In less than four months, on May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) [1] will enter into full effect, bringing with it an array of new individual rights and regulatory requirements. This European regulation protects the rights of individuals, strengthens accountability, obligates organizations to set up self-assessment processes and, finally, increases the power of Data Protection Authorities (DPAs) through the implementation of potentially severe penalties.
Most organizations have already started to embrace this new challenge. However, it is not too late for others to join the race to compliance as long as the right questions are addressed.
Considering the broad scope of this subject matter, the key issues at stake and the need for robust governance, it is crucial for organizations to adopt a project-based approach led by a cross-disciplinary team composed of lawyers (internal and external) and cybersecurity and IT experts.
First and foremost, organizations must ensure that they clearly understand and document what personal data they actually hold and what data is processed and transferred—as the case may be, outside of the EU—and control data flow within the organization. Data “processing” is an expansive term that covers almost any operation performed on data, including but not limited to: collection, recording, organization, storage, modification, use, transmission and erasure.
Critically, the GDPR’s territorial scope is extensive. In addition to governing the control and processing of personal data by EU-based organizations, the GDPR applies even to organizations established and operating outside the EU, where the processing activities conducted outside the EU relate to the offering of goods and services to data subjects residing within the EU or to the monitoring of their behavior. (“Residency” is used as a criterion to determine whether an individual is considered as a “data subject within the EU.”)
Any organization that carries out cross-border processing and operates in several EU member states should determine its lead DPA and document the determination.
However, organizations should also verify whether other DPAs have competing jurisdiction. Indeed, where several entities of an organization determine the purposes and means of processing, they will be considered as “joint controllers” that may be located in multiple jurisdictions (e.g., where an employee’s file is processed by a subsidiary in one country, as well as by the parent in another country).
Organizations should define a plan to set up or assess their data compliance program and take the appropriate measures.
This methodology generally results in a four-step approach:
Organizations should carry out a global assessment of their current situation and analyze any existing legal or technical gaps or deficiencies in their processing of information. This generally starts with the mapping of all personal data and its processing within the company. The data mapping process is the cornerstone of the compliance project. Organizations should be able to identify what data is collected, where and how it is stored, and who has access to it.

In addition, organizations should clearly identify situations where they act either as a controller, as a processor or as both. The controller determines the purposes and the means of the processing of personal data, whereas the processor processes personal data on behalf of the controller.

Organizations that employ at least 250 employees also need to maintain a formal and written record of processing activities. These activities must be recorded within a documented Register that will be made available at any time upon request from DPAs, especially in cases where a DPA conducts an audit of the organization’s GDPR compliance.
Organizations should carry out a legal analysis of the lawfulness of the collection and processing of data to ensure that they are based on one of the six legal bases established by the GDPR (consent, contract, legal obligation, vital interests, public task and legitimate interests).
Organizations should be particularly cautious when using consent as a legal basis to process personal data. Indeed, the GDPR requires a statement or clear affirmative action by the data subject (for instance, pre-ticked boxes will no longer be sufficient to meet the legal basis requirements).
Organizations will have to determine whether they must conduct Data Protection Impact Assessments (DPIAs). The purpose of DPIAs is to evaluate the origin, nature, proportionality and severity of the risks induced by processing operations that appear to result in a high risk to the rights and freedoms of individuals.
Most importantly, the outcome of the assessment will have to be considered by the organization when determining the appropriate measures to take in order to demonstrate that the processing of personal data complies with the GDPR.
The GDPR obligates organizations to review all the contracts that include processing of personal data. Controllers and processors are under an obligation to enter into detailed agreements or to renegotiate existing ones to clearly set out roles, responsibilities and liabilities.
Under the GDPR, controllers are ultimately responsible for ensuring that all processing of personal data is compliant. Unless it is demonstrated that the controller is “not in any way responsible for the event giving rise to the damage,” it will be fully liable for any damage caused by a noncompliant processing and thus liable to pay compensation to the victims.
