“A Cyber Week in London” Part 1, By Jane Lo

Just weeks ahead of the new European Data Protection law which came into effect on 25th May 2018, its parent SCL Elections Ltd. And Cambridge Analytica filed applications to commence insolvency proceedings, following wide spread media reports that it harvested personal data about Facebook users as far back as in 2014.

“The siege of media coverage has driven away virtually all of the Company’s customers and suppliers,” the firm said in the statement. “As a result, it has been determined that it is no longer viable to continue operating the business, which left Cambridge Analytica with no realistic alternative to placing the company into administration.”

Heavily embroiled in the scandal and determined to win back trust, Facebook said in full-page ads in European newspapers, “New EU legislation means more data protection for you.”

The new EU legislation is the General Data Protection Regulation, or GDPR in short. What is GDPR, why does Data Protection matter, and what are the implications for Singapore?

To answer these questions, we spent a week in London, speaking with Security Professionals with extensive experience in the European private and public sectors, and Cyber specialists from the OSP Cyber Academy.

 

Day 1 – 30th April – An Introduction to GDPR

What is Personal Data?

Data protection of personal data refers to the ability of a person to control, edit, manage and delete this information, and to decide how and to what extent such information is communicated to others. Common personal data such as race, age, gender come immediately to mind.

How did EU and UK Data Privacy and Protection laws come about?

“When we speak about social media, apps and the digital economy, it’s easy to forget the world that the UK’s current Data Protection Act was forged in. No Google. No Facebook. Clunky desktop computers with less processing power than we all have now in our pockets and purses.” – UK ICO (Information Commissioner’s Office) Elizabeth Denham.

With the appearance of mainframe computers which facilitated data banks in the 1960s, the collection and processing of personal data became widespread.

Elizabeth Denham, Commissioner UK ICO

Data protection principles were devised.

The German region of Hesse passed the first law in 1970; the US Fair Credit Reporting Act 1970 also contained some elements of data protection. In the UK, the Data Protection Act became law in 1984 Updated in 1998 to align with the EU 1995 Data Protection Directive, it became law on 1st March 2000.

How have they evolved since?

GDPR brings a 21st century approach with mandatory data breach reporting, higher standards of consent, and significantly larger fines (up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher).

Proposed in 2012, approved by the EU parliament in Apr 2016, it affects almost all organisations doing business in the EU. Effective from 25th May 2018, GDPR puts new obligations on companies and public bodies that collect data while giving consumers new rights over how their data is handled.

What does GDPR mean for UK businesses, after Brexit takes effect?

As UK is not yet out of EU on 25th May 2018, the legal reality, made explicitly clear by the UK Secretary of State, is that, UK businesses, like businesses in any other EU Member Sate, will need to comply with GDPR.

The Queen’s Speech to parliament on 21st June 2017 confirmed the implementation of the EU GDPR into UK national law: “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.”

This latest law, enshrining the GDPR and built on the UK Data Protection Act of 1998, was the UK Data Protection Bill. The text of the Bill received Royal Assent on 23rd May 2018 and is now an Act of Parliament (law).

 

Day 2 – 1st May – Demonstrating GDPR Compliance

What are the Key Principles underpinning the GDPR?

The European Court of Justice emphasized that even where there is a legitimate basis, processing must meet the principle of proportionality, and necessary to achieve stated purpose.

These key principles of “legitimacy”, “proportionality” and “transparency” in the EU Data Protection Directive of 1995, are retained in the GDPR Article 5 – Principles relating to processing of personal data:

1. Lawfulness (Data must be processed lawfully, fairly and in a transparent manner);
2. Purpose limitation (Data must be collected for specified, explicit and legitimate purpose);
3. Data minimization (Data should be limited to what is necessary)’
4. Accuracy (Data should be accurate and up to date);
5. Storage limitation (Data should be kept for no longer than is necessary).

What Rights do Data Subjects have?

The right of individuals to access their data is already an important part of the existing EU data protection law. Examples are the Right to request rectification of inaccurate personal information; the Right to restrict the processing.

GDPR also introduces the Right to data portability, seen as an important tool to facilitate the exchange of information necessary in the digital era. This right to transfer personal data from one organisation to another, or to the data subject, in a structured, commonly used and machine-readable format also encourages healthy competition between EU data controllers.

Some other key changes?

Where individual EU members had the ability to set specific detailed regulations in the old regime, GDPR sets explicit rules. Old rules specified data requests to be handled “without excessive delay” – but GDPR sets a deadline of one month.

Another is where previous rules allowed countries to set maximum fees in responding to requests – but GDPR rules that information be provided free of charge unless requests are “manifestly unfounded or excessive”.

What are the financial penalties?

Headline grabbing figure of €20 million, or 4% of the worldwide annual for non-compliance had attracted much attention.

But the penalty to be handed down may be lower, depending on the nature of data breached, and “the degree of responsibility of the controller or processor having regard to technical and organisational measures implemented by them”.

What do all these mean in practice?

GDPR is principle-based to cater for the varying processing and technological approaches. Flexible though explicit, the interpretation depends on social and cultural attitudes to privacy. For example, “fair” in Germany may not be regarded as “fair” in Spain.

Differences in the resources and attitudes of national supervisors are likely to result in variations in enforcement.

 

Full article (Part 1) can be found here

Full article (Part 2) can be found here

Shopping Basket