Guest post by Tim Maiorino, Counsel of Osborne Clarke
The newest EU legislation on data protection is the General Data Protection Regulation (GDPR) which will be enforceable from May 26th 2018. It will bring several important changes, altering the requirements of data protection law in the European Union.
The GDPR will replace the EU-Directive on Data Protection and, by extension, all transposing national regulation. The GDPR´s objective is to harmonise data protection legislation across the EU and to “protect the fundamental rights of natural persons to the protection of their personal data”, while promoting free movement of data within the EU.
An examination of the GDPR and its rules is inevitable for any business involving personal information, as it provides a uniform standard for data protection throughout the EU and is directly applicable in all member states. Content-wise, German law has served as a role model to the GDPR. Although it replaces most of the current data protection laws across the EU, the changes – though far-reaching – do not override the fundamental principles of the current regime. Rather, it preserves the basic principles while implementing stricter and more extensive rules.
The most significant changes regard the scope and applicability, data governance and allocation of responsibilities, data subjects´ rights (facilitation and expansion), and sanctions, which include heavy fines. The fines in case of non-compliance may be up to EUR 20 Mio. or 4 % of your worldwide turnover within the previous financial year.
Therefore, further action is required by businesses regarding the handling of personal data.
1. Interacting with Data Subjects
The GDPR establishes detailed requirements for both internal and external facing processes and policies, which can be divided into several steps.
Firstly, the internal processes should be identified and any possible information on the future use of personal data gathered.
Secondly, current policies and any external measures taken or information given with regard to the collection and use of personal data should be identified. You should be aware in which circumstances and at what point data is collected and what information the data subject is given on the use of their data. It is also necessary to identify the method used to obtain the data subjects consent, where applicable, and what channels are used by data subjects to file access requests.
Hereafter, discrepancies between internal and external processes can be recognised. It is essential to validate that the external facing policies match the internal processes and actual use of data. Controllers thus need be aware what the data subject (which includes staff, if their data is concerned) is told about how their data is used. When all internal and external processes and policies are known, they can be updated to comply with the detailed requirements in the GDPR. Only if you know your policies and processes, you will be able to ascertain the necessary steps to meet the extended requirements and to provide guidance and training to your representatives and staff.
2. Managing Compliance
You might now consider this more trouble than it´s worth, but there are several ways to facilitate compliance with the GDPR.
For example, there is the option (and sometimes obligation) to appoint a Data Protection Officer who will, amongst others, monitor and work towards compliance with the GDPR. The contact details of the Data Protection Officer should be published and provided to the Data Protection Authorities.
Any data controller should undertake impact assessments and privacy by design as required. All existing processing operations should be identified and current record-keeping arrangements reviewed.
With regard to external policies, controllers have the possibility to use industry codes, which may provide an orientation for handling certain situations to their employees. Also, for reasons of facilitation, using templates for external notifications in case of data breaches may be helpful.
3. Processors and Transfers
Generally, where data is used, it will also be transferred to third parties or processors. As this is regulated by the GDPR, controllers should be aware of and map their (international) data flow.
As requirements for data transfers change, standard form contracts and addenda need to be updated and / or prepared. Also, updates of procurement processes are required and procurement and IT-teams need to be trained accordingly to identify potential issues. Moreover, it is always advisable for customers and suppliers to work together to address changes and potential issues as well as conduct customer and supplier audits to safeguard both parties´ interests.
Although, essentially, it evolves the current data protection law, the GDPR brings several important changes to the obligations of data controllers and processors and to the corresponding rights of the data subjects.
Hence, not only is data protection and the requirements it sets our for business dealing with any type of personal information lifted to a significantly higher (meaning: more detailed, stricter and even more complex) level. The prominence of the GDRP brings significantly more attention to the topic and potential breaches are sanctioned more strictly than ever before.