The European Union opened a new chapter for data protection in 2015. After almost four years of intense negotiation and public debate, the General Data Protection Regulation (GDPR) was adopted in April 2016. We are now on track to change data protection for the next generation.
The GDPR reinforces a wide range of existing rights, and establishes new ones for individuals. It is fundamental to find new ways of applying data protection principles to the latest technologies, and the cooperation of businesses is crucial in order to achieve this goal.
The GDPR comes into force on 25 May 2018, and preparations for ensuring compliance require close attention. The new regulation sets out the need for a solid data protection policy for firms working within the EU. Such measures include, among others: adequate documentation on what personal data is processed, how, for what purpose, and for how long; documented processes and procedures; tackling data protection issues at an early stage when building information systems; responding to a data breach; and the presence of a Data Protection Officer integrated into the organisation.
Six General Principles
The GDPR aims to entrench privacy on the ground, and allows different sectors to contribute to new norms and best practices appropriate to specific circumstances. The GDPR also aims to make it easier for companies operating within EU borders to comply with data protection policies.
There are six general principles in the regulation that have to be respected when processing personal data: fairness; purpose limitation; data minimisation; accuracy; storage limitation; and security.
Security is an important principle of data protection. In fact, it is an enabler of data protection. (Information) security provides organisations with control: control to actually behave as they want even in the presence of external factors or threats. It is not a new principle and has always been based, as in any security framework, on the implementation of a mature risk management process. (More information on information security and data protection can be found in the EDPS’ publication ‘Security Measures for Personal Data Processing – Guidance on Security Measures for Personal Data Processing – Article 22 of Regulation 45/2001’.)
At the same time, the GDPR introduces an important new concept into the data protection framework: accountability. The concept first appeared in the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and was more recently promoted at the 2009 International Conference of Data Protection and Privacy Commissioners in the ‘Madrid International Standards’, in the ISO draft standard 29100, and in the APEC privacy framework and its cross-border privacy rules. Article 22 of the latest version of the GDPR requires controllers to implement appropriate technical and organisational measures to ensure and demonstrate compliance (the term ‘accountability’ is defined in Article 5(2)). Accountability is a common principle for organisations across many disciplines. The principle embodies the idea that organisations live up to expectations, for instance in the delivery of their products and their behaviour towards those they interact with. Accountability is already present in any IT governance framework, and is also the basis for control and auditing.
The GDPR integrates accountability as a principle, which requires that organisations put in place appropriate technical and organisational measures, and that they are able to demonstrate those measures – and their effectiveness – when requested. Accountability is the best way to move data protection from theory to practice.
In other words, if accountability is incorporated into business activities, it will ensure effectiveness in applying other data protection principles. However, in order to ensure that this happens, businesses have to change their culture when complying with data protection rules. In concrete terms, accountability requires organisations to be able not just to comply with data protection principles, but also to demonstrate how they ensure compliance with the GDPR. Therefore, businesses should start reviewing their data processing activities and implementing proper data protection policies as a new routine, to be able to demonstrate compliance with the regulation upon request from individuals (customers) or supervisory authorities.
Linked to accountability are the principles of data protection by default and by design, which will also become a legal obligation under the GDPR. Data protection by design can be likened to the principle, well known to IT practitioners, that implementing security or data protection is more effective and efficient the sooner it is done. Data protection by default asks organisations to consider the most data protection-friendly option possible whenever a decision is taken. (To facilitate the implementation of data protection by design and by default, the EDPS participates in the Internet Privacy Engineering Network (IPEN), whose purpose is to bring together developers and data protection experts with a technical background from different areas in order to launch and support projects that build privacy into everyday tools and develop new tools which can effectively protect and enhance our privacy.)
These two principles together with accountability are already a very strong guide when tackling data protection issues.
Stronger Rights For Individuals
The GDPR provides individuals with stronger rights, giving them more control over the processing of their personal data, such as a stronger right to rectification, a broader right to erasure (also known as the ‘right to be forgotten’), a new right to the restriction of processing in certain circumstances, and so on. Therefore, in order to make this new set of rights effective, it is necessary to both establish transparent internal data protection and privacy policies – approved and actively endorsed at the highest level of the organisation’s management – and to inform and train everyone in the organisation on how to implement these policies.
If they are not already doing so, all businesses, large and small, should be considering the way in which they interact with personal data, and how the GDPR will impact them and the sector in which they operate.
We would not recommend a ‘sit on your hands’ and ‘wait-and-see’ approach.
Ultimately, we believe that GDPR is an opportunity for businesses, inside and outside the EU.
The regulation will help firms consolidate personal data into an integrated business platform. This constitutes a unique opportunity for businesses to get closer to customer requirements and expectations, in both the digital economy and wider society.
Mr. Giovanni Buttarelli has been European Data Protection Supervisor since December 2014. He was appointed by a joint decision of the European Parliament and the Council on 4 December 2014 for a term of five years. He previously served as Assistant EDPS, from January 2009 until December 2014. Before joining the EDPS, he worked as Secretary General to the Italian Data Protection Authority, a position he occupied between 1997 and 2009. A member of the Italian judiciary with the rank of Cassation judge, he has taken part in many initiatives and committees on data protection and related issues at the international level.