The new EU General Data Protection Regulation, which is also referred to by its acronym, the “GDPR”, is placing the onus for compliance on companies, on a ”risk-based approach”. Rather than being a completely new regulation, the new regime is a continuation of the existing European set of rules, with some notable changes, notably regarding the severity of the potential financial sanctions that will face companies found guilty of non-compliance and the territorial scope of the rules.
So, how did we land up with the new EU General Data Protection Regulation? It took four years and roughly 4,000 amendments to come up with the compromise text, so the discussions about the regulation were intense. The result is a compromise since European member states came to the negotiating table with different views as to what the future of data protection should look like.
The application date is 25 May 2018 so this leaves very little time for companies to become compliant. It might seem like a long timeframe but it’s not very long considering two things. The first is that compliance with data protection laws requires a precise understanding of data processing activities, including knowledge of the cross-border outsourcing of data processing that can take place.
The second aspect which makes this timeframe seem short is the fact that some provisions of the GDPR require a further interpretation to be applied in specific sectors.
Consequently, companies located in the EU must ask themselves the questions about their future compliance now, in order to determine their strategy in relation to the GDPR.
Asian groups of companies with a presence in Europe, as Asian companies targeting European customers, will also be concerned by these rules. The GDPR indeed applies to businesses established outside of the EU when those businesses offer goods or services to data subjects located in the EU or when they monitor the behaviour of data subjects in the EU.
EU General Data Protection Regulation – Where to start?
The first question to answer is to determine who is a data controller and who is a data processor. This is a crucial question to define the obligations and the responsibilities of your company. If a company is a data controller, the main responsibilities rest on the company to ensure compliance with theEU General Data Protection Regulation, even though data processors also have specific obligations that apply to them in relation to the data processing. It should be borne in mind that the data controller, as it is the case at the moment, really bears the main responsibilities.
One novelty under the EU General Data Protection Regulation is the fact that the concept of joint data controllership is expressly set out. The content of the joint data controller agreement must be made public and each data controller remains fully liable in relation to the data subjects.
An important consideration for data controllers and data processors established outside of the EU is that they have to designate a representative in one member state in which data subjects that are concerned by the data processing are located.
The representative is the point of contact for the competent supervisory data protection authorities and for the data subjects. The data controller and processor remain fully liable even though the representative may also be subject to enforcement proceedings.
Data controllers and processors may also need to appoint a data protection officer, who will be in charge of advising them on data protection issues, and on controlling the compliance with the GDPR. The data controller and processor remain however fully liable.
Data controller obligations under the GDPR
The core obligations of the data controller under the EU General Data Protection Regulation do not fundamentally change, the main considerations being the lawfulness of the data processing. The fact that you can only process personal data on a legal basis as set out in the GDPR still applies the same way. Proportionality, transparency of processing and so on stays roughly the same.
What the GDPR does is insisting on the principle of accountability of the data controller. That means that the data controller has the obligation to demonstrate that he has taken all appropriate technical and organisational measures in order to ensure the protection of the information and that he has to document this.
The GDPR also sets out some new means by which the data controller can prove compliance with the GDPR in the sense that the data controller can adopt codes of conduct, pass through certification mechanisms or use seals or marks which have been approved by the competent supervisory data protection authorities in order to prove compliance.
Another novelty of the GDPR are the concepts of privacy by design and privacy by default which epitomises the new integrated approach to data protection. What do those concepts mean? In a nutshell, the data controller has to put in place the appropriate technical and organisational measures such as pseudonymisation to minimise the data and to limit the data processing to what is strictly necessary in relation to the really specific purpose that the data controller is pursuing.
It is interesting to note that the GDPR abolishes the current general obligation to notify data processing to the supervisory authorities. At the moment, except in certain limited cases, a data controller has to notify all its data processing activities. This obligation is now replaced in the EU General Data Protection Regulation by an obligation to keep internal records of the data processing activities.
There’s a very limited exception for small and medium sized enterprises but it only applies when the processing is occasional and when there’s no sensitive information involved.
