The first data protection or information privacy law was passed by Sweden back in 1973, and since then over 80 countries have adopted similar legal frameworks. Data protection laws attempt to control the way that people’s personal data is obtained, stored and used.
Europe’s General Data Protection Regulation (EU) 2016/679 (GDPR) was implemented on 25th May 2018. It still applies and will continue to apply in the UK after the Brexit transition period, as it has been incorporated into UK law, sitting alongside the Data Protection Act 2018 with some technical amendments. GDPR applies to any organisation that operates in the European Economic Area (EEA), offers goods or services to individuals in the EEA, or monitors the behaviour of individuals in the EEA.
Important data protection frameworks that exist outside Europe include the California Consumer Privacy Act (CCPA) and Brazil’s General Data Protection Law (LGPD). China is in the process of developing a national privacy law – a draft version of its Personal Information Protection Law (“Draft PIPL”) was released on 21st October 2020. All of these frameworks have been significantly influenced by GDPR.
EU GDPR is made up of 99 articles, of which the most relevant include:
- Article 5: Personal data should only be collected for good reason, in a transparent fashion, and for no longer than necessary. The data should be protected against “unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. The controller must be able to demonstrate compliance with Article 5.
- Article 6: Sets out the conditions under which the processing of personal data is considered lawful.
- Articles 15-17: These cover the rights of data subjects to access, rectify or erase their data (the ‘right to be forgotten’).
- Article 25: The Data Controller should “implement appropriate technical and organisational measures” to ensure that data are processed appropriately – sometimes described as ‘privacy by design’.
- Article 30: Sets out the records that must be maintained about processing activities.
- Article 32: This is the article that refers explicitly to information security, requiring among other things that the confidentiality, integrity, availability and resilience of processing systems and services are ensured.
- Article 33: The Data Controller must notify any personal data breach to the relevant regulatory authority (in the UK this is the ICO) within 72 hours of becoming aware of it.
- Article 34: The data subject(s) affected by the breach must be notified ‘without undue delay’. One way this obligation can be avoided is by showing that the breached data was encrypted.
- Article 35: This refers to the Data Protection Impact Assessment (DPIA). A DPIA is not always required; the ICO website provides a checklist to help you decide whether you need to carry one out.
- Article 44: Covers transfers of personal data to third countries.
- Article 83: The potential fines are set out here, and they are significant. There are two levels of fine, depending on the type of failure: Level 1 is the greater of €10M or 2% of turnover during the previous year; Level 2 is the greater of €20M or 4% of annual turnover. Note, however, that now that class actions on behalf of affected consumers are starting to appear, legal costs seem likely to substantially exceed regulatory fines.
As of January 2021, a total of 272.5 million euros ($331 million) in fines had been levied since the law came into full effect, the largest of which were against Google (France, €50M), H&M (Germany, €35M) and Italian Telecom (Italy, €28M).
Article 42 of GDPR refers to ‘certification’, but is rather vague. The UK information regulator (the Information Commissioner’s Office, or ICO) says on its website that “currently there are no ICO-approved UK GDPR certification schemes in operation”. However, one commonly accepted way to achieve a form of ‘GDPR certification’ is implementation of, and certification to, the ISO/IEC 27001 Information Security Management System (ISMS) standard, as the controls in this framework overlap well with the requirements of GDPR; indeed, one control (A.18.1.4) states that “privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable.”