What does GDPR mean for you and Office 365
By now you will have heard about the new General Data Protection Regulation (GDPR) that will be coming into effect shortly. This was started by the European Commission in 2012 and finally generally agreed upon by the European Parliament and Council in December 2016. This new plan is to replace the current Data Protection Directive 95/46/ec.
Most companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018. There are some core areas that are of great importance when trying to understand this new policy, as well as seeing how it fits into existing policies and also platforms that you may be using.
Some of the core areas that are covered by this new plan are:
- Cybersecurity and data breach notifications
- Data protection officer requirement
- Data consent
- Cross-border data transfers
- Data Profiling
- Data portability
- Vendor management
- Pseudonymizing of personal data
- Codes of conduct and certifications
Looking at these topics you may wonder how this fits into Office 365 and what you as an organization can do about it?
In reality, if you are already using Office 365 and Azure Services then you are part way there.
Office 365 combined with Azure services provide you with the services you need to meet the GDPR requirements. Office 365 offers core features such as Data Loss Prevention, eDiscovery, Customer Lockbox and Advanced Data governance services for controlling the data that you store within all components. To meet some of the core protection GDPR policies, Office 365 provides Advanced Threat Protection, Advanced Security Management, Audit Logs and overall Threat Intelligence.
To learn more about these areas of Office 365, head over to these posts:
Security and Compliance
Data Loss Prevention
Advanced Threat Protection
Advanced Security Management
Advanced Information Protection
In reality, we are yet to see how this will impact businesses, or you as an individual. What we do know is that every organization that does business in Europe is affected. GDPR will fundamentally change the way you do business by enforcing the regulations listed below. The biggest three to affect companies here in the US, will be “Consent“, “Right to be forgotten” and “Privacy by Design“. This will be an interesting year as you head into the new GDPR-world, I am sure there will be many lessons to learn over the next few months into next year.
Each of sections within the GDPR cover a vast array of areas, the following paragraphs outline at high level what each category covers.
This information has been gleaned from the following sources, some copied as is, some just used for reference.
Sources and Citations
Cybersecurity and data breach notifications
Data security is of upmost importance for all companies or at least should be, based on the events over the past few years. The GDPR imposes much stricter rules around data processors and controls for data security. The GDPR separates responsibilities of data controllers and then data processors ensuring and in reality, forcing each to provide assurances that sufficient technical and organizational measures are taken with data security. Article 32 of the GDPR outlines the list of appropriate measures.
As well as ensuring that these are met, in the event of a breach the GDPR rules differ slightly from current rules. Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This broad definition differs from that of most U.S. state data breach laws, for example, which typically are triggered only upon exposure of information that can lead to fraud or identity theft, such as financial account information. Article 33 or the GDPR outlines the requirements.
One of the goals of the GDPR is to harmonize the data breach notification approaches. Within the US, most states have different notification laws, which of course can and has caused many issues. The GDPR, at least within EU member states will provide a predictable and efficient process for breach notifications.
Data protection officer requirement
Under Article 37, of the GDPR, organizations must designate a data protection officer, for all public authorities. Article 37, does not outline the credentials that data protection officer must carry, but does require they have “expert knowledge of data protection law and practices“.
As listed within Article 37, the core data protection officer tasks are:
Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws.
Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits.
Advising with regard to data protection impact assessments when required under Article 35.
Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data.
Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.
Under the Regulation, data protection officers have many rights in addition to their responsibilities. They may insist upon company resources to fulfill their job functions and for their own ongoing training. They must have access to the company’s data processing personnel and operations, significant independence in the performance of their roles, and a direct reporting line “to the highest management level” of the company. Data protection officers are expressly granted significant independence in their job functions and may perform other tasks and duties provided they do not create conflicts of interest.
When working with data, one area that is of utmost importance is that of “consent“. Consent is the lawful basis to transfer personal data. Within the existing policies, controllers were allowed to rely on implicit and “opt-out” consent in some circumstances. The new GDPR changes what is currently used in three specific ways. First, the GDPR gives data subjects the right to withdraw consent at any time and “it shall be as easy to withdraw consent as to give it.” Controllers must inform data subjects of the right to withdraw before consent is given. Once consent is withdrawn, data subjects have the right to have their personal data erased and no longer used for processing.
Second, the GDPR adds a presumption that consent is not freely given if there is “a clear imbalance between the data subject and the controller, in particular where the controller is a public authority.” Importantly, a controller may not make a service conditional upon consent, unless the processing is necessary for the service.
