Rashda Rana, a senior counsel in the UK, told iTWire in a detailed interview that management consulting firm Oliver Wyman had estimated that the EU would reap about US$6 billion in fines from organisations that were not in compliance during the first year of the GDPR. This, despite all parties having had two years to fall in line with the regulation.
A high-profile lawyer in the UK, Rana (above) has also had extensive experience in international commercial litigation and arbitration as counsel and arbitrator in other jurisdictions including Australia, New York, Paris, Milan, Brazil, Hong Kong, Singapore, Malaysia and China.
She has significant in-house experience as general counsel at one of the world’s leading project management, design and construction companies which operates in more than 30 countries.
She has functioned as arbitrator in many domestic and international commercial disputes, both institutional and ad hoc, and is an experienced CEDR-accredited mediator who has conducted mediations around the world. In September 2017, she was appointed to the ICSID Panel of Conciliators by the chairman of the World Bank.
An active member of a number of significant industry associations, she was co-founder of The Alliance for Equality in Dispute Resolution, a past president of ArbitralWomen, founding secretary of the Society of Construction Law Australia and the first female president of the Australian branch of the Chartered Institute of Arbitrators (CIArb).
At what must be an incredibly busy time for her, Rana was gracious enough to agree to a detailed interview by email.
iTWire: What is the GDPR? Why is it needed?
Rashda Rana: GDPR is the new EU directive, General Data Protection Regulation, that provides a new framework for data protection laws. It requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the export of personal data outside the EU. The GDPR’s overall aim is to give European residents greater control and visibility over their personal data, thereby also strengthening data protection.
What will the penalties be for not falling in line and what are the deadlines?
The GDPR allows for steep penalties of up to €20 million or 4% of global annual turnover, whichever is higher, for non-compliance. According to a report from Ovum, 52% of companies believe they will be fined for non-compliance.
Management consulting firm Oliver Wyman predicts that the EU could collect as much as US$6 billion in fines and penalties in the first year. There are some areas in which there remains some room for interpretation.
How will penalties be assessed? For instance, it provides that companies must provide a “reasonable” level of protection for personal data, but does not define what constitutes “reasonable”. This may leave open the possibility of fines being levied where it is deemed that protection of personal data was not reasonable in the circumstances.
For example, how will fines differ for a breach that has minimal impact on individuals versus one where their exposed PII (personally identifiable information) results in actual damage? The consensus is that the regulators will quickly act on a few companies found to be not in compliance early on, to send a message. Then, organisations can make a better assessment of what to expect in the event of a non-compliance finding.
For now, the ability to show a good-faith effort to comply should protect companies from harsh penalties. In a recent speech, Elizabeth Denham, the UK information commissioner, had this to say to organisations concerned about GDPR fines:
“…I hope by now you know that enforcement is a last resort. I have no intention of changing the ICO’s (Information Commissioner’s Office’s) proportionate and pragmatic approach after 25th of May. Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law. Those organisations that self-report, engage with us to resolve issues, and demonstrate an effective accountability arrangement can expect this to be a factor when we consider any regulatory action.”
Is there something wrong with existing data protection laws in the EU? Is that why the change was needed?
The existing data protection laws are outdated and have not kept abreast of changes in technology and data collection/data protection. The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995. After publication of the GDPR in the EU Official Journal in May 2016, it will come into force on 25 May.
The two-year preparation period has given businesses and public bodies covered by the regulation time to prepare for the changes. The change was needed because of public concern over privacy. The amount of data we produce now wasn't foreseeable when current data protection laws were drawn up in the late 1990s.
For instance, according to the RSA Data Privacy & Security report (comprising a survey of 7500 consumers in France, Germany, Italy, the UK and the US), 80% of consumers said lost banking and financial data is a top concern. Lost security information (e.g., passwords) and identity information (e.g., passports or driving licences) was cited as a concern by 76% of the respondents. The report’s authors concluded that, “As consumers become better informed, they expect more transparency and responsiveness from the stewards of their data.”
What would be the likely effect of the GDPR on the UK after Brexit?
Currently, the provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. However, that standard is quite high and will require most companies to make a large investment to meet and to administer. The UK introduced a new Data Protection Bill in August 2017, which largely includes all the provisions of the GDPR. There are some small changes but the UK law will be largely the same.
The laws will obviously affect international companies doing business in the EU. How will it affect them?
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are:
- A presence in an EU country.
- No presence in the EU, but it processes personal data of European residents.
- More than 250 employees: there's a need to have documentation of why people's information is being collected and processed, descriptions of the information that's held, how long it's being kept for and descriptions of technical security measures in place.
- Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies. For instance, a PwC survey showed that 92% of US companies consider GDPR a top data protection priority.
