Overview
The EU General Data Protection Regulation (GDPR) comes into force on May 25, 2018.
The GDPR makes many important changes to European Union (EU) data protection law, but it is not a complete departure from existing principles. Many of the concepts with which organizations are familiar will continue to apply under the GDPR. Thus, the GDPR will apply to the processing of personal data (information relating to an identified or identifiable natural person); processing includes the collection, recording, storage and structuring of that data or other operations performed with respect to it. However, one of the principal differences under the new regime relates to its extraterritorial application.
In this update, we therefore seek to address the questions of whether the GDPR will apply to your organization and, if so, what immediate steps need to be taken to ensure compliance.
Does It Apply?
The GDPR applies to all organizations that are established in the EU. This is a test that may be satisfied by a relatively minimal presence in the EU, for example through the use of a local agent or representative, a postal address and a bank account used for business purposes. If a business is established in the EU, the GDPR will apply to the processing of personal data in the context of that establishment’s activities, whether or not the processing takes place within the EU.
The GDPR also applies to non-EU organizations if they: (i) offer goods or services to EU residents; or (ii) monitor the behavior of EU residents.
For organizations that are not established in the EU, the question of what constitutes "offering" goods or services to EU residents is determined on a case-by-case basis, having regard to factors indicating that the organization envisages that its activities are directed towards data subjects in the EU. Thus:
- Mere website accessibility of a service in the EU is not sufficient to trigger application of the GDPR, as a greater degree of intent to direct activities at EU customers is required.
- Conversely, factors such as offering a service in the languages or currencies used in a Member State (if not also used in the country outside the EU from which the website operator principally conducts its business), the ability to place orders in that other language, or mentioning customers or users in a Member State may trigger application of the GDPR, as may other evidence of an intention to target EU customers.
The question of what constitutes "monitoring" is determined on a case-by-case basis:
- "monitoring" may include tracking an EU resident on the Internet; websites that use tracking cookies and apps that track usage with respect to EU residents constitute monitoring (if the aggregate information collected renders an individual identifiable); and
- "monitoring" may also include the use of data processing techniques to profile individuals, their behaviors or their attitudes (e.g., in order to analyze or predict personal preferences).
Given this expanded application, many organizations that are not currently subject to existing EU data protection law, especially online businesses, will be subject to the full range of compliance obligations under the GDPR.
The GDPR confers new rights on data subjects and extends existing ones. Under the GDPR, data subjects have the right to request access to their data, the rights to seek rectification of inaccurate personal data and to be notified of breaches of data security, the right to restrict data processing and to require the erasure of personal data and the right not to be subject to automated decision-making, in certain circumstances.
The GDPR requires that personal data be processed in a manner that is broadly similar to existing EU data protection rules. These require that any personal data should be:
- processed lawfully, fairly and in a transparent manner in relation to data subjects;
- collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
- adequate, relevant and limited to that which is necessary for its processing purposes;
- accurate and kept up to date;
- maintained in a form which permits identification of data subjects for no longer than is necessary for the original processing purpose;
- processed in a manner that ensures appropriate security of that personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage (using appropriate technical or organizational measures).
The data controller (the entity that determines the purpose and means by which the personal data is processed) is responsible for ensuring compliance (and must be able to demonstrate compliance) with these principles.
Given that the potential effects of non-compliance are much more significant under the GDPR (such as increased monetary sanctions for compliance violations, which are up to EUR20 million or 4 percent of annual global net revenue for serious breaches) and given that it explicitly confers a right to obtain compensation from a controller or processor, it will be important that organizations take their new data protection responsibilities seriously.
What Immediate Steps Should be Taken to Ensure Compliance?
1. Appoint Data Protection Officer (DPO) or Other Data Protection Leader
A significant aspect of the GDPR is demonstrating compliance. One of the ways in which organizations can demonstrate this is through the appointment of a person who is formally tasked with ensuring that an organization is aware of, and complies with, its data protection responsibilities.
- Determine whether the GDPR requires the business to designate a DPO. A DPO will be required if the business's core activities consist of personal data processing operations on a large scale that:
- require regular and systematic monitoring of data subjects;
- involve special categories of personal data (sensitive data); or
- relate to criminal convictions and offenses.
- Consider voluntarily appointing a data protection leader, even if the GDPR does not require appointing a DPO. Centralizing privacy and data protection functions under a designated leader improves accountability and provides a structure to help demonstrate compliance with the GDPR's requirements.
2. Determine if the Business Must Appoint EU Representative
A business that is subject to the GDPR, but which is not established in the EU, must appoint an EU representative in one of the member states where the organization offers goods or services or monitors behavior, as a point of contact for EU data subjects and National Supervisory Authorities, unless the processing of the personal data regarding those EU residents:
- is only occasional;
- does not involve on a large scale special categories of personal data (such as health data or data revealing ethnic origin and political beliefs); or
- does not involve personal data relating to criminal convictions or offenses; and
- is unlikely to result in a risk to a natural person's rights and freedoms, taking into account the processing's nature, context, scope, and purposes.
