Introduction and overview
GDPR effective date and geographical scope of application
The GDPR will apply as of 25 May 2018. It provides a single set of rules directly applicable in the entire EU, without the need for national implementing measures, which means that any personal data processing ongoing at that date must already comply with the Regulation.
The GDPR's scope of application is wider than processing undertaken in EU countries. It will also apply to data controllers and subcontractors (processors, in the GDPR's own terminology) not established within the EU, but which process data in order to offer goods or services to individuals in the EU or to monitor the behaviour of individuals in the EU (article 3(2)).
Several steps should be taken by businesses in order to achieve compliance with provisions of the GDPR:
Changes to internal processes to comply with the accountability rules
In order to effectively manage personal data protection within your business, an individual should be nominated to take charge of informing and advising the organisation and of coordinating personal data activities. For many organisations, it will make sense to appoint a data protection officer or ‘DPO’ now in order to assess compliance as soon as possible, even outside the three circumstances in which the GDPR makes the appointment mandatory (ie, public bodies; core activities involving regular and systematic large-scale monitoring; and large-scale processing of special categories of data or of data relating to criminal convictions and offences (article 37)). In any event, an audit of personal data held and processing undertaken makes sense. The nominated person can then map data processing within the business and build a record of all ongoing data processing (article 30). On the basis of this information, a list of necessary actions can be prepared and prioritised in the light of the risks to data subjects’ rights.
In practical terms, the principle of accountability means that businesses must track and document their compliance with data protection rules, and keep these records available to respond to an inspection by state authorities.
Promoting a risk-based approach
If any processing is identified as carrying a high risk to data subjects’ rights, the business must then conduct a privacy impact assessment (PIA), which the GDPR calls a data protection impact assessment or DPIA (article 35). In addition, internal processes should be developed in order to respond to events likely to trigger the controller’s liability, such as a security breach, requests to access or rectify data, updates to processed data, a change of subcontractor, etc.
Data protection safeguards shall be built into products and services from the earliest stage of development (‘privacy by design’, article 25), making use of techniques such as pseudonymisation and encryption.
Data transfers
Personal data transferred outside the EU remains subject to the GDPR for any subsequent processing and onward transfer. Standard contractual clauses, binding corporate rules and the Privacy Shield scheme may still be used as the legal mechanism for transfers outside the EU.
Agreements between data controllers and their subcontractors
Data controllers’ agreements with their subcontractors will have to incorporate the new mandatory terms set out by the GDPR (article 28(3)). Existing long-term agreements may need to be redrafted. Subcontractors will now have their own direct obligations in certain key areas, such as record-keeping and security, separately from the obligations on data controllers.
A single data protection authority
In future, businesses will deal with one single lead supervisory authority in the EU country of their main establishment, rather than having to engage with authorities in all relevant countries. The lead authority will then work with the other national data protection authorities concerned to achieve an EU-wide approach.
Negative impacts in case of a legal breach
Whereas the existing EU legislation (Directive 95/46/EC) leaves to member states the task of determining and applying sanctions, the GDPR is more prescriptive. It provides for administrative fines to be imposed on data controllers and subcontractors alike. For the most serious infringements, those fines can go up to the greater of €20m and 4% of annual global turnover (article 83).
In the event of a personal data breach, companies will have to inform the relevant data protection supervisory authority within tight timescales (where feasible, within 72 hours of becoming aware of it, article 33), as well as the data subjects themselves, without undue delay, where the breach is likely to result in a high risk to their rights and freedoms (article 34).
In any major project, there is an analysis phase involving a careful examination of your organisation’s current set-up and what needs to be done to deliver the project successfully. Preparing for the GDPR is no exception. Depending on the structures and practices of your organisation, compliance could require a significant allocation of resources to ensure that you are ready by the implementation date: 25 May 2018. So, what can be done to get started? Perhaps the best first step is to conduct a self-assessment audit. This will help organisations map the likely impacts of the changes in data protection law on their activities. A few key points are worth looking at in detail:
Management awareness
The development and implementation of a GDPR strategy requires strong leadership and the most effective strategies will be those that begin life as a boardroom priority, not least because fines of €20m or more may be issued under the new legislation. Organisations should be updating their risk register and organising work flows to ensure compliance – recording any issues and allocating responsibility from senior management downwards. Depending on the scale of your activities, this might include the appointment of a DPO under GDPR article 37.
Accountability
‘Accountability’ is a ‘red thread’ that runs throughout the GDPR. Article 5(2) states that controllers ‘shall be responsible for, and be able to demonstrate compliance with’ the data protection principles, while article 24(1) refers to controllers being able to ‘demonstrate that processing is performed in accordance with this Regulation’.
Organisations ought to be reviewing their framework of policies and procedures, as well as communicating those policies to staff and monitoring compliance. ‘Introduction and overview’ above mentioned the importance of promoting a risk-based approach and changing internal processes to comply with the accountability rules. The right documentation will be key.
Know your data flows
Mapping data flows should be a priority.
Identify which of your data flows pose the highest risk to individuals. Some examples are already being heavily scrutinised under the current law: international transfers, large-scale marketing, profiling, behavioural analytics and fundraising activities are all typically deemed high-risk activities.
Fair processing information
Article 5(1)(a) of the GDPR requires that personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject. One of the best ways to comply with this will be to provide clear and full information up front to individuals about how, where and why you will be using their data (articles 13 and 14).
A self-assessment exercise should focus on what fair processing information is currently given to individuals at the point of acquisition of their data. Data can be collected through various channels: marketing lists; credit reference checks; Facebook/website sign-ups; or apps.
Each channel may collect the data through different means and require different processes. What is your lawful basis for processing the data? Are you relying on consent and, if so, how is that consent obtained? Organisations should assess whether current consents are sufficient to meet the requirements under the GDPR. In particular, review whether any new projects are being planned and look at how privacy can be built into these from the start, particularly if they are likely to result in a high risk to the rights and freedoms of individuals.
Know your escape routes
There are a few ways in which the effects of the GDPR can be mitigated or disapplied. Remember that the GDPR only applies to data that falls within the definition of ‘personal data’: if you can effectively anonymise the data so that individuals are no longer identifiable, then the principles of data protection will not apply (GDPR Recital 26). Note the distinction from pseudonymisation: data that can still be attributed to an individual with the help of additional information held separately (a lookup table, a key) remains personal data, and the same Recital says so explicitly.
Implementing technical and organisational security measures can also provide a safety net in the event of a data breach: article 32 names pseudonymisation and encryption and the ability to restore availability and access to data in a timely manner (ie, backups), and article 34(3)(a) removes the duty to notify data subjects where the breached data has been rendered unintelligible to unauthorised persons, for example by encryption. A strong self-assessment will look at what techniques are already being used to secure data, how these can be improved and how new techniques (for example, pseudonymisation) can be harnessed. Achieving GDPR compliance is a challenge and an early self-assessment is vital.
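The following is an added illustration, not code from the article, of the difference the two passages above draw between anonymised and pseudonymised data. It contrasts an unkeyed SHA-256 of an e-mail address, which a dictionary attack over guessable addresses reverses and which therefore anonymises nothing, with a keyed HMAC pseudonym whose key is the ‘additional information’ kept separately from the dataset: without the key the token cannot be re-linked, while the controller holding the key still can, which is exactly why the result is still personal data. The customer rows and the guess list are constructed sample data.

```python
"""Naive hashing versus keyed pseudonymisation of a direct identifier.

Added example for illustration; the customer records below are constructed
sample data, not real individuals.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample table holding a direct identifier (e-mail) per row.
CUSTOMERS: List[Dict] = [
    {"id": 1, "email": "alice@example.com", "spend": 120},
    {"id": 2, "email": "bob@example.org", "spend": 75},
    {"id": 3, "email": "carol@example.net", "spend": 310},
]


def normalise(email: str) -> str:
    """Canonical form so that 'Bob@Example.org ' and 'bob@example.org' agree."""
    return email.strip().lower()


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Frequently mistaken for anonymisation: anyone who can enumerate likely
    addresses recomputes the hash and re-links the row (see reidentify()).
    """
    return hashlib.sha256(normalise(email).encode("utf-8")).hexdigest()


def pseudonymise(email: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256).

    `key` is the additional information that must be stored separately from
    the pseudonymised dataset; whoever holds it can still attribute a token
    to a person, so the output remains personal data.
    """
    return hmac.new(key, normalise(email).encode("utf-8"), hashlib.sha256).hexdigest()


def reidentify(token: str, candidates: Iterable[str],
               fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: apply `fn` to each guessable identifier and compare
    against the stored token. Returns the matching identifier, or None."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), token):
            return candidate
    return None


def build_pseudonymised_table(rows: List[Dict], key: bytes) -> List[Dict]:
    """Replace the direct identifier by its pseudonym; drop the raw e-mail."""
    return [{"pseudonym": pseudonymise(r["email"], key), "spend": r["spend"]}
            for r in rows]


def lookup(table: List[Dict], email: str, key: bytes) -> Optional[Dict]:
    """The key holder can still find a known person's row: that is what makes
    pseudonymised data personal data rather than anonymous data."""
    token = pseudonymise(email, key)
    for row in table:
        if hmac.compare_digest(row["pseudonym"], token):
            return row
    return None


def demo() -> Dict[str, object]:
    """Run the comparison end to end and return the observations."""
    key = secrets.token_bytes(32)           # kept apart from the table in practice
    guesses = [c["email"] for c in CUSTOMERS] + ["mallory@example.com"]
    target = "bob@example.org"
    naive_token = naive_hash(target)
    pseudo_token = pseudonymise(target, key)
    table = build_pseudonymised_table(CUSTOMERS, key)
    return {
        "naive_recovered": reidentify(naive_token, guesses, naive_hash),
        "pseudonym_recovered_without_key": reidentify(pseudo_token, guesses, naive_hash),
        "pseudonym_recovered_with_key": reidentify(
            pseudo_token, guesses, lambda e: pseudonymise(e, key)),
        "raw_email_left_in_table": any("email" in r for r in table),
        "key_holder_lookup_spend": lookup(table, " Bob@Example.org", key)["spend"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical consequence for a self-assessment is that a column of unkeyed hashes should be treated exactly like the original identifiers, and that the strength of a pseudonymisation scheme is the separation and protection of the key, not the hash function.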
Consent as a lawful basis for data-processing
Every data processing activity requires a lawful basis. Such a lawful basis may be provided directly by law, or by consent granted by the data subject, in each case according to the statutory requirements set out in Directive 95/46/EC and, importantly, in national data protection laws. This general principle remains unchanged under the GDPR; however, the new regulation provides new or additional requirements for such consent to be a valid lawful basis for the processing and transfer of personal data.
Pre-requisites for valid consent: fair processing notices
First, the GDPR requires that any consent of the data subject regarding the use of their personal data must be ‘freely given, specific, informed and unambiguous’ (article 4(11)) and, in comparison to the Directive, it puts additional hurdles in front of the controller seeking consent: the consent must be specific to the respective data-processing operation, and a request for it must therefore be ‘clearly distinguishable’ from any other matters covered in the same document (article 7(2)). Article 7(4) and Recital 43 make it clear that consent is presumed not to be given freely if the performance of a contract or provision of a service is made conditional upon consent to processing that is not necessary for that contract or service, or if there is ‘a clear imbalance between the data subject and the controller’. Further, article 7(3) requires that the data subject is given the right to withdraw consent at any time, and as easily as it was given, together with the right to have their personal data erased and so removed from further processing (article 17(1)(b)).
Second, these requirements come with the strict obligation on the controller to fully inform the data subject of the relevant matters and of their rights before the consent is given. As already required under the Directive, the individual must be informed about the categories of personal data to be processed, the purposes and retention period of the processing, the identity of the controller and any possible recipients of the data (article 13). A lack of transparent, complete and timely information would make the consent invalid.
Third, the GDPR requires the data subject to signal their consent by ‘a statement or by a clear affirmative action’. Thus, where under Directive 95/46/EC controllers could rely on implicit or ‘opt-out’ consent, the GDPR requires an active indication (see article 4(11)). As long as the individual’s consent is clearly indicated, such action might consist of ‘choosing technical settings for information society services’ or ‘another statement or conduct’, including, for example, ticking a box on a website (Recital 32). But silence, inactivity or pre-ticked boxes will no longer constitute valid consent by the data subject.
Where explicit consent is one of the possible grounds for compliance
The GDPR extends the list of special categories of personal data that are particularly sensitive ‘in relation to fundamental rights and freedoms’ of the individual and require ‘specific protection’ (see article 9). Besides those already mentioned under the existing Directive, like information on racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, article 9 of the GDPR also includes genetic data, biometric data processed for the purpose of uniquely identifying a person (both defined in article 4), and data concerning the individual’s sexual orientation. Processing of these sensitive data is prohibited unless one of the exceptions in article 9(2) applies; where the controller relies on consent, that consent must be ‘explicit’, which most probably excludes consent expressed through the individual’s conduct or choice of technical settings.
The same heightened standard applies under the GDPR with regard to consent required from children. Article 8 sets out the default position that children may only give valid consent to online services without parental authorisation from the age of 16. However, the regulation allows member states to deviate from that rule, as long as the minimum age is not below 13 years. Explicit consent is also required where the controller plans to make decisions about the data subject based solely on automated processing, including profiling, and relies on consent to do so (article 22(2)(c)), or where personal data is transferred to countries which do not provide a level of protection assessed as adequate and no other transfer mechanism is in place (article 49(1)(a)).