General Data Protection Regulation (GDPR) | KPMG | IM

General Data Protection Regulation - "Private" on Parade

General Data Protection Regulation (GDPR)

KPMG’s Risk Advisory team provides a light summary of the incoming General Data Protection Regulation. Whilst EU-driven, there is a local equivalent currently in draft phase. The Isle of Man Government has publicly committed to maintaining an equivalent level of legislative protection by May 2018, when GDPR itself will “go live”.

KPMG’s recent research suggests over half of us have decided against an online purchase due to privacy concerns. We are perhaps a couple of generations into a world where we accidentally or begrudgingly hand personal data to “selected third parties”, safe in the knowledge that at some juncture, our inboxes will start to swell with unwanted approaches. 

So how comfortable are we that the personal data we entrust with both the public and private sector is, and continues to be, used as originally intended?

The General Data Protection Regulation (GDPR) driven from the EU has turned a few heads in its approach to the refresh of what is ultimately a pre-internet approach to the accumulation, management and disposal of EU citizens’ personal data. Existing European legislation was codified at a time before our personal data was such a demonstrably marketable commodity, illustrated by some of the rather shocking cases recently highlighted by the UK’s Information Commissioner’s Office.

GDPR itself will be supplemented by revised e-Privacy Regulation which goes into much more detail on specific matters such as cookies, messenger apps and spam to create a “data protection package”.

GDPR helps clarify responsibilities of Data Controllers (those who are ultimately responsible for why and how your data is used) and Data Processors (those who might deal with technical elements of data management). Ambiguity, particularly within intra-group relationships, left a fairly grey area previously, so we might expect a suite of contractual reviewing and redrafting over the next year! 

But why would the Isle of Man care about EU Regulation? GDPR comes with an extra-territorial angle – regardless of where the personal data of an EU citizen is processed or controlled, the Regulation is applicable, on paper at least. Needless to say, a great number of the 2,090 registered Data Controllers on the Island control or process EU citizens’ personal data, be it that of their employees, customers or targets. 

Extra-territoriality has indeed been seen in action before GDPR, with Facebook embroiled in a legal dispute which ultimately saw the US data protection standard (known colloquially as “Safe Harbor”) effectively demoted by the EU off the back of a European High Court case in 2015.

It is on that basis that the Isle of Man has committed unequivocally to maintaining an “equivalent” position to that of the EU on this matter, with it featuring in the Programme for Government this year. We have been formally equivalent since 2003, with our existing data protection legislation being very similar to that of the UK.

What exactly is changing? Some of the improvements driven through GDPR and actively enforced through more aggressive national data commissioners will include:

• In gaining your consent, a much higher bar to ensure you “opt in” to providing personal data in the first place;

• The privacy of your data being considered in the design of all data controller and processor activity, rather than an afterthought;

• An obligation to perform impact assessments if the technology or processes used to control your personal data is high risk, as well as maintain personal data inventories;

• Confirmation of the individual’s rights, including faster and free access to personal data held, upon request;

• Obligations to report all personal data breaches to our Information Commissioner, and potentially the data subjects themselves.

A new obligation, if not a new concept, will be the requirement for all public sector entities, and many commercial enterprises, to have Data Protection Officers to help manage this activity. This is not a role which can be filled with spare hands; it requires independence, expertise and professionalism, and can be outsourced.

Changes which more represent revolution, rather than evolution, include:

• The right to demand the erasure of personal data being held by a controller;

• A sea change in how data controllers and processors must demonstrate compliance with GDPR at the request of their supervisor, newly empowered for enforcement purposes; and,

• Perhaps most dramatically, an increase in the financial penalty ceiling from a range of varying yet modest levels to a maximum of €20m or 4% of global turnover (as a current example, the UK has a ceiling of £500,000, while we have a more modest £5,000!).

For the hundreds of small scale data controllers on the Island, we are particularly blessed to have an Information Commissioner’s office which is prolific in releasing useful guidance so that you can adjust to these pending obligations in good time (https://www.inforights.im/). For those with multi-jurisdictional considerations whose current data controlling and processing arrangements are more complex or intimidating, there is ample time to plan, staff and execute your preparatory work, with KPMG delighted to help wherever we can.