Third, the GDPR adds that consent must be specific to each data processing operation. To meet the specificity requirement under Article 7, a request for consent to data processing must be “clearly distinguishable” from any other matters in a written document, and it must be provided “in an intelligible and easily accessible form, using clear and plain language.” However, the law exempts controllers from obtaining consent for subsequent processing operations if the operations are “compatible.” Recital 50 states that compatibility is determined by looking at factors including the link between the processing purposes, the reasonable expectations of the data subject, the nature and consequences of further processing, and the existence of appropriate safeguards for the data.
Extra protections have been added to safe guard personal data of children, by limiting the ability to consent for data without parental authorization. The age of consent for children has been raised from 13 years old to 16 years old, but member states can lower the age not below 13 years, but must then require parental or guardian consent.
Cross-border data transfers
Chapter V (Articles 44 through 49) of the GDPR governs cross-border transfers of personal data. Article 45 states the conditions for transfers with an adequacy decision; Article 46 sets forth the conditions for transfers by way of appropriate safeguards in the absence of an adequacy decision; Article 47 sets the conditions for transfers by way of binding corporate rules; Article 48 addresses situations in which a foreign tribunal or administrative body has ordered transfer not otherwise permitted by the GDPR; and Article 49 states the conditions for derogations for specific situations in the absence of an adequacy decision or appropriate safeguards.
The GDPR provides mechanisms for cross-border data transfers in the absence of an adequacy designation if the controller or processor utilizes certain safeguards. Under Article 49, appropriate safeguards include:
- Legally binding and enforceable instrument between public authorities or bodies.\
- Binding corporate rules in accordance with article 47.
- Standard data protection contractual clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2).
- Standard data protection contractual clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2).
- An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
- An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
Controllers must provide certain information to data subjects when their information is obtained. This explicitly includes (a) that the controller intends to transfer personal data to a third country or international organization; and (b) that such transfer is pursuant to an adequacy decision by the Commission; or (c) reference to the appropriate or suitable safeguards and the means for the data subject to obtain them. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and as otherwise required by Article 12.
Perhaps the biggest change here from the original directors is that failure to comply with the GDPR international data transfer provision may results in hefty fines. Violations of the data transfer provisions in Articles 44-49 are subject to the steeper of the two administrative fine provisions in the GDPR. Such violations may result in “administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.” The factors considered for imposing a fine include “the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor.”
The current Directive was implemented nearly 20 years ago, technologies have proliferated that allow data controllers to gather personal data and analyze it for a variety of purposes, including drawing conclusions about data subjects and potentially taking action in response to those conclusions such as target marketing, price differentiation, and the like. Although the concepts of “profiling” or “target marketing” appear in the Directive, the precise terms do not. Under Article 4(4), data processing may be characterized as “profiling” when it involves (a) automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person. Specific examples include analyzing or predicting “aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”This definition implicitly excludes data processing that is not “automated.”
The GDPR, defines that “profiling” requires some sort of an outcome or action resulting from the data processing is underscored by the data subject’s rights to be informed of the “consequences” of profiling decisions as discussed in Recitals 60 and 63. Articles 13 and 15, which address information to be provided a data subject upon personal data collection and upon the data subject’s request, both require disclosure of “the existence of automated decision making including profiling” along with “the significance and the envisaged consequences of such processing for the data subject.”
Data subjects are given the right to object to processing for direct marketing as well as to “profiling to the extent it is related to direct marketing,” further underscoring that profiling is not direct marketing per se but instead is something more. Recital 91 describes the obligation to conduct a data impact assessment and characterizes the “profiling of data” as follows: “A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data.”
Even when profiling is otherwise lawful, a data subject has the right to object at any time. Pursuant to Article 19, upon the data subject’s objection to profiling that is otherwise authorized under Article 6, the processing must cease unless the controller demonstrates “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.”
When processing is for direct marketing purposes, including profiling, the data subject similarly has a right to object but in this case processing must cease and the controller is not authorized to continue under any circumstances.
The GDPR introduces two new rights for data portability. First, the regulation codifies a right to be forgotten. This right allows individuals to request the deletion of personal data, and, where the controller has publicized the data, to require other controllers to also comply with the request. Second, the right to data portability requires controllers to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the data subject so requests.
The GDPR also augments the existing rights of data subjects to receive notice about processing activities, gain access to the information that is being processed, and to have the controller rectify inaccuracies. The data subject’s right to object to processing is broader than under the Directive, moreover, allowing her to object to processing at any time, unless the controller has compelling legitimate grounds.
One of the new rules is directly related to the term “Big Data“. The creation of a new right to data portability that aims to increase user choice of online services. Where controllers process personal data through “automated means,” Article 20 grants data subjects the right to receive the personal data concerning them. Controllers must provide the data in a commonly used and “machine-readable” format, and data subjects have the right to transmit that data to any other controller. Where feasible, the controller may even be required to transmit the data directly to a competitor.
