The General Data Protection Regulation (GDPR) will come into effect in the European Union in less than a year from now, on 25th May 2018. (1) The GDPR is a thorough and complex reform of data privacy law, which means that companies have to get organised to be compliant and ready by May 2018.
There are many differences between the existing European data privacy legal system based on the 1995 Data Protection directive and the new GDPR. Whereas, the 1995 Data Protection directive had to be transposed into the legal systems of each member-state, with national data protection laws which didn’t come into effect at the same time (France transposed the 1995 directive in 2004!) and with some differences between the national data protection laws, the GDPR will apply (almost) identically across the European Union from 25th May 2018.
The 1995 Directive was outdated regarding certain processing activities not available at the time, or regarding the development of the role of processors, especially those providing cloud computing services. The GDPR takes into account the evolution of technology and of data processing activities and aims to reinforce the rights of the individuals (data subjects) on their personal data with clearer rules regarding consent for data collection and processing and more stringent obligations on the data controllers and processors.
With the GDPR, companies will be subject to a new “accountability” regime. Accountability under the GDPR includes the implementation of new procedures such as the privacy-by-design principle which implies that data privacy must be included into the design stage of a new product or service; data privacy impact assessments when new data processing is likely to result in a high risk for the rights of the data subjects; the obligation to maintain a record of processing activities listing the processing and procedures implemented and the obligation to notify personal data breaches to the supervisory authority (following a security breach or a cyber attack for example).
The fines for breaching GDPR obligations will be much higher than before since depending on the nature of the breach, administrative fines may reach between 10 million euros or 2% of the worldwide revenue of the company and 20 million euros or 4% of the worldwide revenue of the company…
The data privacy agencies of the member-states, and the members of the Article 29 Working Party (representatives of the data privacy agencies of the member-states) are working actively to help companies get prepared for GDPR. For example, the French data privacy commission (CNIL) has published a plan to help companies get organised to prepare GDPR compliance. And the members of the Article 29 Working Party (WP29) have adopted guidelines providing more detailed information on the new principles of the GDPR.
1. The compliance plan recommended by the French data privacy commission
The French data privacy commission (CNIL) has published a plan to help companies work on GDPR compliance. (2) This plan is comprised of six steps, as follows:
- Step 1: Appoint a “compliance pilot”
Given the complexity of implementing a GDPR compliance plan, an individual - or depending on the size of the organisation, a dedicated task force - should be specifically appointed to drive this phase. This individual, who may be an existing or future data privacy officer (DPO), or an external consultant, shall have several tasks, including informing, advising and consulting the internal teams. He/she should also perform internal audits and should be key in organising and coordinating the compliance tasks to be performed.
- Step 2: Map out the processing activities
The compliance team should carry out an inventory of the data processing activities carried out by the company and record them. This will allow the compliance team to assess the practical impacts of the GDPR on the data processed by the company.
- Step 3: Prioritise the tasks to be carried out
Based on the types of data processing activities, the team will then be able to identify the compliance tasks to be implemented. These tasks should be prioritised, taking into account the risks of the processing on the rights and freedoms of the data subjects.
- Step 4: Manage risk
If the team has identified data processing activities that are likely to generate high risk on the rights and freedoms of the data subjects, a data privacy impact assessment (DPIA or PIA) must be carried out for each such processing. Companies can use the PIA guidelines to help them implement these new procedures (see below).
- Step 5: Develop or update your internal procedures
The company’s internal procedures will have to be updated to be able to apply a high level of protection to personal data. These procedures must protect data at any time taking into account all the events which may happen during data processing (such as a data breach, managing correction or access requests, modification of the data collected, etc.).
- Step 6: Document compliance
To be able to prove that the company complies with the GDPR, the necessary documents must be drafted and regularly updated. These documents shall include the company’s internal procedures, data privacy impact assessment, internal audit reports, etc.
2. The Article 29 Working Party guidelines
The WP29 has published several support documents to help with GDPR compliance. The purpose of these documents is to clarify the new principles that must be implemented by the companies by May 2018. At the end of June 2017, the following guidelines were published:
- Guidelines on Data Protection Impact Assessment (“DPIA” or “PIA”) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679
These guidelines provide details on the types of processing activities that should trigger a privacy impact assessment, the existing methods to carry out a PIA, the rules governing the release of a PIA and/or notification to the supervisory authority and when the supervisory authority should be consulted in case of a potentially risky processing. Typically, a PIA will include the following four features: i) a description of the proposed processing and its purpose; ii) an assessment of the necessity and proportionality of the processing; iii) an assessment of risks to data subjects; and iv) the measures to address the risks and demonstrate compliance with the GDPR.
The data protection impact assessment principle is defined under article 35 of the GDPR. PIAs are one of the mechanisms included in the principle of accountability. When performing a PIA, data controllers adhere to the GDPR and can demonstrate that appropriate measures have been developed to ensure GDPR compliance. Failure to carry out a PIA is subject to an administrative fine of up to 10 million euros or 2% of the worldwide revenue of the company for the preceding year.
- Guidelines on Data Protection Officers (“DPOs”)
These guidelines provide details on how a Data protection officer should be appointed, as well as the role and responsibilities of the DPO.
Although this role is not new, the appointment of a DPO was not mandatory under the 1995 Directive. To be compliant with the GDPR, certain companies, data controllers and processors, will have to appoint a DPO. The role and responsibilities of the DPO are described under articles 37 to 39 of the GDPR.
The DPO allows companies to ensure GDPR compliance (including, for instance, for internal audits, to act as a liaison between the different internal departments, and with the data subjects). However, DPOs are not liable in case of non-compliance to the GDPR. The data controller or the processor are responsible for GDPR compliance and implementation.
- Guidelines on the right to data portability
These guidelines define the data portability principle, identify the main aspects of this new right, identify when this right should apply, define how the rules concerning the data subjects apply to data portability, and define how the data should be conveyed to the data subject or to a new data controller.
Data portability is slightly different from the right of access under the 1995 directive. Data portability allows the data subjects to receive the data provided to the data controller in a structured and machine-readable format, and to transfer this data to a new data controller. The right to data portability will typically be used when a consumer switches service providers. The right to data portability is defined under article 20 of the GDPR.
- Guidelines for identifying a controller or processor’s lead supervisory authority
The GDPR set up another new principle: the lead supervisory authority, to take into account transborder data processing.
These guidelines identify the supervisory authority competent for transborder processing, especially when the principal place of business of the data controller is different from its European headquarters, when several companies within a multinational group of companies are concerned or when there are several joint data controllers. The issue of data processors is also addressed by the guidelines.
Other guidelines are being developed and should be published before the end of 2017. These include guidelines on certification, guidelines on data privacy breach notifications, guidelines on consent by the data subjects, and guidelines on profiling.
* * * * * * * * * * * *
(1) Regulation (EU) 2016/619 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
(2) Available on the CNIL website (in French)
(3) The WP29 Guidelines are available on the CNIL website (in English) : Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 ; Guidelines on Data Protection Officers (“DPOs”) ; Guidelines on the right to data portability ; Guidelines for identifying a controller or processor’s lead supervisory authority
Bénédicte DELEPORTE
Avocat
Deleporte Wentz Avocat
www.dwavocat.com
August 2017