At the BCS legal day, one presentation, entitled “Key Issues”, opened with a quote from Jan Albrecht MEP (the Rapporteur for the Regulation):
“[The] result is something that makes (as we intended from the beginning) everybody equally unhappy, but at the same time is a huge step forward for all sides involved.
Jan Albrecht MEP”
It is hoped that business opportunity will be created by harmonising regulation across Europe, with the goal of improved privacy for its citizens. That harmonisation is constrained by the Restrictions Article, which excludes certain areas of law from the Regulation and allows nationally authored variances. The derogations also cover employee privacy, a compromise between those who want stronger protection for employee personal data and those who do not. The planned one-stop shop, proposed to let businesses build a relationship with a single supervisory authority and to give citizens clarity about whom to approach, was also watered down in the law-making process, another compromise between those who prioritise the exercise of citizens’ rights and those who prioritise business clarity and cost.
We reviewed the restatement of the DP principles.

At the heart of the principle of lawfulness is the idea that holding and processing personal information must be justified, and there are now six lawful bases, which I have summarised in the figure below. On lawful processing, it is obvious that people’s CRM and HR systems are going to need to be rewritten to document the reason for holding each personal data item. Two points need to be remembered: if the reason is to support the performance of a contract, the data must be necessary for that contract; and the public sector may not rely on the legitimate interests basis for processing carried out in the performance of its tasks. Consent, which I feel will be of limited use in many areas of the private sector, must be “freely given, specific, informed and unambiguous”, and must be as easy to withdraw as it was to give; the ICO have launched a consultation on consent. Most companies will look to use “contract” or even “compliance with a legal obligation” before “consent” as their justification for lawful processing.
There was a slide on the new requirement to issue a fair processing notice to data subjects, which is part of implementing the principle of lawfulness (and transparency). These notices must now include the contact details of the DPO, the legal basis relied on (one of the six), who is using the data, any cross-border transfers, how long the data will be kept, where it is stored, and whether or not automated decision-making is used.
There will be an overriding requirement to demonstrate compliance (accountability). I have written elsewhere of the scale of change needed to meet the obligations, but in short each personal data fact will need to be available, together with documentation of how its processing conforms to the principles. It will also be necessary to record any change in purpose. For instance, when someone leaves the employment of a company, some of their personal data will have to change purpose from contract to compliance with a legal obligation, while other parts will need to be deleted.
The law introduces some new rights, and the older rights are retained. Subject Access Requests and Data Portability will be challenging in systems terms: any data subject known to the controller can make an Access Request, so the controller must be able to find and extract every item held about them.
The speaker also considered the relationship between controllers and processors, where contracts will need to be more carefully written; breach reporting, which must now be made to the supervisory authority within 72 hours of becoming aware of the breach; and the enforcement powers, which I will cover in another article. The presentation finished with a slide on the state of preparedness, covering sponsorship, programme design, compliance and control design, establishing transparency, contract review and internal organisation mobilisation.