As it is widely known, the General Data Protection Regulation (216/679 (EU)) (GDPR) was announced on April 27, 2016 and will be applicable as of May 25, 2018. Simultaneously the 95/46 EC directive (the “Directive”) will be set aside. Although the GDPR’s main concepts and principles are much the same as those of the Directive and thus the national data protection acts, the GDPR does prescribe certain new obligations (such as the DPO, the right to data portability, etc.) and a much higher limit of fines, suggesting that privacy will be taken more seriously in the future.
As the effective date approaches, more and more companies are having to consider how to prepare for the new regulation. There are multiple memos, lectures, and professional events designed to draw the attention of general counsels and in-house lawyers to the rules which have to be implemented within their organizations in the coming year. In order not to be lost in this jungle of information and highlights, it is important to set up your own systematic plan for how you will carry out this task. In this article I would like to give you some tips and suggestions in this regard.
The UK Information Commissioner’s Office (ICO) summarized in 12 points the main steps that have to be taken in order to be prepared for the end of the GDPR’s lead-in period (the “Preparatory Guidelines”). The Preparatory Guidelines may be a very good starting point and may help you to think over and plan your approach to GDPR compliance. It suggests, as a first step, raising awareness within your organization to the fact that the applicable law is changing to the GDPR, and considering what this change may mean for your organization, as it is immensely important for you to enjoy the support of the top management.
Beside communicating the relevance of the GDPR within the organization, it is also essential to assess the current status of data handling across the organization. This may be done by some kind of “internal privacy audit” or “data mapping,” which includes a review of the current privacy notices, and the way interviews are held in all particular business areas (e.g., HR, recruitment, marketing, customer care, etc.). As a result of this data mapping you will gain a clear picture of what kind of personal data the company holds, where the data come from, who the company shares it with, what the legal grounds and aims of data handling are, whether the methods of data handling are truly necessary to reach those aims, and what kind of technical measures need be taken to keep the data safe.
Once you have the results of the data mapping, the necessary measures to rectify the revealed shortcomings should be carefully designed. The good news is that if you are complying properly with the currently applicable data protection law then most of your practice will remain valid under the GDPR, as the main principles are unchanged from those in the Directive. Nevertheless, there may be certain issues or areas where some kind of fine-tuning may be needed. Irrespective of the quantity of the actual work, it is practical to divide the steps necessary to be taken into three main areas: 1. Substantive requirements, 2. Procedural requirements, and 3. Technical requirements.
Substantive Requirements
In terms of substantive requirements the most important thing is to make sure that all data processing being carried out has an appropriate legal basis that and that the data subject is appropriately notified of all those circumstances which are relevant from a privacy point of view (i.e., the legal basis is carefully selected and identified and a privacy notice is appropriately drafted).
Furthermore, the GDPR sets out a new obligation for the data controller if the data processing is likely to result in a high risk to the data subject. In this case the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a “Privacy Impact Assessment” or “PIA”). Among the circumstances in which the PIA shall be carried out is when the data processing entails automated individual decision-making, including profiling processes. Although the obligatory PIA is a new acquis of the GDPR, it existed beforehand as a “best practice,” which entailed and facilitated the application of the privacy by design approach. So within the substantial requirements it is highly recommended to carry out and document the PIA appropriately, in case such documentation is required. The code of practice of the ICO may serve as a great help both for identifying when a PIA is needed and finding out how to produce a PIA report.
Procedural Requirements
Compared to the current regulation, the GDPR places greater emphasis on the administration and documentation on the data controller side to serve as evidence that the controller is complying with the accountability and transparency principles. This means that data controllers should review and improve their internal governance and data handling processes. In this regard the first thing to be arranged is the revision or implementation (as the case may be) of an internal privacy policy, to ensure that the data handling procedure is fully in compliance with the GDPR across the entire company.
It is necessary to implement procedures which ensure that the company handles the enforcement of the individual’s fundamental rights based on the GDPR appropriately (e.g., by implementing smooth procedures for when a data subject asks for data erasure or requests information regarding the data that has been processed). These rights are the same as those that already exist under the Directive: For example, the right to have information about all data handled, the right to have inaccuracies corrected, and the rights to have personal data erased and to prevent direct marketing. However, certain rights are broadened or introduced by the GDPR, such as the right to prevent automated decision-making and profiling, the right to be forgotten, and that of data portability. This last right is closely related to the right of access, but it differs in the sense that it ensures that the personal data be transmitted in a structured, commonly-used, and machine-readable format per the request of the data subject and thus facilitates the change between different service providers. The guideline on the right to data portability issued by the Article 29 Data Protection Working Party sets forth the main factors in this regard.
The procedural requirements also pertain to the rules applicable in the event someone intends to launch a new service, tool, or application within the organization which entails or affects personal data handling. In this case, it should be determined how the IPA will be carried out and by whom, who will be in control of the implementation of the privacy by design principle, and so on. The procedural rules also have to regulate the documentation and filing method of all privacy-related documents (such as privacy notices, consent of the data subjects, test on legitimate interest, etc.) in order to be accurately presented in case of a contingent authority investigation. Moreover, the privacy policy has to consider also the technical requirements regarding data storage, processing, and transmission, and the steps to be followed in case of a privacy incident (with special regard to the mandatory notification to be sent to the competent authority or to the injured data subjects). And with this criterion, we have arrived the last requirement that I wish to mention in my article: The technical requirements.
Technical Requirements
The GDPR obliges data controllers and processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures include, among others, the pseudonymization and encryption of personal data, ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, and the ability to restore the availability of the data in the event of a physical or technical incident. The effectiveness of these measures shall be regularly tested, reviewed, and evaluated. These requirements are primarily technical in nature and thus are mainly the responsibility of those colleagues who deal with technical issues for the company – presumably somewhere outside the legal department. However, these requirements can only be implemented and regularly reviewed with the effective assistance of the legal department and followed by the guidelines which entail the legal factors and requirements. Therefore, in this field the close cooperation of the technical and legal staffs is indispensable.
With this short article I aimed to draw attention to the importance of setting up a plan to prepare for the GDPR and to tailor it to the specific circumstances and distinctive traits of your company, and to give some guidelines and assistance regarding the factors which should be taken into account when you are planning the milestones to lead to a fully compliant privacy practice within your organization by May 25, 2018. I wish you a very successful preparation!
This Article was originally published in Issue 4.4 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.
