
Bermuda and new European data rules

Euro data rules: the GDPR’s implementation will have implications for Bermudian companies

On December 15, 2015, the European Parliament and the European Council agreed the EU Data Protection Reform, promising to make Europe fit for the digital age. But what is the General Data Protection Regulation (GDPR), what is its scope, and what do organisations need to do to comply with this new regulation? In part one of this two-part article, Darren Wray discusses the scope of the GDPR and some of the differences between the existing European data protection legislation and the changes that the GDPR brings.

Some background

The GDPR is an update to the European Data Protection Directive (DPD), which first came into force in December 1995 with the aim of protecting individuals with regard to the processing of their personal data in the European Union. Considering that at the point of its implementation the internet was still something used by geeks and tech hobbyists, the directive could never have predicted how the world would change over the following 21 years, so despite having been amended a few times, it is long overdue for an update.

What is the scope of the GDPR?

The scope of the GDPR is global. Wherever personal data relating to people in the European Union is processed (and processing includes collection, storage, updating, viewing, reporting and use), it must be safeguarded and handled in accordance with the tenets of the GDPR, whether or not the organisation doing the processing is itself established in the EU. Failure to do so could result in fines being levied against the company, particularly if its actions lead to a loss of information or a data breach. It is important to remember that personal data does not just mean information captured for the purpose of providing a service; it also includes the information your organisation holds about its own employees who are in the EU.

How is the GDPR Different from Existing Data Protection?

Many of the basics of the GDPR and its predecessor the DPD are similar, but there are some key differences that mean an organisation that is compliant with the DPD won’t necessarily be compliant with the GDPR.

Fines

Fines could be issued under the DPD, but they were not what many considered to be punitive in their size. Under the GDPR, fines can be up to 20 million euros (approximately $22.8 million) or 4 per cent of global annual turnover, whichever is the higher.

This is a far more serious fine structure and will no doubt have organisations taking the GDPR a little more seriously.

Simplified breach reporting

If a data breach or data loss should occur, the reporting process has been simplified and standardised under the GDPR, which requires data controllers to notify the appropriate supervisory authority of the personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned). The notification must describe:

• The nature of the personal data breach.

• The categories and approximate number of data subjects affected.

• The likely consequences of the breach.

• The measures the data controller has taken or proposes to take to address and mitigate the breach.

The data controller should also provide the contact details of their Data Protection Officer when reporting a data breach.

Some data definitions

Data protection is full of terms that can be confusing. The following defines a few phrases that those new to data protection may be unfamiliar with:

Personal data: any information relating to an identified or identifiable living individual. It includes online identifiers such as IP addresses, cookie identifiers and device identifiers, as well as the more traditional combinations of name, address, date of birth and so on.

It is also important to understand that, as well as these structured examples, unstructured information can also identify a living individual, for example: the man at number 17 Victoria Street, London, who drives the red car. If there is only one man who lives at number 17, or only one man at number 17 who drives a red car, this information identifies a living individual.

Sensitive personal data: a special category of personal data covering racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data, and data concerning a person’s sex life or sexual orientation.

Explicit or unambiguous consent: consent to process personal data must be unambiguous, that is, given by a clear affirmative act rather than inferred from silence or pre-ticked boxes. In the case of processing sensitive personal data there must be explicit consent from the individual.

Data subject: the individual who is the subject of the personal data.

Data controller: the person or organisation that (either alone or jointly with others) determines the purposes and means of processing personal data. For example, a company collecting information about individuals in order to provide them with a service.

Data processor: a person or company (other than an employee of the data controller) that processes personal data on behalf of the data controller.

For example, an insurance company (the data controller) hires a contact centre company to handle calls about insurance claims. The contact centre staff would need access to some of the insurer’s policyholder data in order to provide the service. In this example the contact centre company is a data processor.

Data protection officer (DPO): the person responsible for creating and maintaining the data-related controls, reducing risk, monitoring compliance, responding to data subjects’ requests, acting as the point of contact for the supervisory authority, and reporting breaches should they occur.

The purpose: the purpose is the reason the personal data is collected. For example, a life insurance company would collect personal data for the purpose of underwriting, pricing and providing life insurance.

Data collected for one purpose cannot be used for another, incompatible purpose without a further lawful basis, such as the consent of the data subject. So the life insurance company above could not start using the data it had collected to market a new insurance product unless the data subject had consented to that use.

Darren Wray is the chief executive officer of Fifth Step and has more than 25 years of IT and management experience within the financial services and other sectors. Fifth Step operates globally from its offices in Bermuda, London and New York, providing IT leadership, change management and governance services to executives and senior managers within insurance, investment, legal and banking organisations of all sizes.