The GDPR indicates that the types of harm that create a risk to the rights and freedoms of natural persons include physical, material or non-material damage such as subsequent discrimination against that individual, identity theft or fraud and financial loss or reputational damage.
3. Audit and Map the Business's Data Processing Activities
Businesses must first understand what personal data they collect, hold, use, share, and otherwise process before they can create a plan for implementing the GDPR's requirements.
- Develop and review a personal data processing map documenting:
- the business's personal data processing activities, such as how the business collects, uses, shares, and otherwise processes personal data;
- the different types of personal data involved in those processing activities;
- the different types of data subjects and where they reside;
- why the business engages in the processing activity;
- the parties that may access the personal data, such as data processors and other third parties, and the types of personal data disclosed;
- the different business systems that store or process personal data, including electronic databases and the people responsible for those systems;
- the geographic locations where the business stores personal data;
- the electronic personal data flows, including data transfer, sharing, storage, exit, and destruction points;
- how long the business retains personal data; and
- the security controls and safeguards deployed to protect personal data.
Consider whether personal data is being transferred to third countries where safeguards for that data may be inadequate. At present the EU-US Privacy Shield (a binding legal instrument under European law) can be used as a legal basis for transferring personal data to the US. In the absence of the existence of a Commission “adequacy decision” with respect to a third country, the GDPR permits transfers outside the EU where a company has adopted binding corporate rules. These must commit the members of the relevant corporate group to specific standards with respect to data transferred outside the EU. Alternatively, appropriate safeguards might be put in place between contracting parties by the adoption of European Commission-approved standard, or model, clauses, in order to ensure adequate levels of protection with respect to the transfer of personal data outside the EU.
4. Review and Document the Business's Legal Basis for Processing Personal Data
- Ensure each processing activity meets at least one of the GDPR's legal processing grounds. For example, is the business relying on consent to process personal data, or is the processing necessary for the performance of a contract, for compliance with a legal obligation or for the pursuit of the organization’s legitimate interests?
- Without a lawful basis, the processing of personal data is unlawful and runs the risk of incurring substantial fines.
The concept of legitimate interests requires a delicate balancing exercise and is one that should take into account the original purpose for which the personal data was supplied and what might be thought to be the reasonable expectations of the data subject. Moreover, reliance on this as a ground for any processing should be linked to necessity (e.g. intra-group transfers of data or the submission of data to a debt collection agency in the event of a contractual breach). Any business relying on this as a lawful ground for processing must do so having regard to the fundamental rights and freedoms of the data subject, including the risk that processing poses to the data subject with respect to matters such as discrimination, identity theft or fraud and the possibility of financial loss or reputational damage. The business will need to establish that it considered how necessary its actions were, having regard to the privacy consequences for and possible harm to the data subject.
5. Review and Update Consent Mechanisms and Language
Consent, as a legal basis for processing, becomes harder for organizations to obtain and rely on under the GDPR. Any consent that is obtained must be a "freely given, specific, informed and unambiguous" indication of the data subject's wishes. Notably, the GDPR states that consent is not valid where there is a "clear imbalance" between the controller and the data subject. The GDPR cites the example of a public authority as possessing a degree of power that would demonstrate such a clear imbalance. Employees are likely to be similarly disadvantaged when dealing with their employers. However, beyond these clear-cut examples, much will depend on context and the degree of freedom to choose whether to contract with a commercial entity and conversely the detriment that will befall an individual should he or she refuse to provide his or her consent.
Identify all processing activities that currently rely on the data subject's consent as the legal basis for processing.
- Consider whether the business could rely on a different legal basis for the processing.
- If relying on consent, ensure that:
- data subjects are provided with a clear explanation of the processing to which they are consenting;
- the consent mechanism is genuinely of a voluntary and "opt-in" nature;
- data subjects are permitted to withdraw their consent easily;
- the organization does not rely on silence or inactivity to collect consent (e.g., pre-ticked boxes do not constitute valid consent); rather, some type of affirmative action is required (such as checking an unchecked box, actively selecting a technical setting, or answering a specific yes or no question); and
- the consent request is presented separately from other written matters, so that the data subject clearly understands what is being requested.
6. Review and Update Privacy Notices
One of the key changes under the GDPR is the level of information that organizations are required to provide to data subjects. This information takes the form of a “privacy notice.”
