The General Data Protection Regulation is the sort of document that one needs to read more than once to get a really good feel for it. The Regulation comprises 91 Articles; each Article in the main containing several clauses. In general, I like the document – it’s well-structured and pretty easy to read. It’s actually a lot easier to follow than the Data Protection Act and having read through the text a couple of times the juggernaut hammering towards us is plain to see!
I don’t want to be alarmist but I exaggerate not.
There are some massive changes contained in the Regulation. Some of the material is familiar – such as the concept of “data subject, data controller, data processor etc.”; some is similar to the Data Protection Act – such as Data Protection Principles; and some is brand new like many of the statutory obligations on data controllers and data processors, new powers for the ICO or its replacement authority, and new rights conferred on data subjects. Even the familiar stuff contains new twists: there are only six data protection principles for instance rather than the familiar eight. But the first principle adds the words “and in a transparent manner” to the familiar fairly and lawfully. The sixth principle is brand new, Personal data must be: “processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation”. Wow!?
I’ve heard people rejoicing the demise of the requirement to Register with the Information Commissioner – but Article 14 sets out the bones of a replacement mechanism for providing similar information to data subjects. Article 14(c) requires data controllers to provide data subjects with an indication of the period for which the personal data will be stored. This strikes me as putting pressure on database vendors to enhance the metadata around records to enable a robust retention policy to be implemented. And just in case you might think that retention policies might be a minor point to the regulator – the stratified sanctions in Article 79 detail a fine of up to Euro 500,000 or 1% of annual worldwide turnover for intentional or negligent failure to comply with a bunch of Articles including Article 14! And these are the middle-ranking fines. Given the regulator’s new powers to enter premises and access equipment (Article 53 (2)) – there is a very strong case emerging for getting properly organised for the Regulation pronto!
Perhaps the biggest change contained in the GDPR which will come as no surprise to those who have followed its progress through the legislative process is the onus being placed squarely on data controllers and data processors to be able to demonstrate how they are complying with the Regulation. In several clauses, the GDPR refers to “documentation”, “audit and compliance controls”, “reasoned justification”, “evaluation of the risks”, “description of mechanisms” etc. and several articles set out the need to have a well-organised business operation in respect of data protection and privacy. I have been working in the data protection field for over a decade and I have not yet seen anything that comes close to what will need to be implemented and operational within the two-year lead-in period – i.e. by 2018.
There are provisions that attempt to spare micro, small and medium-sized organisations from some of the necessary internal bureaucracy but, if you are in a pubic authority, or an enterprise employing more than 250 people, or an enterprise employing fewer than 250 people who are only processing personal data as an ancillary business activity – you need to start reading up on the Regulation.
The GDPR will bring many benefits but it will take a few painful years I fear. It will create a far more certain environment in which to be processing data. It will bring data processing operations under the same types of management and process control as other business processes and it will actually make our lives a lot easier. But the transition could be hard work and tricky.
Data Protection People will be running a regular Blog to encourage discussion, consideration, and understanding about the changes but please contact us if you have any questions.