EU General Data Protection Regulation: key issues for your compliance game plan
August 2016 | SPECIAL REPORT: TECHNOLOGY RISK MANAGEMENT
Financier Worldwide Magazine
In April 2016, after lengthy negotiations, the European Union finally adopted a major piece of legislation for the processing of personal data: the EU General Data Protection Regulation no. 2016/679 (GDPR). The GDPR represents the most significant change in EU data protection regulations since the Data Protection Directive of 1995.
The GDPR is a far-reaching legal instrument and will have a significant impact for companies that are involved in the processing of personal data. As the GDPR will be applicable from 25 May 2018, it is critical for businesses processing personal data to assess the impact of the GDPR on their activity, and to define a game plan for compliance with the GDPR. This contribution points out some of the key changes that will result from the GDPR as well as related actions that should be taken to ensure compliance.
First of all, like the Data Protection Directive, the GDPR applies to the automated processing of personal data, as well as to the processing of personal data which form part or are intended to form part of a filing system. However, the material and territorial scope of the GDPR are significantly broader. Concerning the material scope, the GDPR directly applies not only to the controllers of personal data, but also to the processors of personal data, i.e., those who process personal data on behalf of the data controller.
Concerning the territorial scope, the GDPR applies not only to the processing of personal data in the context of the activities of an establishment in the EU, but also to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU where: (i) the processing relates to the offering of goods or services to such data subjects, irrespective of whether a payment is required; or (ii) the processing relates to the monitoring of their behaviour, as far as that behaviour takes place within the EU. In light of the significantly extended scope of the GDPR, it is critical for businesses involved in the processing of personal data to determine whether the GDPR applies to them and, if so, whether they act as a data controller or as a data processor for each processing activity.
As concerns the legal bases for processing personal data, those under the GDPR are to a large extent similar to those under the Data Protection Directive. However, the GDPR sets new restrictions on consent, on processing based on legitimate interests and on further processing. In particular, for processing based on consent, the request for consent must be clearly distinguishable from other matters, and consent must be specific, informed, freely given by the data subject and withdrawable at any time, with withdrawal being as easy as giving consent. The controller must be able to demonstrate that the data subject has consented. As consent requires a clear affirmative act by the data subject, ‘opt-out’ consent, such as silence, pre-ticked boxes or inactivity, will no longer be an option. It is therefore key for controllers to assess the current legal bases for their processing and to determine whether they remain valid under the GDPR. When relying on consent, controllers should ensure that the consent obtained from data subjects meets the new standard and can be demonstrated.
With respect to the rights of individuals, data controllers must be more transparent with data subjects under the GDPR. Data subjects have extended and new rights to control their data, including important new rights to require erasure of their personal data and to obtain the portability of such data. Additional information on the data processing has to be provided to the data subjects, including the legal basis for processing, any legitimate interest relied upon as the basis for processing, the data retention period, and the various rights of the data subjects, including the rights to erasure and to data portability. Controllers should therefore carefully review and adjust existing information notices and processes to ensure they comply with the strengthened rights of data subjects. Rights such as the right to data portability require special attention, as meeting them will also require changes to IT processes, for example to provide a data subject’s personal data in a structured, commonly used and machine-readable format.
The GDPR creates important accountability and governance mechanisms. Controllers must implement appropriate technical and organisational measures to ensure compliance with the GDPR, and must maintain records of their processing activities in order to be able to demonstrate compliance. Controllers must be able to demonstrate compliance to supervisory authorities and to data subjects. Controllers must also ensure privacy by design and by default, and carry out data protection impact assessments for processing activities that present high risks for data subjects. The appointment of a data protection officer by controllers is necessary when their core activities require large-scale regular and systematic monitoring of data subjects or the large-scale processing of sensitive data. Consequently, controllers should assign in-house responsibilities for data protection compliance, review their existing level of compliance and conduct a gap analysis with respect to the GDPR.
