The EU’s new General Data Protection Regulation will enter into force in spring 2018. The purpose of the Regulation is to strengthen and harmonise the rights of individuals within the EU and to respond to unlawful processing and international misuse of personal data. For every company operating in Finland, for example, the Regulation will mean a redefinition of current operations, as well as new responsibilities and obligations. Attorney-at-Law Pekka Kiviniemi of Kalliolaw advises Finnish companies to familiarise themselves with the Data Protection Regulation immediately.
Personal data “contaminates” an entire data set unnoticed
Any data relating to an identifiable person is classified as personal data: if a certain individual is directly or indirectly identifiable on the basis of the data being processed, that data is personal data. Processing means, for example, that the data is viewed, or that it is stored in the log of an information system.
Personal data contained in an information system very often and easily contaminates all other data in that system. When personal data is combined with a data set in the system, the whole data set becomes personal data. Kiviniemi gives an example:
“If, say, a company’s work equipment, such as work overalls, is recorded in a data set in the company’s information systems, and that set includes the employees’ names and sizes, the list of work equipment has become personal data.”
“It is advisable to avoid using personal data whenever possible. And to use it minimally, only upon actual need,” Kiviniemi advises.
“For example, at one of our client companies they previously used personal identity numbers to book meeting rooms. This is completely beyond what is necessary and goes beyond management of all risks. This sort of usage is a definite no.”
How to prevent contamination of information systems
“If personal data is pseudonymised and encrypted, that is, processed in such a way that the data can no longer be related to a registered individual without using additional information such as an encryption key, and the data set can only be accessed by a few selected users with certain user rights and in certain situations only, some of the problems related to the processing of personal data can be avoided,” Kiviniemi explains.
“For instance in HR functions, a particular data set concerning personnel can be isolated methodologically and technically by creating unique number series for the personal data in the data set, from which series an individual cannot be identified nor does the number series refer to the individual in any way. When this random, unique identifier is used to operate other information, in short, contamination can be avoided.”
Pseudonymising and encrypting data are also among the few ways to transfer data relating to individuals outside the EU. If there is a service in which personal data is processed in a server centre located in Asia, the data must be transferred pseudonymously, using unique identifier series, in such a way that the data cannot legally be opened and unpacked in Asia at all. In that case, the data processed in the Asian data centre is, in fact, no longer personal data, but only character strings. Of course, other methods of transferring personal data can be used as well.
New responsibilities and obligations for companies and other controllers
As a result of the Regulation, companies and other controllers will have to review their privacy protection policies, since significant new obligations and responsibilities lie ahead.
In short, processing of personal data is prohibited unless there is explicit consent given by the data subject, a contract between the subject and the controller, a justification set forth in mandatory legislation, protection of vital interests, a necessary task carried out by public authorities, or processing that is necessary due to legitimate interests.
Requirements for obtaining consent from an individual will tighten. The data subject must freely give consent through an explicit act. The consent must be explicit, that is, the controller must be able to prove that the person expressed his or her will for the very specific purposes of personal data processing.
According to Kiviniemi, long and complex terms and conditions, hundreds of pages in length, that hide provisions on how personal data and location data are processed are going to change.
“It is advisable for companies to take the tightening consent requirements into account, for example, in their future contract terms regarding the supply of goods and services and electronic services: the service can rarely even be delivered without consent to personal data processing.”
Personal data may only be collected and processed for a specifically agreed purpose.
Processing of special categories of personal data, such as race, ethnic origin or political opinion, is prohibited, with a few exceptions.
Right of individual to access all data related to himself or herself immediately
The rights of an individual whose personal data is processed are listed in the General Data Protection Regulation. These include, inter alia, the right to access one’s own personal data, the right to be forgotten, and the right to erasure of the data.
The individual’s right of access means that the individual has the right to know at any time whether the controller is processing any data relating to him or her, and if so, which data.
The controller is obliged to provide, on request, without delay and in a clear and commonly used file format, a copy of the personal data that it processes. Such data includes, for example, address, purchase history, customer loyalty information, means of payment and information on the customer’s classification, where the controller processes this kind of personal data.
An individual has the right to be forgotten by obliging the controller to destroy the personal data concerning him or her in the register, e.g. when withdrawing his or her consent to the collection of data. Withdrawing consent must be possible in the same way, and just as easily, as giving it.
“In order for the controller to be able to continue using data already collected, e.g. for business volume purposes, in a case where an individual has requested erasure, the data must be anonymised and the other data must be separated from the person’s identity in a final manner. In many cases, this means manual work. Fast and documented destruction of the data is also in the interests of the company,” Kiviniemi clarifies.
“If there is personal data on a server more than for example three years old, which data the company has not touched, alarm bells should start ringing.”
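The pseudonymisation described above (a random, unique identifier series replacing the identity, with the link to the person kept in a separate, access-restricted store) and the later point about erasure and anonymisation can be shown together in code. The following is an added example, not code from the article or from Kalliolaw, and it uses the work-overalls register from the article as constructed sample input; the class and function names, and the cut-off date, are assumptions. It also covers the right of access (a copy of the subject's records in a common format) and the three-year "alarm bell" as a simple retention check.

```python
import json
import secrets
from datetime import date, timedelta

# Constructed sample: the work-equipment register from the article. The names
# make the whole list personal data, so the names are what gets pseudonymised.
EQUIPMENT_REGISTER = [
    {"employee": "Anna Example", "item": "overalls", "size": "M", "last_touched": "2017-05-02"},
    {"employee": "Bert Example", "item": "overalls", "size": "XL", "last_touched": "2013-11-20"},
    {"employee": "Anna Example", "item": "safety boots", "size": "39", "last_touched": "2016-09-14"},
]


class PseudonymVault:
    """Holds the only link between random tokens and real identities.

    In production this is a separate, access-restricted store (the "additional
    information" the article refers to); here it is an in-memory dict.
    """

    def __init__(self):
        self._identity_to_token = {}
        self._token_to_identity = {}

    def token_for(self, identity):
        """Return the stable token for an identity, minting one on first use."""
        token = self._identity_to_token.get(identity)
        if token is None:
            # 128 random bits: the token says nothing about the person and is
            # not derived from the identity (unlike a plain hash of the name).
            token = secrets.token_hex(16)
            self._identity_to_token[identity] = token
            self._token_to_identity[token] = identity
        return token

    def lookup(self, identity):
        """Token for a known identity, or None; never mints a new one."""
        return self._identity_to_token.get(identity)

    def resolve(self, token):
        """Identity behind a token, or None once the link has been erased."""
        return self._token_to_identity.get(token)

    def forget(self, identity):
        """Erase the link irreversibly: records keyed by the token become anonymous."""
        token = self._identity_to_token.pop(identity, None)
        if token is not None:
            del self._token_to_identity[token]
        return token is not None


def pseudonymise(records, vault, identity_field="employee"):
    """Copy of the records with the identity replaced by its token; nothing else changes."""
    out = []
    for rec in records:
        pseudo = dict(rec)
        pseudo[identity_field] = vault.token_for(rec[identity_field])
        out.append(pseudo)
    return out


def subject_access_copy(pseudo_records, vault, identity, identity_field="employee"):
    """Right of access: the subject's own records, re-identified, as a JSON document."""
    token = vault.lookup(identity)
    own = [dict(r, **{identity_field: identity})
           for r in pseudo_records if r[identity_field] == token]
    return json.dumps(own, indent=2, sort_keys=True)


def stale_tokens(pseudo_records, today, max_age=timedelta(days=3 * 365),
                 identity_field="employee"):
    """Tokens whose records have not been touched within max_age (the article's alarm bell)."""
    latest = {}
    for rec in pseudo_records:
        touched = date.fromisoformat(rec["last_touched"])
        tok = rec[identity_field]
        latest[tok] = max(latest.get(tok, touched), touched)
    return sorted(tok for tok, d in latest.items() if today - d > max_age)


def demo(today=date(2018, 5, 25)):
    """Walk through pseudonymisation, access, retention check and erasure (assumed date)."""
    vault = PseudonymVault()
    pseudo = pseudonymise(EQUIPMENT_REGISTER, vault)       # what leaves the HR silo
    anna_copy = json.loads(subject_access_copy(pseudo, vault, "Anna Example"))
    stale = stale_tokens(pseudo, today)                    # untouched for over three years
    bert_token = vault.lookup("Bert Example")
    vault.forget("Bert Example")                           # erasure request: drop the link only
    return {
        "pseudo": pseudo,
        "anna_copy": anna_copy,
        "stale": stale,
        "bert_token": bert_token,
        "bert_resolves": vault.resolve(bert_token),        # None: the records are now anonymous
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, sort_keys=True))
```

The point of keeping the vault apart from the pseudonymised records is that the records can be shared, processed or stored elsewhere without becoming personal data for whoever holds them, and an erasure request is satisfied by deleting one mapping entry rather than by hunting through every data set that referenced the person.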
Neglect leads to sanctions
The Data Protection Ombudsman already carries out specific audits today and will continue to do so in the future. In addition, the EU will have its own data protection authority.
Neglecting the Data Protection Regulation is punishable by significant penalties. The controller may be ordered to compensate the data subject for direct and indirect damages. In addition, the controller shall pay administrative fines of up to 2% of its global annual turnover. A criminal penalty is also possible, as it is already today.
The sanctions for wrongful processing of the personal data of individuals residing in the EU are the same for all controllers, including companies with their registered office in the United States, when certain preconditions for providing services specifically to Europeans are met. Thus companies operating outside the EU no longer have a competitive advantage.
“Even if the neglect of personal data processing rules were the error of a subcontractor, all obligations would always fall upon the controller in the end. However, with good agreements the risk can be managed,” Kiviniemi reminds.
“With good agreements obligations can be passed on to subcontractors or partners. This may cover damages or potential losses in part.”
Read more about the Data Protection Regulation here: http://ec.europa.eu/justice/data-protection/
For further information, please contact: Ineo Oy, Timo Seppänen, +358 40 9000701