Data protection rules are changing - get ready for the GDPR
First published in Aggregates Business Europe
Jowanna Conboye of Stephens Scown highlights recent security breaches at mineral companies and sets out guidance on the upcoming change in the law around data protection.
In April 2016 Goldcorp Inc, based in Canada, announced to the public that its computer network had been compromised and the gold mining company had not yet figured out the scope and impact of the security breach.
The hackers posted a vast amount of data about Goldcorp’s employees and company data online, including payroll information, bank account information and contact details. This serious breach of the company’s system is yet another example of why the constant fight against hackers and security breaches is getting harder and why the law needs to change to keep up.
Companies in the mining and minerals sector are particularly vulnerable to hacks and security breaches due to the large amount of personal data most companies hold on their employees, suppliers and customers as well as their cross-border practices and in some cases, politically sensitive operations which could lead to being a target for hackers.
Why the law is changing
The current law on data protection is widely held to be out of date and no longer fit for purpose. Across the European Union, data protection law in individual member states is based on the Data Protection Directive 95/46/EC, which was passed in 1995. In the UK the directive was implemented as the Data Protection Act 1998. In the late 1990s the majority of communications were still carried out on paper or by phone; the internet, Google and widespread email communication as standard did not reach the business sector until the end of the 1990s.
This pre-digital law is still in force now, meaning businesses and their advisors have to try to make an old-fashioned law fit the new technological age.
In 2016 a new law with wide-ranging implications for all businesses was adopted at European level. The new General Data Protection Regulation (Regulation (EU) 2016/679, or GDPR) was published in May 2016 and applies from 25 May 2018, and it represents a step change in the rules around protecting personal data. For many operators in the mining and mineral industry this new law will necessitate substantial changes to the way their internal processes are run.
Mandatory breach notification
The GDPR introduces a mandatory personal data breach notification requirement. Where an organisation suffers a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, it must report that breach to the supervisory authority unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. The supervisory authority is the national data protection regulator of the member state concerned (in the UK, the Information Commissioner's Office), which may issue that organisation with a fine for the security breach. Where a breach is likely to result in a high risk to individuals, the organisation must also inform the affected individuals without undue delay.
Particularly difficult for businesses will be the additional rule that security breaches must be notified to the authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of the breach; a later notification must be accompanied by reasons for the delay. This means that businesses will need robust and reliable systems for identifying, assessing, documenting and reporting security breaches, particularly where those breaches are caused by human error and may not be spotted as quickly as an external attack.
Higher fines
The fines across EU member states are set to increase dramatically, with a tiered approach to penalties for breach of the rules. The current maximum fine in the UK is £500,000. Under the GDPR the national supervisory authorities will be able to issue fines of up to €20m or 4% of worldwide annual turnover, whichever is higher, for the worst offences, including breach of the requirements on international transfers or getting the conditions for lawful processing wrong.
A lower set of fines of up to €10m or 2% of worldwide turnover, whichever is higher, is applicable to issues such as failure to report a breach within the time limit. In these cases, it should be noted that organisations can be fined both for a security breach and the failure to report the breach.
Greater accountability
Perhaps the greatest change in the law, and the hardest for companies to comply with, is the greater accountability requirement. The GDPR requires companies not only to comply with the rules but to be able to demonstrate that compliance with comprehensive documentation and evidence.
Organisations with 250 or more employees must keep detailed internal written records of their processing activities, including the purpose of the processing, a general description of the security measures used and the extra safeguards put in place for dealing with sensitive personal data (including information on people's health, religion, race and sexual orientation). Smaller organisations are not exempt as often as they might hope: the exemption for those with fewer than 250 employees does not apply where the processing is likely to result in a risk to individuals, is not occasional, or involves sensitive personal data, and most employers will process such data (for example, sickness records) routinely.
Tips for preparing now
Companies in the mining and minerals sector can take the following steps now to help prepare for the upcoming GDPR:
1. Prepare for data security breaches
The mining and minerals industry is particularly vulnerable due to the amount of data most businesses hold and the danger posed by hackers. Put in place clear policies and procedures that enable you to detect a security breach, assess the risk to the individuals affected, react quickly and comply with the mandatory notification period. Make sure your IT systems are protected and monitored well enough that a breach is discovered promptly rather than months later, since the 72-hour clock runs from the moment you become aware of it.
2. Create a system for recording accountability
You will need to be able to prove that you keep comprehensive records of all aspects of data protection compliance, including the collection, storage, use and sharing of the personal data of employees, suppliers and customers, and the legal basis relied on for each.
3. Conduct a data audit
Review all your data processing activities and what personal data the company holds, where it is held and who has access to it. Make sure you are clear on the legal basis on which you are processing each category of data, and that you are prepared to design all your future projects with data protection built in from the start.