Data processing activities are also strongly regulated under the GDPR. First, the GDPR specifies more detailed requirements for data processing agreements, i.e., agreements pursuant to which a controller entrusts a processor with the processing of personal data on its behalf. Second, the GDPR provides new obligations directly applicable to processors. In particular, and with only a few exceptions, processors must maintain in writing a record of all categories of processing activities carried out for a controller. In any case, a processor’s direct obligations include implementing appropriate technical and organisational measures to ensure an appropriate level of security, and notifying the controller without undue delay after becoming aware of a personal data breach.
In the same circumstances as those described for controllers, processors are also required to appoint a data protection officer. In order to ensure compliance with the GDPR, controllers should ensure that all their agreements with processors are in line with the GDPR. Processors should: (i) implement appropriate technical and organisational measures to ensure an appropriate level of security; (ii) determine whether records relating to the personal data processing they carry out have to be maintained; (iii) implement a data breach reporting policy; and (iv) determine whether they must appoint a data protection officer.
In terms of data security and personal data breaches, the GDPR introduces an obligation for both controllers and processors to report personal data breaches. Controllers must notify a breach to the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects; where notification is made after 72 hours, it must be accompanied by the reasons for the delay. Controllers must also communicate the breach to affected data subjects without undue delay where it is likely to result in a high risk to their rights and freedoms. Concerning processors, the GDPR provides that, in all cases, they must notify personal data breaches to the controller without undue delay after becoming aware of them. As a result of these provisions, it is key for both controllers and processors to regularly evaluate their security processes and to implement their own data breach response plan, identifying the internal stakeholders and their related actions and responsibilities, including the documentation of each breach (the facts, its effects and the remedial action taken) so that compliance can be demonstrated to the supervisory authority.
As under the Data Protection Directive, cross-border transfers of personal data to a destination country outside the EEA may take place only where an adequate level of protection is ensured, either by an adequacy decision of the European Commission or by appropriate safeguards on the part of the data recipient (such as standard contractual clauses or binding corporate rules), or where a specific derogation applies (including the explicit consent of the data subjects to the proposed transfer, after having been informed of its possible risks). The GDPR adds approved codes of conduct and certification mechanisms as new forms of appropriate safeguards for data transfers. To ensure compliance, controllers should inventory their transfers of personal data outside the EEA, review the justification for each transfer and map it to the mechanisms available under the GDPR. For controllers envisaging data transfers to the US, developments relating to the Privacy Shield should be monitored.
Last but not least, the GDPR dramatically increases the remedies, liabilities and sanctions applicable in case of non-compliance with the GDPR. Data subjects have the right to seek remedies against controllers and processors, and controllers and processors will have to compensate the entire material and non-material damage resulting from an infringement of the GDPR. Where several controllers or processors are involved in the same processing, they will be jointly and severally liable to the data subject for the damage. Finally, data protection authorities will be able to impose significant administrative fines under two tiers: depending on the type of infringement, fines could go up to €10m or, in the case of undertakings, 2 percent of total worldwide annual turnover of the preceding financial year, or up to €20m or 4 percent of such turnover, whichever is higher.
In conclusion, it is critical for businesses processing personal data to assess the impact of the GDPR well in advance of its effective date – 25 May 2018 – and to adjust their compliance processes accordingly. The above-mentioned issues and recommended actions should be taken into consideration but, most of all, it is critical for each business impacted by the GDPR to determine its own, tailored compliance game plan for the GDPR.
Olivier Haas is counsel, and Philippe Marchiset and Evgenia Nosareva are associates, at Jones Day. Mr Haas can be contacted on +33 1 56 59 38 84. Mr Marchiset can be contacted on +33 1 56 59 38 83. Ms Nosareva can be contacted on +33 1 56 59 39 04.
© Financier Worldwide
Olivier Haas, Philippe Marchiset and Evgenia Nosareva