Much has been written about the challenges and issues that companies will face when implementing new policies and adjusting to the obligations of the new European General Data Protection Regulation, GDPR in short. The following paragraphs will give you the gist of the new Regulation and the essential elements that you must take into consideration in your endeavors to adjust to the GDPR, which will take effect across the EU as of May 25, 2018. There is enough time for your organization to adjust, but work must start now. Our key approach in implementing new obligations and making the necessary adjustments to this new European framework for personal data collection and processing is based on two simple rules: simplicity and efficiency.
The rationale of the new GDPR
The current EU data protection framework is based on a 1995 Directive (95/46/EC) that precedes the age of social media and e-commerce. The new framework which was approved on April 27th of last year and focuses on giving EU data subjects more control over their personal data by expanding and clearly defining their rights. In doing so, the legislation has sought to make the purpose of data collection and the way in which data will be processed more transparent. And this will have to be clearly reflected in the policies that your organization sets forth. The GDPR also attempts to standardize some of the communication with the data subject (use of icons, visual simplification, access, etc.).
Broadly speaking, the core principles and rules are unchanged. The basic definitions of key concepts such as ‘processing’ or ‘personal data and sensitive data’ remain the same. So do the actors involved like ‘data subject’, ‘controller and processor’ and the ‘DPA – data protection authorities’. The processing of data is still conditional and the same rules of ‘purpose’ and ‘security’, for instance, remain valid*.
Among the fundamental changes are:
- the possibility for local DPAs to impose fines for violations (up to 20 million euro or 4% of a company’s global turnover);
- the implementation of collective action initiatives, by victims of data leaks for instance;
- the increased control of data by the data subjects; and
- the expanded geographic application of the Regulation to companies outside of the EU that offer services and products to persons and entities in the EU (e.g. web shops in China).
The most touchy subject will most probably be the control of personal data by data subjects. And we believe this is the area with the highest exposure to risk. It is therefore important to note that data subject’s consent should be explicit and affirmative (opt-in). This should be verifiable and the data subject must retain the right to change their mind at all times, update their data, and delete their data (and be forgotten). The data subject will also have the right to clear information on the processing of their data and the right to transfer data (portability).
Furthermore, the Regulation introduces two new responsibilities. The ‘privacy by design’ responsibility forces companies to take into account privacy measures when conceptualizing new information collection systems and to limit the data collection and processing to the strict minimum necessary for their legitimate purpose. This measure increases the accountability of companies and incites them to act in line with the GDPR. The second responsibility is the ‘privacy by default’ which stipulates that new collection and processing tools will by default be set to the maximum data protection level and that any deviation from this principle will require the explicit consent of the data subject. This means for instance that pre-filled fields are not recommended.
Which adjustments must you make?
There are three categories of adjustments your organization will need to implement.
- Legal adjustments: you will need to incorporate new and more defined guarantees and protections in your legal documents, including privacy policies and data processing agreements.
- Technical adjustments: new mechanisms will need to be built into your processes to request the explicit consent and allow data subjects to access their data and to save changes, for example.
- Organizational adjustments: you will need to ensure your company’s data handlers are properly informed and trained. For instance, you may need to implement a code of conduct or appoint a data officer.
Which steps should you take?
- Map out existing data streams and identify the different types of processing that your company engages in: describe the process, the purpose, the risks, including who has access, the flow (are third parties involved) etc.
- Assess the impact of the GDPR and devise the most efficient way to simplify and change processes and procedures, and to bring in additional technical and/or organizational safeguards in order to minimize exposure and avoid potential fines.
- Ensure your organization limits its involvement in data collections and processing to what is strictly needed. Ensure that the data is kept only for the duration needed. Review you privacy policies in light of full transparency and clear communication with the data subjects.
- Set in place internal policies to raise awareness and have various departments involved in data collection and processing accountable.
- Appoint a data protection officer that will play a central role in ensuring the above is being implemented and to act as a liaison with the various actors involved.
We are all awaiting more guidance from the Article 29 Working Party to understand how certain provisions will have to be implemented in practical and executable ways. Again, a lot of scary tactics have been used in ushering the new GDPR, but the most important hurdles will be practical ones. For instance, how will companies implement the right to be forgotten? What about the portability of personal data and standard setting? What will be the exposure of data processors in the future? We will know more in the weeks or months to come. Stay tuned!
*As a reminder, to be compliant with the data protection rules in the EU, you must:
- Process personal data in a transparent, compliant and comprehendible manner for the data subject.
- The collection should be pertinent and limited to a clearly stated objective.
- This objective should be specific, explicit and legitimate.
- The collected data should be correct, up to date and relevant.
- The data should be kept only for the period necessary for the processing.
- Security measures should be put in place to protect the data.