Data Protection Directive or General Data Protection Regulation: which one is for you?
With the EU's data protection reform measures coming into force imminently, INHOPE - the International Association of Internet Hotlines - discusses the differences between the new General Data Protection Regulation (GDPR) and Data Protection Directive with special reference to hotlines within the wider Safer Internet Centre (SIC) context. Read on to find out more.
The new General Data Protection Regulation (GDPR) comes into force in May 2018 as part of a package of reform measures; all organisations within the European Union need to be compliant. For the police and criminal justice sector, including law enforcement agencies (LEAs), the Data Protection Directive applies instead, ensuring efficient exchange of information under a single set of data protection rules valid across all member states. With one set of legal criteria in place for every EU member state, sharing data across countries becomes more cost-effective and saves time. A European Commission fact sheet, titled "Questions and Answers - Data protection reform package", explains the changes in more detail.
How can you determine which of the two is applicable for hotlines and other organisations that make up Safer Internet Centres (SICs)? There is no "one-size-fits-all" response and whether the organisation needs to be compliant with the Directive or the GDPR is dependent on several criteria.
Ruben Roex, an attorney at law at time.lex (a law firm specialised in technology, intellectual property, media and e-business), explains that the first check to determine this is to gauge the national legal status of the hotline. The kinds of questions hotlines and other elements of Safer Internet Centres can ask themselves include:
- Has the organisation been mandated by law or is it a public authority?
- Does the hotline undertake the prevention, investigation or prosecution of criminal offences, or the execution of penalties?
If the answer to these questions is yes, then the Directive is applicable. Under the Directive, hotlines must distinguish between the identities of suspects and those of victims. If, on the other hand, the GDPR applies, then there must be a legal basis for processing personal data.
Irrespective of which regime applies to a hotline, some commonalities exist:
- Data record: maintaining a data trail that can be accessed at any time in the future.
- Undertaking a Data Protection Impact Assessment.
- Data breach notifications must be provided within 72 hours.
- A Data Protection Officer should be appointed.
Sander de Gruijl, an analyst at EOKM, the Dutch hotline, comments: "There is a great level of difference in the current regulations across countries. The necessary actions to be taken by every hotline would differ based on the gap between the existing national laws and the GDPR. However, for all, it is essential to appoint a Data Protection Officer who can act independently and is the point of contact to the Data Protection Authority."
Talking further on this subject, Marco van den Berg, Quality Assurance expert at ZiuZ (developers of INHOPE's technology platform for supporting hotlines in their reporting and referral roles, including categorisation and hashing of content), said: "As an ICT company, we want to secure the ISO 27001 certification, which is internationally recognised, stating that our information security policies, infrastructure and procedures meet the security standards. To obtain this certification, we will undertake risk assessments and define countermeasures to bring risks to a manageable level. Anticipating the GDPR, we are already implementing the necessary measurements in order to be compliant by May 2018."
With May 2018 just around the corner, the deadline for compliance with the regulation is fast approaching. The stringent data breach reporting timelines, the burden of proof placed on the data processor, the age of consent for children and other items under the GDPR make compliance a challenging and intricate issue for hotlines. By consulting experts early on, hotlines can make sure they are compliant with the GDPR or the Directive, as the case may be.
For further information on the work of INHOPE, visit the INHOPE website.
For more information on the work of the joint Insafe-INHOPE network of Safer Internet Centres across Europe, visit the Better Internet for Kids (BIK) public portal.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of the Better Internet for Kids (BIK) portal, European Schoolnet, the European Commission or any related organisations or parties. Do not rely on this information only but consult with your experts on matters relating to GDPR and associated compliance issues.