The General Data Protection Regulation (GDPR) (EU) 2016/679 of 27 April 2016, which comes into force in May 2018, will introduce major changes to the law on the processing of personal data in the European Union. Over the next ten months, several European Union and United States law firms we work very closely with will join us in providing you with more information on the GDPR. Different themes will be tackled month by month to help you prepare for the GDPR deadline.
Part 1 of this GDPR Series is brought to you by FIDAL, a French law firm. Subsequent blog entries in this series will be brought to you by the law firms of Mills & Reeve, Graf von Westphalen (Germany) and VanBenthem & Keulen (Netherlands) as well as Robinson & Cole (United States).
GDPR Effective Date & Geographical Scope of Application
The GDPR will apply as of 25 May 2018. It provides a single set of innovative rules directly applicable in the entire European Union (EU), without the need for national implementing measures – which means that any personal data processing ongoing at this date must comply with the GDPR. This leaves one year for companies to ensure compliance.
The GDPR provides for a scope of application wider than processing undertaken in EU countries. It will also apply to data controllers or subcontractors not established within the EU, but which process data with the aim of providing goods and services to EU residents or monitoring EU residents’ behaviour.
Several steps should be taken by businesses in order to achieve compliance with provisions of the GDPR:
- Changes to internal processes to comply with the accountability rules
In order to effectively manage personal data protection within your business, an individual should be nominated to take charge of informing and advising the business, as well as organizing its personal data activities. For many organisations, it will make sense to appoint a Data Protection Officer or "DPO" now in order to assess compliance as soon as possible, even outside the three circumstances in which the GDPR makes such an appointment mandatory (public bodies, large-scale monitoring and large-scale processing of criminal convictions, etc.). In any event, an audit of the personal data held and the processing undertaken makes sense.
The nominated person can then map data processing within the business and build a record of all ongoing data processing. On the basis of this information, a list of necessary actions can be prepared and prioritized in the light of risks to data subjects’ rights.
In practical terms, the principle of accountability means that businesses must track and document their compliance with data protection rules and keep these records available to respond to an inspection by state authorities.
- Promoting a risk-based approach
If any processing is identified as carrying a high risk to data subjects’ rights, the business should then conduct a Privacy Impact Assessment (PIA).
In addition, internal processes should be developed in order to respond to events likely to trigger the controller’s liability, such as security breach, requests to access or rectify data, update of processed data, change of subcontractor, etc.
Data protection safeguards shall be built into products and services from the earliest stage of development ("Privacy by Design"), making use of techniques such as pseudonymisation and encryption.
- Data transfers
Data transfers outside the EU are subject to EU law for any subsequent processing and transfer. Standard Contractual Clauses, Binding Corporate Rules and the Privacy Shield scheme may still be used for transfers outside the EU.
- Agreements between data controllers and their subcontractors
Data controllers’ agreements with their subcontractors will have to incorporate new mandatory elements set out by the GDPR. Existing long-term agreements may need to be redrafted. Subcontractors will now have their own direct obligations in certain key areas such as record-keeping and security, separately from the obligations on data controllers.
- A single data protection authority
In future, businesses will deal with a single supervisory authority in the EU country in which they are mainly based, rather than having to engage with authorities in all relevant countries. The lead authority will then work with other national data protection authorities to achieve an EU-wide approach.
- Negative impacts in case of a legal breach
Whereas the existing EU legislation (Directive 95/46/EC) leaves to Member States the task of determining and applying sanctions, the GDPR is more prescriptive. It provides for administrative fines to be imposed on data controllers and subcontractors. The amount of those fines can go up to the greater of 20 million Euros and 4% of annual global turnover.
In the event of a serious data breach, companies will have to inform the relevant data protection supervisory authority within tight timescales, as well as the data subjects themselves in the event of the most serious breaches.