The GDPR increases the number of disclosures a controller must make before collecting personal data. In addition to the identity of the controller, the purposes for processing, and any recipients of personal data, Article 13 requires controllers to disclose how long the data will be stored. Controllers also must inform data subjects of the right to withdraw consent at any time, the right to request access, rectification or restriction of processing, and the right to lodge a complaint with a supervisory authority.
The GDPR defines a controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” The controller is the entity that makes decisions about processing activities, regardless of whether it actually carries out any processing operations.
Article 24 makes controllers responsible for ensuring that any processing activities are performed in compliance with the Regulation. Controllers must “implement appropriate technical and organizational measures” not only not only to ensure compliance, but also to be able to demonstrate the measures that they have in place. Controllers are liable for the actions of the processors they select and responsible for compliance with the GDPR’s personal data processing principles. Under the GDPR, the term “processor” means a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
In the event of a personal data breach, processors are required to notify the controller without “undue delay” if it happens on the processor’s watch. The burden falls on the controller, then, to notify the supervisory authority within 72 hours of becoming aware of the breach. If notification is not made within 72 hours, controllers are required to provide a reasoned justification for the delay. Controllers are also responsible for documenting personal data breaches, including the facts of the breach, its effects, and remedial actions.
Pseudonymizing of personal data
The GDPR introduces a new concept in European data protection law – “pseudonymization” – for a process rendering data neither anonymous nor directly identifying. Pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. Pseudonymization, therefore, may significantly reduce the risks associated with data processing, while also maintaining the data’s utility. For this reason, the GDPR creates incentives for controllers to pseudonymize the data that they collect. Although pseudonymous data is not exempt from the Regulation altogether, the GDPR relaxes several requirements on controllers that use the technique.
- The Regulation recognizes the ability of pseudonymization to help protect the rights of individuals while also enabling data utility.
- Pseudonymization may facilitate processing personal data beyond original collection purposes.
- Pseudonymization is an important safeguard for processing personal data for scientific, historical and statistical purposes.
- Pseudonymization is a central feature of “data protection by design.“
- Controllers can use pseudonymization to help meet the GDPR’s data security requirements.
- Controllers do not need to provide data subjects with access, rectification, erasure or data portability if they can no longer identify a data subject.
- The GDPR encourages controllers to adopt codes of conduct that promote pseudonymization.
Codes of conduct and certifications
Articles 40 and 41 are the primary sources of authority for establishing approved codes of conduct to serve as compliance-signaling tools for controllers and processors.
The GDPR’s adoption of codes of conduct and certification mechanisms is a welcome development for controllers and processors seeking efficient means for compliance. There are of course upfront administrative burdens of establishing and maintaining compliance with a code of conduct or earning certification status. But these costs are offset by the ease of finding compliant processors, for example, via screening for those adhering to a code or displaying a certification seal. The codes and certifications also may serve as marketing tools, allowing data subjects to choose controllers signaling GDRP compliance via their membership in associations or their certified status. They also will likely play a significant role in facilitating cross-border data transfers.
The GDPR empowers supervisory authorities to assess fines that are “effective, proportionate and dissuasive.” It sets forth both mitigating and aggravating factors to help DPAs assess the amount of a fine. For example, intentional violations are worse than negligent ones. Mitigating factors include adherence to a code of conduct or certification mechanisms, minimizing the use of sensitive categories of data, and employing appropriate technical and organizational safeguards. In the event of non-compliance, moreover, controllers or processors may limit the amount of a fine by mitigating “the damaging nature, gravity and duration of the violation,” reporting the violation as soon as possible and cooperating with the supervisory authority. Aggravating factors generally include the opposite actions – not seeking to mitigate harm or acting contrary to the mitigating factors.
The GDPR creates two tiers of maximum fines depending on whether the controller or processor committed any previous violations and the nature of violation. The higher fine threshold is four percent of an undertaking’s worldwide annual turnover or 20 million euros, whichever is higher. The lower fine threshold fine is two percent of an undertaking’s worldwide annual turnover or 10 million euros, whichever is higher.
The Regulation empowers data subjects to seek judicial relief for damages and file administrative complaints with supervisory authorities. The Regulation’s guidance on imposing fines replaces the patchwork enforcement structure of the Directive, while establishing accountability and consistency mechanisms also lacking under the Directive. The hefty fines and penalties for infringement not only encourage accountability, they may be the single most eye-catching feature of the Regulation, causing multinationals and local companies to invest more in compliance. The GDPR’s consistency mechanisms – encouraging supervisory authorities to cooperate and agree on infringement decisions, empowering the Board for dispute resolution, making final decisions binding – will ease burdens on controllers and processors doing business across Member State states by offering more efficient enforcement solutions.