controller. Controllers in the UK are well advised to consider how this change could impact on their business or any confidentiality claims they make to their data subjects.
For UK data controllers, there will be a major change with respect to the transfer of personal data outside the European Economic Area (EEA); this change needs some thought.
Under the 1998 Act, a data controller established in the UK can assess the adequacy of protection in the territory outside the EEA; this option will no longer be available except on a case-by-case or exceptional basis. The options for compliance with the transfer provisions under the Regulation can be summarised as:
a) Ensure the transfer qualifies for an exemption from the need to assess adequacy; the problem here is that this exemption only applies on a case-by-case basis (e.g. obtaining the consent of the data subject for each specific transfer).
b) Implement Binding Corporate Rules (BCRs) to cover the transfer or seek approval or authorisation from the Information Commissioner for the transfer; the problem here is that establishing BCRs under the current data protection regime is time consuming and that the UK’s Commissioner does not, in practice, approve or authorise transfers.
c) Use the European Commission’s assessment of the country; the problem is that the number of approved countries is less than twenty and excludes the USA in many circumstances (only 10% of countries have been assessed!).
d) Use the European Commission’s standard contract conditions for transfers; the problem is that one cannot amend these contracts and they have to be incorporated without change.
Suppose you are about to sign a five-year deal for a Cloud Service with a data processor based in the USA; how do you “future proof” the contract so that any new obligation under the Regulation does not need the contractual position to be re-negotiated? Well, I think option (d) needs careful consideration; it may not be the “best” option, but I suspect it is the “least bad” option.
Codes of conduct
Codes of practice (or “codes of conduct” to use the correct Regulation-speak) become more important. As the Regulation standardises data protection, then if one data protection authority produces a code of practice it can be more or less adopted in other countries.
In the UK there are Codes of Practice in areas such as marketing, CCTV, Human Resources, Direct Marketing, Subject Access, Privacy Impact Assessments, Personal information online and Data Sharing. A useful first step in meeting the requirements of the Regulation would be to first align current data protection procedures with the content of these Codes of Practice.
Fines and penalties
The Regulation identifies fines that can be levied if there is an intentional or negligent breach on the part of a data controller or data processor; the level of fines is high (between 2% and 5% of turnover) and this has attracted much media attention. In other words, the risk profile of any data protection breach to large data controllers will definitely increase.
However, for many data controllers, I expect the penalties to remain more or less the same. For instance, the UK has a maximum monetary penalty fine of £500,000; if this sum represents 2% of turnover, then the total turnover has to exceed £25 million before the risk of an increased fine arises (for 5% the turnover is £10 million before the maximum penalty increases). For a public sector body data controller the maximum fine is expected to be about two thirds bigger (£800,000).
Documentation and notification
Registration (or notification) with a data protection authority is being abolished in favour of stronger and more immediate powers for the authority to find out what is going on. To assist this objective, the data controller and any data processor will be obliged to maintain comprehensive records of compliance available for inspection.
Many of these details can easily be collected as part of current business practices whenever a new processing project is initiated, when there is an audit of the existing processing of personal data, or when compiling Information Asset Registers. The details to be collected include contact details of responsible staff within the controller, any data processor, and the data protection officer (if appointed) as well as details of the processing (e.g. purposes of the processing, description of the types of data subjects; details of the personal data processed, sources and recipients of the personal data, transfers of personal data etc).
A complete list of items that need documenting can be found in the drafts of the Regulation text that are publicly available; the European Parliament, European Commission and Council of Ministers have more or less agreed on the contents of this list.
Conclusion: a three-step action plan.
So what can be done to prepare for the Regulation? I think the following is reasonable, practical and doable:
1. The Regulation requires more compliance work for data controllers; ensure therefore that compliance with the current UK Data Protection regime is in place (this article contains several suggestions).
2. Identify someone to be responsible for monitoring the forthcoming tri-partite negotiations between Commission, Parliament and Ministers and to identify the changes that would impact on your organisation’s services.
3. Consider the options for change but only implement actual change to procedure when a final Regulation text emerges in early 2016.
Timetable for trilog discussions (optimistic in my view; as far as I can see, the Council of Ministers still does not agree): https://www.eppgroup.eu/fr/news/Data-protection-reform-timetable
Statewatch website for Regulation leaks: https://www.statewatch.org/news/2015/may/eu-dp-reg-may-2015.htm