In the event of an infringement of the GDPR by a processor, the controller’s liability or the joint liability of the controller with its processor cannot be limited unless the controller proves that (i) it has selected a processor able to provide sufficient guarantees; (ii) the processor has infringed its written instructions while having been subject to regular monitoring by the controller; and (iii) the controller has duly controlled the ability of the processor to subcontract.
Organizations will necessarily have to rethink their data access management, tighten their access control and tracking, and rethink their confidentiality strategy.
Moreover, data protection and privacy principles will have to be integrated at the earliest stage of designing a data processing operation. This requires the adoption of robust internal policies and the implementation of technical and organizational measures arising out of the principles of “privacy by design and by default.” These concepts mean that privacy should be a fundamental component in the design and maintenance of information systems (e.g., privacy by design could be implemented via pseudonymization, and privacy by default would require data controllers to ensure that only personal data necessary for the specific purpose of the processing is processed).
The GDPR enshrines existing rights for data subjects and also creates new rights, such as the right to erasure, the right to data portability and the right to restriction of processing. Organizations should consider the likelihood that data subjects will exercise their rights with increasing frequency, and should be especially mindful that a wide array of people may have standing to file a complaint in the event of a data breach (e.g., customers, former employees, unions, users, nonprofit data protection organizations, etc.), with the potential for class action lawsuits.
Organizations should, thus, set up appropriate and clear processes for recording and dealing with requests based on data subjects’ rights. In addition, organizations will be required to be more transparent and to provide significantly more information to data subjects about their processing activities than was required prior to the GDPR’s implementation.
Management of a data breach is crucial both for individuals and organizations, in particular given the possibility of cyberattacks that could result in serious consequences, such as identity theft, financial loss, discrimination on the basis of sensitive personal data obtained in the breach, etc. Consequently, organizations must report certain types of data breaches to the relevant DPAs and, where a breach is likely to result in a high risk to the rights and freedoms of individuals, directly notify those concerned.
This requires that a proper internal breach policy be in place in order to facilitate timely notification (in principle, within 72 hours). Given this very short notice period, it is critical that organizations include a proper data breach notification provision in contracts with their processors (e.g., reporting of breach within 60 hours) and have the ability to organize, where appropriate, a multidisciplinary crisis unit.
As a first step, organizations should consider whether they are obligated to designate a Data Protection Officer (DPO), i.e., whether the organization’s core activities involve (i) the regular and systematic monitoring of individuals on a large scale, or (ii) the large-scale processing of special categories of sensitive data (health records, biometrics, criminal convictions, etc.), or (iii) whether the designation of a DPO is specifically required by local law. Furthermore, organizations that are not established in the EU will be required, under certain circumstances, to appoint a representative within the EU.
In any case, organizations are highly encouraged to appoint a DPO, whose status has notably been reinforced. According to the GDPR, the DPO not only must be given sufficient autonomy and resources (e.g., budget, board of directors’ support, staffing resources), but he/she must enjoy a direct reporting line to the highest management level (e.g., board of directors’ level).
Organizations should also keep in mind that DPOs are the first point of contact for both DPAs and individuals whose data is processed.
Organizations will have to implement a global data protection compliance program and integrate it within the internal audit plan. To that effect, they are under a specific obligation to set up an appropriate training plan relevant to their organization and the different functions and tasks of its employees.
They might also adhere to an approved code of conduct and/or certification scheme to demonstrate compliance with the GDPR.
Last but not least, the board of directors must be regularly informed about the risk assessment mechanism put in place to prevent and detect a data breach. The board should be involved in the case of a serious data breach that may harm individuals and the organization. Board members should be made aware of their responsibilities and potential liabilities in that regard.
Similarly, depending on national labor law, unions may be entitled to offer input regarding the establishment of new data protection policies and processes, which must be easily understandable and accessible to employees and third parties.
[1] http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=FR