Under GDPR, the "destruction, loss, alteration, unauthorised disclosure of, or access to" people's data has to be reported to a country's data protection regulator – in the case of the UK, the ICO – where it could have a detrimental impact on those who it is about. This can include, but isn't limited to, financial loss, confidentiality breaches, damage to reputation and more. The ICO has to be told about a breach 72 hours after an organisation finds out about it and the people it impacts also need to be told.
What kind of companies/organisations, if any, will be exempt from the laws?
There are some who claim that the GDPR will add to the lack of digital security by allowing people to hide details of things like domain registrations which they now have to display. Do you subscribe to this view?
No, I don’t. The Data Protection Bill in the UK, for instance, proposes to modernise current data protection regulations by expanding the definition of personal data to include IP addresses, Internet cookies, and DNA.
In addition, controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted. "Lawfully" has a range of alternative meanings, not all of which need apply. Firstly, it could be lawful if the subject has consented to their data being processed. Alternatively, lawful can mean to comply with a contract or legal obligation; to protect an interest that is "essential for the life of" the subject; if processing the data is in the public interest; or if doing so is in the controller's legitimate interest - such as preventing fraud.
At least one of these justifications must apply in order to process data. The GDPR gives users/consumers greater access and control. For instance, not only does it impose obligations on companies collecting personal data but also gives individuals greater power to access the information that's held about them. Currently, for instance, in the UK a Subject Access Request allows businesses and public bodies to charge £10 for disclosing information held about individuals.
Under the GDPR this is being scrapped and requests for personal information can be made free of charge. When someone asks a business for their data, they must stump up the information within one month. Everyone will have the right to get confirmation that an organisation has information about them, access to this information and any other supplementary information. This means that companies, regardless of size (the tech giants as well as start-ups), will have to comply by giving users more control over their data.
As well as this, the GDPR bolsters a person's rights around automated processing of data. The ICO says individuals "have the right not to be subject to a decision" if it is automatic and it produces a significant effect on a person. There are certain exceptions but generally people must be provided with an explanation of a decision made about them.
The new regulation also gives individuals the power to get their personal data erased in some circumstances (the right to be forgotten). This includes where it is no longer necessary for the purpose it was collected, if consent is withdrawn, there's no legitimate interest, and if it was unlawfully processed.
Does the GDPR make a distinction between personal data and commercial data?
The GDPR covers various types of data:
- Basic identity information such as name, address and ID numbers;
- Web data such as location, IP address, cookie data and RFID tags;
- Health and genetic data;
- Biometric data;
- Racial or ethnic data;
- Political opinions; and
- Sexual orientation.
The GDPR and other data protection laws rely on the term "personal data" to discuss information about individuals. In the UK, for instance, there are two key types of personal data and they cover different categories of information. Personal data can be anything that allows a living person to be directly or indirectly identified. This may be a name, an address, or even an IP address. It includes automated personal data and can also encompass information which has been “pseudonymised” if a person can be identified from it.
In addition, sensitive personal data falls into "special categories" of information. These include trade union membership, religious beliefs, political opinions, racial information, and sexual orientation.
Companies that have "regular and systematic monitoring" of individuals at a large scale or process a lot of sensitive personal data have to employ a data protection officer. For many organisations covered by GDPR, this may mean having to hire a new member of staff – although larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers. It means that data protection will be a boardroom issue in a way it hasn't been in the past.
There's also a requirement for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person's information they have to clearly explain that consent is being given and there has to be a "positive opt-in".
How will the GDPR affect data which is in the cloud – for example, say the data of an Australian company being stored in a server which is physically located in Germany?
The relevant element is whose data is it and to what use is it being put? The GDPR targets personal data regardless of where it is held. If the company which collected the personal data is caught by the regulations then it doesn’t matter where it is stored.
The GDPR includes an accountability principle, which requires companies to document how they’ve become compliant. "Controllers" and "processors" of data need to abide by the GDPR. A data controller is responsible for stating how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing.
Take, for example, ADP, which is a company that provides cloud-based human capital management and business outsourcing services to more than 650,000 companies globally. ADP holds PII for millions of people around the world, and its clients expect the company to be GDPR-compliant and to help them do the same. If ADP is found non-compliant with GDPR, it risks not only fines but loss of business from clients expecting ADP to have them covered.
Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they're dealing with data belonging to EU residents.
It is the controller's responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under earlier legislation.
What about the financial costs of compliance? Would governments be aiding companies in any way with this?
No, and by now they should have thought of and implemented the requirements of GDPR!!
In your view, what is the most important part of the legislation?
The overall protection of personal data in an uncertain and insecure cyber world.