The new EU General Data Protection Regulation, also referred to by its acronym, the “GDPR”, places the onus for compliance on companies through a “risk-based approach”. Rather than being a completely new regulation, the new regime is a continuation of the existing European set of rules, with some notable changes, in particular regarding the severity of the potential financial sanctions facing companies found guilty of non-compliance and the territorial scope of the rules.
So, how did we end up with the new EU General Data Protection Regulation? It took four years and roughly 4,000 amendments to come up with the compromise text, so the discussions about the regulation were intense. The result is a compromise, since European member states came to the negotiating table with different views as to what the future of data protection should look like.
The application date is 25 May 2018, so this leaves very little time for companies to become compliant. It might seem like a long timeframe, but it is not very long considering two things. The first is that compliance with data protection laws requires a precise understanding of data processing activities, including knowledge of any cross-border outsourcing of data processing that may take place.
The second aspect that makes this timeframe seem short is the fact that some provisions of the GDPR require further interpretation before they can be applied in specific sectors.
Consequently, companies located in the EU must ask themselves questions about their future compliance now, in order to determine their strategy in relation to the GDPR.
Asian groups of companies with a presence in Europe, as well as Asian companies targeting European customers, will also be concerned by these rules. The GDPR indeed applies to businesses established outside of the EU when those businesses offer goods or services to data subjects located in the EU, or when they monitor the behaviour of data subjects in the EU.
EU General Data Protection Regulation – Where to start?
The first question to answer is who is a data controller and who is a data processor. This is a crucial question for defining the obligations and responsibilities of your company. If a company is a data controller, the main responsibility for ensuring compliance with the EU General Data Protection Regulation rests on that company, even though data processors also have specific obligations that apply to them in relation to the data processing. It should be borne in mind that the data controller, as is the case at the moment, really bears the main responsibilities.
One novelty under the EU General Data Protection Regulation is that the concept of joint data controllership is expressly set out. The content of the joint data controller agreement must be made public, and each data controller remains fully liable towards the data subjects.
An important consideration for data controllers and data processors established outside of the EU is that they have to designate a representative in one of the member states in which the data subjects concerned by the data processing are located.
The representative is the point of contact for the competent supervisory data protection authorities and for the data subjects. The data controller and processor remain fully liable even though the representative may also be subject to enforcement proceedings.
Data controllers and processors may also need to appoint a data protection officer, who will be in charge of advising them on data protection issues and of monitoring compliance with the GDPR. The data controller and processor nevertheless remain fully liable.
Data controller obligations under the GDPR
The core obligations of the data controller under the EU General Data Protection Regulation do not fundamentally change, the main consideration being the lawfulness of the data processing. The fact that you can only process personal data on a legal basis as set out in the GDPR still applies in the same way. Proportionality, transparency of processing and so on stay roughly the same.
What the GDPR does is insist on the principle of accountability of the data controller. This means that the data controller has the obligation to demonstrate that it has taken all appropriate technical and organisational measures to ensure the protection of the information, and that it has to document this.
The GDPR also sets out some new means by which the data controller can prove compliance with the GDPR: the data controller can adopt codes of conduct, pass through certification mechanisms, or use seals or marks that have been approved by the competent supervisory data protection authorities.
Another novelty of the GDPR is the pair of concepts of privacy by design and privacy by default, which epitomise the new integrated approach to data protection. What do those concepts mean? In a nutshell, the data controller has to put in place appropriate technical and organisational measures, such as pseudonymisation, to minimise the data and to limit the data processing to what is strictly necessary in relation to the specific purpose that the data controller is pursuing.
It is interesting to note that the GDPR abolishes the current general obligation to notify data processing to the supervisory authorities. At the moment, except in certain limited cases, a data controller has to notify all of its data processing activities. This obligation is replaced in the EU General Data Protection Regulation by an obligation to keep internal records of the data processing activities.
There is a very limited exception for small and medium sized enterprises, but it only applies when the processing is occasional and when no sensitive information is involved.
Privacy Impact Assessments (PIA)
The data controller will have to make a minimal assessment in all cases in order to determine what the risk is in relation to the data processing activities. If the data processing presents a significant risk, a fully-fledged PIA will be required. The exercise will actually be to distinguish the cases in which a fully-fledged PIA is required from those where a lighter audit will be sufficient.