On Tuesday, 25 November 2014, Peter Hustinx, the European Data Protection Supervisor (EDPS) at the time, published a report containing Guidelines on data protection in EU financial services regulation, with useful information on how to process personal data and comply with the new and complex rules on data protection. While the title of the Guidelines suggests that they are aimed at financial services in particular, I think that the easy-to-follow, practical steps can be applied to any organisation involved in the management of personal information.
This blog post is an attempt to condense the steps that the Guidelines propose and to adapt them so that they can be applied to any kind of business, not only financial ones. If you have comments or want to add something, feel free to use the comments below!
Since the financial crisis of 2008, the European Commission has taken many regulatory steps to prevent a repeat of the economic downturn, and most of that legislation has been directed at financial services. Over forty new laws have been introduced since 2008 with the aim of increasing the accountability and transparency of the financial market. While increased regulation is justified and in everyone’s best interest, in practice it means that financial institutions and regulatory or governmental bodies will be collecting and retaining large amounts of personal information. The report containing the Guidelines can be seen as a practical toolkit for ensuring that individuals’ right to data protection is respected and incorporated during the development of future EU financial policy and law. Since the dawn of the digital age, personal data has become incredibly valuable; Viviane Reding has even said that personal information is the predominant currency of the present and the future. Therefore, in addition to delivering a report of practical value, Buttarelli stated that the report also aims to demonstrate that protecting the rights of the individual is both necessary and compatible with effective financial services regulation. In other words, the EDPS is saying that increased regulation of the financial industry can coexist with data protection rights.
Step 1: Identify the personal information to be processed
In this first step you assess whether your activities are likely to involve personal information being collected, analysed or otherwise used and, if so, which information.
Data protection law defines personal data (personal information) broadly: any information relating to an identified or identifiable natural person. This is important to bear in mind when developing services, products or policies that involve personal information of any kind. Because of the broad definition, the information does not need to identify an individual directly, for example by name or address. Location data and IP addresses are good examples of data that may indirectly lead to the identification of a single person.
Policies and other documents that govern the processing of personal data should include a clause requiring the processing to comply with EU and national data protection rules. This clause should describe precisely:
a) the type of information to be processed, and particularly any sensitive data,
b) how long the information will be retained,
c) who will have access to the information, and
d) appropriate safeguards for protecting the rights of the individual.
Step 2: Assess whether information processing interferes with the right to privacy
It is important to realise that the right to data protection and the right to privacy are two separate rights. The right to privacy comes into play, for example, when competent authorities need to enter private premises to seize documents for the purpose of an investigation. This step is written particularly for legislators and policy makers; it is not relevant to most readers of this blog and will therefore not be elaborated on.
Step 3: Define the purpose for processing of personal information
This step is aimed at ensuring compliance with the ‘purpose specification’ principle. In short, personal data may only be collected for ‘specified, explicit and legitimate’ purposes, and may not be ‘further processed in a way incompatible’ with those purposes. In practice this means you need to take it into account when writing the clause and/or policy referred to in step 1: define clearly and precisely why you are processing or storing the personal information, and store and process it only for that purpose.
Step 4: Establish a legal basis for the data processing
In addition to the purpose specification requirement, the law requires that the processing of personal information is lawful only when it is based on the consent of the person concerned or on another legitimate basis laid down by law. The legal grounds for processing personal data are specified in the Data Protection Directive and in Regulation (EC) No 45/2001. In the business world, consent is by far the most commonly used legal ground. In the light of the upcoming Data Protection Regulation you should bear in mind that consent must be given explicitly; implied consent will no longer be sufficient. To summarise, step 4 requires you either to obtain consent from the individual whose data you are processing or to establish that one of the other legal grounds applies to your activity. These legal grounds can be found in Article 7 of Directive 95/46/EC and Article 5 of Regulation (EC) No 45/2001.
Step 5: Evaluate and justify an appropriate retention period for the information
While this step is specifically directed at legislators, it is vital to apply it in every organisation involved in the processing of personal information. Specifying the data retention period is consistent with best practice; it gives all parties involved clarity and is likely to serve your business well, as your customers will appreciate the transparency of your policy. Personal information should be deleted from your systems as soon as it is no longer necessary for the purpose you specified in step 3. There is one exception to this rule: where specific EU or national rules require you to store the data for a longer period. For example, some tax laws require certain information to be retained.
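As an added illustration (not part of the original post or of the Guidelines), the following Python sketch shows how the rule in steps 3 and 5 can be enforced mechanically rather than left to a policy document: every record carries the purpose it was collected for, a policy table maps each purpose to a retention period, and an optional statutory hold date models the tax-law exception. The purposes, the retention periods, the record structure and the sample records are all hypothetical values made up for this example.

```python
"""Purpose-based retention check with a statutory-hold exception.

Added example, not code from the original post or the EDPS Guidelines.
The retention periods and records below are invented for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical retention policy: days to keep the data, keyed by the purpose
# the data was collected for (the purpose specified under step 3).
RETENTION_DAYS = {
    "account_servicing": 730,
    "marketing": 365,
    "support_ticket": 180,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    collected_on: date
    # Set when a specific EU or national rule (tax law, for instance) obliges
    # you to keep the data beyond the purpose-based period (step 5 exception).
    legal_hold_until: Optional[date] = None


def purpose_deadline(record: Record) -> date:
    """Date on which the purpose-based retention period has elapsed.

    A record whose purpose is not in the policy has no justified retention
    period at all; raising here surfaces the gap instead of silently keeping
    the data forever.
    """
    try:
        days = RETENTION_DAYS[record.purpose]
    except KeyError:
        raise ValueError(f"no retention period defined for purpose {record.purpose!r}")
    return record.collected_on + timedelta(days=days)


def deletion_date(record: Record) -> date:
    """Earliest date on which the record may be deleted: the later of the
    purpose-based deadline and any statutory hold still in force."""
    deadline = purpose_deadline(record)
    if record.legal_hold_until is not None and record.legal_hold_until > deadline:
        return record.legal_hold_until
    return deadline


def classify(records, today: date) -> dict:
    """Split records into those due for deletion, those still needed for their
    stated purpose, and those kept only because a statute requires it."""
    result = {"delete": [], "retain": [], "legal_hold": []}
    for r in records:
        if today >= deletion_date(r):
            result["delete"].append(r.record_id)
        elif today >= purpose_deadline(r):
            result["legal_hold"].append(r.record_id)  # purpose expired, statute keeps it
        else:
            result["retain"].append(r.record_id)
    return result


# Constructed sample records and reference date for a stand-alone run.
AS_OF = date(2014, 11, 25)
SAMPLE_RECORDS = [
    Record("r1", "support_ticket", date(2014, 1, 10)),   # 180 days -> deletable from 2014-07-09
    Record("r2", "marketing", date(2014, 6, 1)),         # 365 days -> deletable from 2015-06-01
    Record("r3", "support_ticket", date(2014, 1, 10), legal_hold_until=date(2020, 12, 31)),
    Record("r4", "account_servicing", date(2012, 1, 1), legal_hold_until=date(2013, 6, 30)),
]

if __name__ == "__main__":
    # r1 and r4 are due for deletion (r4's hold lapsed before its purpose deadline),
    # r2 is still needed, r3 is kept only because of the statutory hold.
    print(classify(SAMPLE_RECORDS, AS_OF))
```

Two design choices matter here. A record with an unknown purpose raises instead of being kept by default, because data with no specified purpose has no basis for being retained at all. And a legal hold only extends retention when it ends later than the purpose-based deadline; an expired hold, as for r4, does not keep the data alive.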
Step 6: Identify who, within the EU, may have access to the personal information
This step is aimed at the transfer and/or exchange of personal information between private and/or public bodies. Such transfers are themselves ‘processing of personal data’ for the purposes of data protection law. Specific rules apply depending on the organisations involved, but they fall outside the scope of this article (see page 16 of the Guidelines). For this step it is sufficient to specify the authorities who may have a right to access the personal data, what data they can access and for what purpose. Lastly, you must specify and provide safeguards against access to the information by other external authorities or third parties that have an interest in the personal information.
Step 7: Establish a correct legal basis for any transfer of personal information outside the EU
The general rule is that personal data may only be transferred to a third country if the Commission has found that country to provide an adequate level of protection. When you anticipate transferring data to third countries you must be clear about the legal basis for the transfer, and should provide for case-by-case decisions that respect the principle of data minimisation: only data that are adequate, relevant and not excessive for the defined purpose are collected and used. While it is not mandatory, the Guidelines suggest that it may be appropriate to provide explicitly for safeguards ensuring data quality, relevance and confidentiality.
Step 8: Provide appropriate guarantees of individuals’ data protection rights
This step covers a number of rights that individuals have when their information is being processed. The first is the right to information: you are required to inform individuals of the identity of the organisation responsible for the processing, the purposes of the processing, and any further information that may be relevant. The second is the right of access, rectification and erasure: the individual may, at reasonable intervals, require you to provide the data being processed and information about that processing, including the ‘logic’ behind it. Furthermore, if the processing does not comply with data protection rules because, for example, the information is incomplete or inaccurate, individuals may obtain rectification, erasure or blocking of the data. The third is the right to object: individuals have the right to object at any time, on compelling legitimate grounds relating to their particular situation, to the processing of information concerning them. If the objection is justified, the processing must cease.
Step 9: Consider appropriate data security measures
When you process personal data on a large scale with the aid of large IT systems you must carefully consider whether processing the personal data is necessary at all. You must put appropriate technical and organisational safeguards in place, proportionate to the risks presented by the processing and the nature of the data, to protect the personal data. This is even more relevant when you are processing sensitive data.
Step 10: Provide for specific procedures for supervision of data processing
This step builds on step 9. The processing of personal data is supervised by national data protection authorities, such as the Data Protection Commissioner, and, for EU institutions and bodies such as the European financial supervisory authorities, by the EDPS. When your organisation is involved in an operation that poses substantial risks to the rights of the individuals involved, you must notify the relevant data protection authority and seek prior checking of the processing. For most businesses the relevant authority will be the data protection commissioner of the country in which the company is based.
That concludes my summary of the 10 steps provided by the EDPS. I hope you found it useful. If you require more detailed information, I highly recommend taking a look at the complete document, which you can find here.