- Updated privacy notices will need to be provided to all data subjects to include the enhanced information that is required to be provided to data subjects under the GDPR. This information includes:
- The identity and contact details of the data controller (and where applicable, the controller’s representative) and any data protection officer
- The purpose of the processing and the legal basis for the processing
- The legitimate interests of the controller (or any third party, where applicable)
- Categories of personal data
- Any recipient or categories of recipients of the personal data
- Details of transfers to third countries and the requisite safeguards
- Retention period or criteria used to determine the retention period
- The existence of each of the data subject's rights
- The right of the data subject to withdraw consent at any time, where relevant
- The right of the data subject to lodge a complaint with a supervisory authority
- The source the personal data originates from and whether it came from publicly accessible sources
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data
- The existence of automated decision-making, including profiling and information about how decisions are made, the significance and the consequences of this.
- Privacy notices should use real, tangible examples to make the information meaningful and understandable, particularly when discussing potential consequences, profiling, or explaining technology.
7. Review and Update Vendor and Service Contracts
Under the GDPR, the concept of a "processor" does not change. However, whereas the current EU data protection regime generally imposes direct compliance obligations only on controllers, the GDPR imposes direct compliance obligations on both controllers and processors, and both controllers and processors will face direct enforcement and serious penalties if they do not comply with the new EU data protection law. The GDPR also imposes a significant duty of care on a data controller when choosing a third party processor. The GDPR spells out a number of matters that must be covered in contracts with third party processors, which must accept obligations relating to security matters, responsibility for assistance with security breaches and audit obligations.
- Whether they are data processors or data controllers that engage other entities as data processors, organizations should carefully review their existing data processing agreements and consider whether any amendments are required to reflect the new contractual provisions that are mandated by the GDPR such as the need to ensure that the processor provides assistance relating to the controller’s GDPR obligations toward its data subjects, to ensure processor data security, the acceptance of responsibility for assistance with security breaches by the processor and for compliance audits. The processor must also agree not to appoint any sub-processor without the controller’s prior written authorization.
8. Prepare for New Data Breach Notification Requirements
The GDPR requires businesses to report data breaches to the relevant National Supervisory Authority within 72 hours of detection. There is a further requirement that a data subject should be promptly informed of any personal data breach that is likely to result in a high risk to his or her rights and freedoms. As indicated above, this includes tangible or intangible damage such as subsequent individual discrimination, identity theft or fraud and financial loss or reputational harm.
- Ensure that there are appropriate processes and templates in place for identifying, reviewing and (to the extent required) promptly reporting data breaches.
9. Data Protection Impact Assessments
Data Protection Impact Assessments are another tool that can be used to help organizations demonstrate that they are complying with the GDPR. They are designed to enable organizations to work out the risks that are inherent in proposed data processing activities before those activities commence. This, in turn, enables organizations to address and mitigate those risks before the processing begins.
- Review data processing activities and consider whether any of them present compliance risks from a data protection perspective. Each processing activity that presents such risks should be the subject of a Data Protection Impact Assessment.
High-risk activities are likely to include:
- Automated profiling – Profiling activities (e.g., automated refusal of credit card applications; tracking customers' browsing habits to offer discounts, etc.) by their nature affect the privacy of individuals. They therefore present an elevated level of risk.
- Systematic monitoring – Systematic monitoring of individuals is generally high-risk from a privacy perspective.
- CCTV monitoring of public spaces – The GDPR specifically identifies the systematic monitoring of public spaces as a high-risk activity.
Activities that are likely to be of medium risk include:
- Processing the personal data of vulnerable individuals – It is important to take extra care when processing the personal data of children and other vulnerable individuals.
- Large-scale processing of personal data – Some organizations process personal data on a very large scale. A degree of risk is inevitable, because of the large number of individuals affected by issues such as database errors or data breaches.
How Can Steptoe Help Organizations Prepare?
We have dedicated teams in our London, Brussels and New York offices that can assist with any questions that you may have with respect to GDPR compliance. Their details can be found below:
- Paul Hughes, a solicitor (Ireland and England & Wales) based in the firm's Brussels office, holds a Certificate in Data Protection Practice from the Law Society of Ireland and focuses his practice on privacy and data protection as well as UK and EU competition law, with an emphasis on compliance and enforcement issues.
- Yves Melin is a Belgian-qualified international trade, customs, and EU regulatory lawyer. He advises companies on data protection compliance and the interaction between export control rules and data protection law. He holds the CIPP/E certification as a Certified Information Privacy Professional from the International Association of Privacy Professionals (IAPP).
- Philip Woolfson concentrates on EU re/insurance law and regulation. He has unique experience of the legal issues facing the sector, in particular in a cross-border context within the EU. He advises EU and foreign re/insurance undertakings, intermediaries, and associations on prudential supervision, regulatory, and corporate-commercial questions arising out of their operations. He also advises on compliance issues, such as protection of personal data, anti-money laundering, and on EU tax law.
- Michael Vatis leads Steptoe's Privacy and Cybersecurity Group. He regularly advises clients on compliance with US and international data privacy requirements and on prevention of, and response to, data breaches. He also represents clients in litigation and regulatory enforcement actions arising from data breaches.