GDPR’s Global Effect: Why It Applies to You
The internet is currently overflowing with information about GDPR. Everyone is trying to make it easier to process because essentially the law will affect almost all businesses operating in and out of the European Union. As a global organisation, we are already gearing-up to account for GDPR ourselves. We have offices all around the world and customers from various different continents, but if you are an organisation solely based in the United States, this doesn’t mean GDPR doesn’t apply to you too.
To be clear, the Information Commissioner’s Office and Article 29 (the cross-border working group), have and will continue to issue notes which will help define the full regulations over the next 11 months. You should look to these and your own legal counsel to ensure you are aware of all of the implications of GDPR. Here are some notes from our review of the information currently available:
The basics of a complex regulation
GDPR stands for the General Data Protection Regulation and will ensure organisations better protect the personal data that they hold on individuals. The new regulation goes further than the current UK Data Protection Law, calling for better process and actions from both data processors and data controllers and amongst other things, GDPR clearly states that citizens have a ‘right to be forgotten’. GDPR will be implemented on 25 May 2018, regardless of Brexit and will supersede all local data regulations
Consent
If it’s not daily, then at least weekly, we all tick boxes to agree to some kind of ‘privacy policy’, to download software, sign up for a newsletter or download a document. This type of consent can soon be easily revoked. With GDPR, consent needs to be explicit and not implied. So a pre-ticked box would not be enough.
Principles of the GDPR are that data needs to be processed lawfully, fairly and in a transparent manner. You already need a good reason to process data, but from May 2018 you will need to be able to prove your rationale. Data should be collected for specified, explicit and legitimate purposes. If you have a legal obligation of using data, this could save you the effort of having to obtain or demonstrate specific, informed and freely-given consent before you can have or start using data.
If you made the mistake of asking for consent, instead of using legitimate reasons for data processing, this could put you in a difficult position. If an individual were to revoke their consent, you would either be in a breach of privacy law or the legal obligation.
Who does GDPR apply to?
The new regulations apply to both data controllers and data processors. As a processor, GDPR places legal obligations on you, for example, you will be required to maintain records of personal data and processing activities, not just store data. Unlike the current UK Data Protection Act stipulates, as a controller you are also required to abide by the new law. Controllers must ensure they comply with contracts they have in place with processors.
GDPR is the biggest change in Data Protection Laws in over 20 years. We spoke to Joe Hancock, for his views on GDPR. Joe is the Cyber Security Lead at Miscon de Reya and has a wide range of expertise in cyber risk and security, data protection and resilience, with first-hand experience of some of the UK’s largest cyber incidents.
“The long reach of GDPR to all of those who provide services to European citizens brings an unprecedented amount of organisations into its scope. The broad principles approach to privacy taken by the EU clashes with more sectoral regulations and will have a global impact.”
Global Impact
If your company is based outside the EU, but you process information of European citizens, you will have to make sure you are GDPR compliant. Recently the data protection law has been repealed in the United States, but this does not mean the United States is off the hook. As a global company, with headquarters in the United States, we still process data from customers in the EU and other countries.
“It is likely that many other countries will implement similar regulations, putting them on a par with the EU and also increasing the need for organisations to protect privacy. Many countries also now realise the economic value of data, and will want to control it within their borders.” Joe Hancock, Cyber Security Lead at Miscon de Reya
Why we are looking forward to it
Often regulations of this scope are seen as infringes on business processes or unnecessary bureaucracy, but essentially the regulations raise the bar of protection over individual data rights, which overall should be seen as a positive and necessary step to protect consumers and clients in this digital age.
When you are GDPR compliant, have the right processes and people in place, you will be better able to respond in in the event of a data breach. The regulation basically takes the minimum requirements for data processing to a higher standard.
Being GDPR compliant can positively impact your reputation and reinforce customer trust. Of course, not being compliant can either have financial or reputational risks, as well as cost you in lost business. Having a good GDPR process in place can significantly reduce cyber risk, but of course, these are separate topics. Read how using the cloud can reduce cyber risk.
One way to see what personal information is currently available on the web is to visit a privacy tracking site like WebAware.com. Enter the name of a major site like Facebook.com to see what information they are trading between websites.
Please note that all of the information we have discussed in this blog is our interpretation of the notes given by ICO and Article 29. This is not legal fact and should not be treated as such. We will keep you posted over the cause of the next 11 months with updates but you should also conduct your own research as the new year isn’t that far off!
About Joe: Joe Hancock is the Cyber Security Lead at Mishcon de Reya, working within the Dispute Resolution team. He focuses on providing strategic cyber advice, helping organisations to develop and optimise their investments in cyber risk management, and protect their reputation and stakeholders.
Joe is a recognised industry expert in emerging areas such as Operational Technology Security and Cyber Insurance. He began his career in the Defence and National Security sector and was one of the first cyber specialists in the Lloyds insurance market, supporting the underwriting of cyber risks.