Allan Christian from KPMG’s Risk Advisory team provides a light summary of the incoming General Data Protection Regulation. Whilst EU-driven, it is likely to remain a mainstay even after Brexit concludes. Of particular relevance to Gibraltar’s public sector, financial services and gaming companies, GDPR itself will “go-live” on 25 May 2018.
KPMG’s recent research suggests over half of us have decided against an online purchase due to privacy concerns. We are perhaps a couple of generations into a world where we accidentally or begrudgingly hand personal data to “selected third parties”, safe in the knowledge that at some juncture, our inboxes will start to swell with unwanted approaches.
So how comfortable are we that the personal data we entrust with both the public and private sector is, and continues to be, used as originally intended?
The General Data Protection Regulation (GDPR) driven from the EU has turned a few heads in its approach to the refresh of what is ultimately a pre-internet approach to the accumulation, management and disposal of EU citizens’ personal data. Existing European legislation was codified at a time before our personal data was such a demonstrably marketable commodity, illustrated by some of the rather shocking cases recently highlighted by the UK’s Information Commissioner’s Office.
GDPR itself will be supplemented by a new e-Privacy Regulation (replacing the current e-Privacy Directive) which goes into much more detail on specific matters such as cookies, messenger apps and spam, the two together forming a “data protection package”.
GDPR helps clarify responsibilities of Data Controllers (those who are ultimately responsible for why and how your data is used) and Data Processors (those who might deal with technical elements of data management). Ambiguity, particularly within intra-group relationships, left a fairly grey area previously, so we might expect a suite of contractual reviewing and redrafting over the next year!
But why would Gibraltar care about EU Regulation in the shadow of Brexit? GDPR comes with an extra-territorial angle: regardless of where the personal data is processed or controlled, the Regulation applies to any organisation that offers goods or services to, or monitors the behaviour of, individuals in the EU. Needless to say, a great number of the 852 Data Controllers registered in Gibraltar control or process EU citizens’ personal data, be it that of their employees, customers or targets.
Extra-territoriality has indeed been seen in action before GDPR, with Facebook embroiled in a legal dispute which ultimately saw the EU-US data transfer framework (known colloquially as “Safe Harbor”) invalidated by the Court of Justice of the European Union in October 2015.
For that reason, the UK’s Crown Dependencies have all committed unequivocally to maintaining an “equivalent” position to that of the EU on this matter irrespective of Brexit, with Guernsey, the Isle of Man and Jersey all holding formal EU adequacy decisions (since 2003, 2004 and 2008 respectively). If Gibraltar’s businesses wish to keep targeting EU consumers, the effective application of GDPR by next year should make a future equivalence assessment a fait accompli.
What exactly is changing? Some of the improvements driven through GDPR and actively enforced through more aggressive national data commissioners will include:
• In gaining your consent, a much higher bar to ensure you “opt in” to providing personal data in the first place;
• The privacy of your data being considered in the design of all data controller and processor activity, rather than an afterthought;
• An obligation to perform data protection impact assessments where the technology or processes used to handle your personal data are likely to be high risk, as well as to maintain records of processing activities (a personal data inventory);
• Confirmation of the individual’s rights, including faster and free access to personal data held, upon request;
• Personal data breaches to be reported to the Gibraltar Regulatory Authority within 72 hours of becoming aware of them (unless the breach is unlikely to pose a risk to the individuals concerned), and, where the risk to those individuals is high, to the data subjects themselves.
A new obligation, if not a new concept, will be the requirement for all public sector entities, and many commercial enterprises (those whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of sensitive data), to appoint a Data Protection Officer to help manage this activity. This is not a role which can be filled with spare hands; it requires independence, expertise and professionalism, and can be outsourced.
Changes which more represent revolution, rather than evolution, include:
• The right to demand the erasure of personal data being held by a controller;
• A sea change in how data controllers and processors must demonstrate compliance with GDPR at the request of their supervisor, newly empowered for enforcement purposes; and,
• Perhaps most dramatically, an increase in the financial penalty ceiling from a range of varying yet modest levels to a maximum of €20m or 4% of global annual turnover, whichever is higher (as a current example, the UK has a ceiling of £500,000, while we have a more modest £5,000!).
For the hundreds of small-scale data controllers in Gibraltar, we are particularly blessed to have the GRA on our side, who frequently release useful guidance so that you can adjust to these pending obligations in good time (http://www.gra.gi/). For those with multi-jurisdictional considerations whose current data controlling and processing arrangements are more complex or intimidating, there is ample time to plan, staff and execute your preparatory work, with KPMG delighted to help wherever we can.
© 2017 KPMG LLC, an Isle of Man limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.