Our business is worried about data breaches and notification obligations. Can you shed any light on the requirements?

  • Personal data breach is defined broadly
  • BUT notification not required in all cases
  • Notification of competent supervisory authority of breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless "the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons"
  • Notification to individuals if a "high risk to the rights and freedoms of natural persons," as soon as reasonably feasible.
  • Data processors must notify clients (data controllers) "without undue delay"
  • There is guidance about what needs to be put into a notice
  • Consider putting in place a Breach Notification Plan

I mentioned the maximum fines to our Board and it definitely made people stand up and listen. In reality though, is our business really at risk of such huge fines?

  • Potential for large fines for GDPR breaches (e.g., up to 20 million Euros or 4% of undertaking's total annual worldwide turnover, under certain circumstances
    • An undertaking comprises a single economic entity, which may cover where one company exercises "control" over another company.
      • Control = the ability to exercise decisive influence over another entity with the result that the latter does not enjoy real autonomy
  • DPAs consider "nature, gravity and duration of the infringement."
    • Intentional breaches (e.g., unlawful processing authorized by top management or in spite of advice from DPO) are more severe than unintentional ones
  • Reprimands and enforcement orders may be ordered instead of high fines.

I'm concerned that our business uses personal data for profiling. Shall I advocate that we stop profiling personal data altogether?

  • Technology and big data makes it easier to create profiles and make automated decisions
  • GDPR attempts to ensure profiling does not have an unjustified impact on individuals' rights
  • Ultimately must determine whether company engages in the type of "profiling" that the regulations are targeting
    • Profiling - analyzing or predicting "aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements"

The acronym "DPIA" keeps being brought up but I have no idea what it means or if I should be worried about it?

  • Data Protection Impact Assessment (DPIA) should be included in businesses' operations and can be useful, for example, in assessing the data protection impact of a technology product
  • DPIA is mandatory where a processing is "likely to result in a high risk to the rights and freedoms of natural persons"

Data Subjects seem to have so many rights. How should our business deal with them all?

  • Data subjects do have a number of rights but these only apply in certain cases.
  • Business will need to know where the data is kept in order to deal with the rights. This is why data mapping is important.
  • Protocols for dealing with data subject complaints/objections/requests will need to be reviewed and updated.
    • If large volumes of requests are expected, protocols should be automated
  • Rights will be exploited in litigious circumstances

The GDPR makes our business nervous about using consent. Can you offer any hints and tips?

  • Consent has always been difficult to rely upon. Now it will be even more difficult. Tick box not good enough.
  • More detailed conditions for using consent: "freely given, specific, informed, and unambiguous"
  • In cases of sensitive personal data it must also be "explicit"
  • There are a number of issues with obtaining consent such that we would recommend it is used if you cannot rely on any other legitimate basis for processing data.
  • Grandfathering consents acquired pre-GDPR presents issues
  • Depending on how your business wants to approach the use of consent, there are options when following a risk-based approach

Risk-based approach to GDPR

  • Factors to consider
    • Burden/cost of particular GDPR requirement
    • Likelihood of enforcement
    • Applicable fines associated with non-compliance

Is the GDPR the only regulation to be taken into account by companies to comply with data privacy in Europe?

  • Some legal aspects of data privacy are expressly excluded from the GDPR (e.g. employment related data) businesses need to consider local laws for conducting business in the EU
  • The GDPR provides for the possibility for EU member states to complete certain of its provisions (e.g. Art. 37 regarding the appointment of a DPO). In practical terms, this means that EU members states are passing local data privacy laws to complete the GDPR (e.g., Germany, France, Poland).
  • Also need to consider other data protection laws:
    • PECR (Privacy and Electronic Communications Regulations) contains rules on electronic marketing, cookies, security of electronic communications, customer privacy
    • NIS Directive (Directive on security of network and information systems)

Given that EU member states are passing local data protection laws, what are the consequences for companies doing business in the UK in the Brexit context?

  • GDPR will still apply for the foreseeable future.
  • UK Bill is putting GDPR into domestic law.

Is being in compliance with the GDPR enough for employee data or do we need to look at EU Member States local laws?

  • Potentially not enough. Being GDPR compliant may just be the first step.
  • Local laws already released set out differing requirements in relation to employee data
  • EU Commission Employee Data Protection Guidance

What approach should we be taking now with regards to vendor and supplier agreements?

  • Business will be both a controller and processor depending on who they are interacting with, so consider the approach you take with each.
  • Controllers remain ultimately liable. It is important to choose your processor wisely.
  • Consider limiting contractual liabilities when you are acting as a data processor
  • Consider indemnification if you are a controller
  • Agreements should contain certain minimum terms. Recent UK guidance helpfully sets these out.
  • That language should be included for May 2018 start now. Assess risk re agreements that will not necessarily be renegotiated before then.