Scott Appleton: GDPR - Big Bang or Data Evolution?
- 1. GDPR – Big Bang or Data Evolution?
- 3. OVERVIEW Moore Law • What’s the fuss? • Big Bang Theory? • Reality = Evolution? • Accountability • Compliance / Privacy by Design • Demonstrating Consent • ‘Appropriate’ Measures • Opportunities (& Competitive Edge) Contacts
- 4. What’s the Fuss? “GDPR affects anyone holding data on EU citizens. A survey of 1350 companies around the world by cybersecurity firm NTT found that a lot of them have no clue about this yet, even Europeans seemed unaware. The Brits were the worst. 39% of UK companies realised that they were subject to the regulation.” TheRegister.co.uk ‘Personal Data' – Employees, clients, users / suppliers Presumption of application to businesses Enhanced enforcement / fines for data protection breaches Deadline for implementation = 25 May 2018
- 5. Big Bang Theory? 1995 EU Data Protection Directive –>DPA 98 Applies broadly to the collection and processing of data able to identify living individuals (filing system) = ‘Person Data” DPA 98 introduced 6 x Data Principles: Lawfulness, fairness and transparency Purpose limitation Data Minimisation Accuracy Storage Limitation Integrity & Confidentiality Definitions: ‘Data Controller’ / ‘Data Processor’ / ‘Sensitive Personal Data’/ ‘Consent’ Roles: Data Protection Officer (DPO)
- 6. Reality = Evolution GDPR = accepts the world has moved and extends the existing Principles: • All EU-based businesses • Any business targeting EU citizens (USA, Australia, etc) • All EU citizens Regulation vs Directive • GDPR = Direct Effect • No domestic Member State law required • Intended to promote greater harmonisation and consistency across EU in terms of application and interpretation Reverses DPA 98 position • Register with Information Commissioner’s Office (ICO) –> inference of application • DPA 98 -> Data Protection Bill (Post-Brexit)
- 7. Accountability Accountability • Move away from mere lip service. Businesses have to demonstrate (ongoing) compliance, often in written form: • Internal policies and processes that are GDPR-compliant • Implementation of the policies and processes • Effective internal compliance measures. • External controls & contracting (model clauses) Demonstrable protections for specific types of data / subjects: • Sensitive Personal Data (genetic, biometric) • Children (16+ / 13+) Introduces new concepts • Data Protection Risk Assessment • Pseudonymisation (vs anonymisation) to better protect data
- 8. Compliance/ Privacy by Design Day-to-day compliance –> Obligation to justify data position to Regulator (ICO) • What is the purpose the data will be used for • Retained solely to fulfil the stated purpose • Where it will be stored (UK / EU / EEA) • Not keep for longer than necessary (2 years?) • Uphold data subjects rights (right of access / right to be forgotten / data portability) • Data Controllers and Data Processers are treated equally (previous focus on DCs) • Data Controllers required to perform due diligence on Data Processers (supply chain) • DPO requirement (or justify why not have one) Breaches – Obligation to Report Regulator will look at what has happened, why, and whether ‘appropriate’ measures put in place to safeguard data. ICO extended powers £500,000 -> €20,000,000 / 4% Global Turnover (+ PR DAMAGE)
- 9. Specific (6) justifications for collecting data: performance of contract / compliance with legal obligation / vital interests / public interest / legitimate interests of DC / consent • Implied consent no longer valid – ICO / pre-checked boxes / ‘continue to use our site accept our Ts&Cs’ Have to be able to prove actual consent: ‘freely given, specific, informed & unambiguous’ Children: must be able to demonstrate steps to show capability • GDPR @ 16+ • Member State discretion @ 13+ (UK) Death of Data • Reassess sign-up / consent processes -> compliant • Death of data – can’t rely on past consent for post May 2018 Demonstrating Consent
- 10. Must be able to demonstrate ‘appropriate technical and organisational measures’ for data compliance / protection • Demonstrate how and why collect personal data • ‘Consent’ / Privacy Policy / Terms & Conditions / Terms of Use Internal processes • Data risk Impact Assessment / Data Use Policy / Data Retention Policy / Employment Contracts Awareness of GDPR principles - Staff training / DPO (qualified) Contractual Relationships - GDPR model clauses incorporated Breach Obligations • Requirement to log breaches • Report to the Regulator (and potentially data subjects) within 72 hours of a notifiable breach ‘Appropriate’ Measures
- 11. GDPR is a reality Brexit – GDPR continue to apply if businesses target EU will apply • -> Data Protection Bill • -> UK require an ‘equivalent’ regime Businesses need to assess own situation / audit • how & why collect data (consent, etc) / how protect data / enforcement policies (internal & external) / supplier terms. Case Studies • Clients wanting to get their house in order – Compliance = Biz Dev • Breach = costly (£££) + PR / Reputational risk Bigger businesses doing GDPR due diligence: • expect their supply chains to have ‘adequate’ measures in place • want to see policies (privacy / data protection / data retention) • expect awareness of GDPR implications • practical importance of new concepts – i.e. pseudonymisation Opportunities (& Competitive Edge)
- 12. Scott Appleton scottappleton@moore-law.co.uk T 01237 704789 M 07557 447054 @TalkingLawyer
Editor's Notes
- #9: DPO – scale of collection / processing / size / dealing with sensitive data / public body (+ adequately qualified -> reporting to Senior Management). Justify why not.
- #11: CONSIDER IF THERE IS SCOPE OR TIME TO EXPLORE REVOCATION, INVALIDITY AND GROUNDS FOR OPPOSITION. THIS WILL LIKELY FALL UNDER THE DUE DILIGENCE CATEGORY ABOVE. IT IS IMPORTANT FOR CLIENTS TO APPRECIATE THAT TRADEMARK APPLICATIONS CAN SOMETIMES DRAW ATTENTION FROM MUCH LARGER RIGHTS HOLDERS WITH DEEPER POCKETS WHO ARE AGGRESSIVE ABOUT PURSUING INFRINGERS. SMALLER ORGANISATIONS OPERATING UNDER THE RADAR MAY HAVE HITHERTO GONE UNNOTICED BUT APPLYING FOR A REGISTERED TRADEMARK MAY BRING YOU TO THEIR ATTENTION. ALSO THE POINT SHOULD BE MADE THAT IT IS NOT UNUSUAL TO BE SURPRISED BY A CAUTIOUS EXAMINER’S VIEW WHICH MIGHT INCLUDE NOTIFICATION WHERE IT WOULD NOT SEEM TO BE MERITED.
- #12: Ketchup – more sales / bigger bottles = easier to use 112 iteration 1991 – 95 $13m Licensing NASA / HEINZ etc Patent Box - JCL (80% sales on patented driver)