Privacy Impact Assessments (PIA)
The data controller will have to make a minimal assessment in all cases in order to determine what the risk is in relation to the data processing activities. If the data processing presents a significant risk, a fully-fledged PIA will be required. The exercise will actually be to distinguish the cases in which a fully-fledged PIA is required, from the ones where a more light audit will be sufficient.
GDPR’s view of data breaches
Another obligation of the data controller under the EU General Data Protection Regulation is the fact that he will have to notify the competent data protection authorities about data breaches. This obligation already exists under the current European data protection rules but only for electronic communication companies.
There’s an exception for these notifications in the case where it is unlikely that there’s any risk for the data subject, but this exception again will be of limited use.
Data subjects will also have to be notified without delay if there’s a high risk in respect of their rights and freedoms.
The GDPR provides for some exceptions for public communication. It has to be weighed whether the public communication is better than a notification of the data subject given also the potential reputational risk for the company.
The data processor
Turning now to the data processor. There are a number of points that are mentioned in the GDPR regarding the data processor.
The data controller has an obligation to choose the right data processor. He has to perform the necessary verifications before appointment.
The agreement between the data controller and the data processor needs to be much more detailed. The agreement needs to set out in detail the nature of the data processing, the purposes of the processing, the data that is concerned, the transfer of data to third parties / countries, etc.
The data processor needs to ensure that he puts in place the appropriate security and confidentiality measures. The data processor must also in the future return or delete the personal data after the end of the provision of the services to the data controller.
An obligation for the initial data processor to enter into an agreement with the sub-processors. This agreement has to reflect the obligations that are contained in the first agreement between the controller and the processor. The initial data processor remains fully liable for the actions of the processors that he appoints in turn.
The data processor has to keep records of the data processing activities in relation to each data controller for which he acts. In certain cases, he has to assist the data controller in relation to his obligations, e.g. in relation to the impact assessments, breach notifications, etc.
It’s worth noting that the data subject has a direct judicial recourse against the processor and has the right to obtain damages for any violations by the processor of his own obligations. The data processor must cooperate with the supervisory authorities.
Data transfers outside the EU
Transfers of personal data in the EU are free provided that the other legal conditions are duly fulfilled.
Data transfers outside of the EU are allowed if the country to which the data is transferred offers an adequate level of protection according to a decision that is taken by the EU commission, or if one of the exceptions listed by the EU General Data Protection Regulation applies.
There are some new developments in that regard under the GDPR. It is indeed now possible to transfer data to third countries which do not offer an adequate level of protection if appropriate codes of conduct or certifications are in place to secure the data, or where they are based on compelling legitimate interest of the data controller.
Financial sanctions under the EU General Data Protection Regulation
The most spectacular novelty under the EU General Data Protection Regulation is the introduction of very serious financial sanctions to be applied by the data protection supervisory authorities. At the moment, sanctions may differ from one country to another.
In Luxembourg, for instance, criminal law sanctions apply (i.e. imprisonment and fines), but, in practice, nobody is sent to prison and the fines are low. It is noteworthy that, in Luxembourg, criminal sentences may only be imposed by a court, and not by the national data protection supervisory authority.
In other countries, such as Spain, the national data protection supervisory authority is competent to impose financial sanctions, and quite active to do so
The new financial sanctions are significant The most serious breaches may trigger a financial sanction up to 4% of the global turnover or 20 million euros. Data transfers to third countries which do not offer an adequate level of protection fall under this highest threshold of potential sanctions.
The EU General Data Protection Regulation applies to Asian companies that target Europe and to all groups of companies that have a presence in Europe. It is thus important to understand the challenges raised in terms of compliance with the GDPR now, and to proceed without delay to an analysis of the current compliance level (audit) to determine the appropriate and required compliance measures to be adopted.
Companies will have to put in place proper data privacy management. That doesn’t go without the appointment of a person in charge, within the company, of data protection matters (either a data protection officer or someone else). The personnel will also have to be trained.
Companies will also need to implement a regular follow-up assessment of compliance, because the data processing activities are changing. As a practitioner, vigilance and focus are required.