After years of consulting, drafting and negotiating at various levels, on 15 December 2015 the final compromise text of the EU General Data Protection Regulation (“GDPR”) was agreed. What a milestone! Once the European Parliament and Council both adopt the agreed text, the GDPR will officially come into force. Businesses will have a two-year transitional period to adapt to the new regime.
ONE CONTINENT, ONE LAW
The GDPR will apply directly in each of the 28 EU Member States. With its wide territorial scope, the GDPR will not only apply to the data processing activities of EU-based businesses, but also to various data processing activities of businesses not established in the EU to the extent they target EU data subjects.
- Consent must still be freely given, specific, informed and unambiguous (and explicit where sensitive data is processed). Overall, however, the GDPR takes a strikingly prescriptive approach to consent and also (surprisingly) sets the age of digital consent at 16, so that information society services offered directly to younger children require parental consent, unless Member State law provides for a lower age, which may not be below 13.
- A risk-based approach has been successfully inserted into various GDPR provisions by the Council. This, no doubt, will be welcome news for businesses. Consequently, some compliance obligations will only apply to those data processing activities that are likely to result in a risk (or even high risk) for the rights and freedoms of individuals (e.g., obligations to notify data breaches or carry out privacy impact assessments).
- One-stop-shop survives as a concept. What this means is, where a controller or processor has multiple establishments within the EU, the supervisory authority of the Member State where the controller/ processor has its ‘main establishment’ will be competent to supervise and enforce its data protection compliance across the EU. This is subject to the lead supervisory authority being required to consult and cooperate with supervisory authorities of other affected Member States. The rule is watered down considerably by exceptions providing that local supervisory authorities (other than the lead authority) will be competent to deal with subject matters that relate only to an establishment in their Member State or substantially affect only data subjects in their Member State.
- Data Protection Officers (DPOs) will be mandatory for public authorities and bodies, and for businesses whose core activities consist of regular and systematic monitoring of data subjects on a large scale or of large-scale processing of sensitive data.
- Supervisory authorities will be equipped with broad enforcement powers, and fines for non-compliance will be substantial with a maximum fine of €20 million or 4% of the annual worldwide turnover (whichever is higher).
A GDPR GAME PLAN
While the GDPR may appear extremely prescriptive in comparison to the current Data Protection Directive (95/46/EC), its objective does not deviate far from that of the Directive: assuring individuals’ fundamental right to the protection of their personal data. Multinational companies should focus on devising a systematic approach that fosters a culture of accountability and of privacy by design and by default (‘PbD’), so that they can meet rapidly changing technological challenges such as Big Data and the Internet of Things while remaining compliant with the GDPR. The Article numbers quoted below follow the December 2015 compromise text; the final Regulation (EU) 2016/679 renumbered the articles, so the references should be checked against the published text.
- DATA PROTECTION (PRIVACY) BY DESIGN AND BY DEFAULT
“[…], the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective way and to integrate the necessary safeguards into the processing […]. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed […] “– Article 23 GDPR
At any given time, controllers should be able to identify the 5 W’s (Who/Where/What/When/Why) of the personal data under their control. By maintaining accurate data maps in real time, controllers can demonstrate that they have a comprehensive understanding of their data protection risks and of the measures they are taking to mitigate them. The data maps will also feed directly into the mandatory records of processing required by the GDPR (Article 28). Companies should also consider implementing a comprehensive global records management programme so that they can meet their records retention requirements in a global context without compromising compliance with the GDPR.
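The quoted article names two concrete technical measures, pseudonymisation and data minimisation by default. The following Python snippet is an added illustration of how the two fit together in code; it is not from the article or from any regulator’s guidance. It assumes a purpose-to-fields allowlist (constructed here, but in practice derived from the data map described above), keyed pseudonymisation with HMAC-SHA256, and a secret key that is stored separately from the pseudonymised data (for example in a KMS or HSM), which is what keeps the output from being attributable to a person without that “additional information”.

```python
"""Keyed pseudonymisation plus purpose-based data minimisation (added example)."""
import hashlib
import hmac
import secrets

# Constructed allowlists: the attributes each registered purpose actually needs.
# In a real deployment these come from the data map / records of processing (assumption).
PURPOSE_FIELDS = {
    "fraud_analytics": {"customer_id", "country", "order_total"},
    "newsletter": {"customer_id", "email"},
}

# Direct identifiers that are never passed through in clear; they are replaced
# by a keyed pseudonym before the data reaches the processing pipeline.
DIRECT_IDENTIFIERS = {"customer_id", "email"}


def pseudonymise(value: str, key: bytes) -> str:
    """Return the HMAC-SHA256 pseudonym of `value` under `key` (hex, 64 chars).

    The same input under the same key always yields the same pseudonym, so
    records can still be linked for analytics. Without the key the mapping
    cannot be reversed or rebuilt by brute force over likely inputs, which is
    why the key must be held separately from the pseudonymised dataset.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise_and_pseudonymise(record: dict, purpose: str, key: bytes) -> dict:
    """Keep only the fields `purpose` needs and pseudonymise direct identifiers.

    Data protection by default: any field not on the purpose's allowlist
    (e.g. a phone number collected for another purpose) is dropped, not
    forwarded. An unregistered purpose is refused rather than given everything.
    """
    try:
        allowed = PURPOSE_FIELDS[purpose]
    except KeyError:
        raise ValueError(f"no registered purpose: {purpose!r}") from None

    out = {}
    for field in allowed:
        if field not in record:
            continue
        value = record[field]
        out[field] = pseudonymise(str(value), key) if field in DIRECT_IDENTIFIERS else value
    return out


if __name__ == "__main__":
    # Constructed sample record; the key is generated here only for the demo.
    key = secrets.token_bytes(32)
    raw = {
        "customer_id": "C-1001",
        "email": "alice@example.com",
        "country": "DE",
        "order_total": 99.5,
        "phone": "+49 30 1234",
    }
    print(minimise_and_pseudonymise(raw, "fraud_analytics", key))
    print(minimise_and_pseudonymise(raw, "newsletter", key))
```

Two design points matter for the compliance argument. First, the pseudonym is keyed: a plain SHA-256 of an e-mail address is trivially reversible by hashing a list of known addresses, so it would not count as an effective safeguard. Second, the allowlist is positive (fields are kept only if a purpose needs them), which is what “only personal data which are necessary for each specific purpose” requires; a blocklist that strips known sensitive fields would silently pass through anything new.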
- ACCOUNTABILITY – OBLIGATIONS OF THE CONTROLLER
“[…] the controller shall implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation. These measures will be reviewed and updated where necessary.” – Article 22, GDPR
It will no longer be sufficient to simply have a policy in place, and review it every other year. To ensure compliance with the GDPR, controllers must adopt a consistent mechanism to monitor compliance with and evaluate the effectiveness of the data protection policies they put in place. By regularly reviewing the compliance evidence against each policy, controllers will be able to demonstrate their accountability in an organised and effective manner.
- DATA PROTECTION IMPACT ASSESSMENT (PIA)
“Where a type of processing […] is likely to result in a high risk for the rights and freedoms of individuals, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. […]” – Article 33, GDPR
The PIA process needs to be embedded within the organisation’s operational strategy. While it is incumbent upon the data protection officer to support his or her organisation’s PIAs, controllers should establish general PIA training programmes and threshold analysis mechanisms so that everyone with access to personal data is able to determine when and how a PIA should be carried out.
- CROSS-BORDER DATA TRANSFER STANDARDS
“In the absence of [an adequacy decision], a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for the data subject are available.” – Article 42, GDPR
As the data economy grows exponentially, controllers and processors face increasing challenges when transferring personal data to countries not yet recognised by the European Union as providing an “adequate level of protection” of personal data. Controllers and processors should carefully assess and identify the compliant mechanisms provided by the GDPR, and adopt a consistent approach which best meets their organisation’s needs.
- DATA BREACH INCIDENT MANAGEMENT
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority […], unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.” – Article 31, GDPR
“When the personal data breach is likely to result in a high risk for the rights and freedoms of individuals, the controller shall communicate the personal data breach to the data subject without undue delay.” – Article 32, GDPR
It is no longer a matter of if but when a controller will experience a data breach. Controllers should devise a data breach incident management (‘DBIM’) plan that is effective and efficient in all eventualities. The DBIM plan must include specific protocols that correspond to every requirement under the GDPR: in particular, because the 72-hour clock starts when the controller becomes aware of the breach, the plan should define what “aware” means in practice, how incidents are escalated to the person who can make the notification decision, how the risk to individuals is assessed (since that assessment determines whether the supervisory authority, and additionally the data subjects, must be notified), and how processors report breaches to the controller without undue delay. A successful DBIM plan will demonstrate to supervisory authorities the controller’s accountability and the maturity level of its data protection compliance framework.