Jones Day’s Dr. Undine von Diemar and Mauricio Paez look at the changes being driven by the EU’s new data-privacy rules.
Let’s start off with some background on the GDPR, the General Data Protection Regulation in the European Union (EU). When does it go into effect? What is the scope in terms of who and what it applies to?
Regulation (EU) 2016/679, the GDPR, will be applicable as of May 25, 2018, in all member states of the EU. In general terms, the regulation is applicable to businesses in the EU that act as data controllers (organizations that decide on the means and purpose of data processing) or data processors (organizations that process the personal data on behalf and under the direction of the data controller). The regulation is also applicable to businesses established outside of the EU that process the personal data of individuals located in the EU in relation to the offering of goods or services or the monitoring of such individuals’ behavior in the EU.
How does the GDPR differ from the Data Protection Directive that has been in place in the EU?
While the GDPR contains concepts and principles similar to those in Directive 95/46/EC (the Data Protection Directive), the GDPR represents a significant change from that directive in several areas:
- The Data Protection Directive placed obligations on EU member states and was transposed into 28 national laws in the EU, resulting in some differing approaches across member states. In contrast, the GDPR is directly applicable to all member states and provides one set of data protection rules across the EU, although certain provisions permit member states to expand on a few requirements.
- The GDPR’s scope is global. If a company, regardless of where it is established, is handling personal data in connection with an offering of products or services to, or with the monitoring of the behavior of, EU residents, it is subject to the jurisdiction of the GDPR, even if it is established outside of the EU.
- The GDPR highlights the EU’s preference to avoid reliance on consent as the underlying legal basis for the processing of personal data by imposing a heightened standard for companies to obtain valid consent from data subjects. Data controllers must request and receive consent from data subjects that is “freely given, specific, informed and unambiguous.” Furthermore, the request for consent must clearly explain what data is being collected, how and why it is being used, and what rights and means a data subject has for reviewing or revoking the data. Entities that rely on consent for their business activities need to be mindful that the data subject may revoke consent at any time.
- The GDPR retains existing rights of data subjects, such as access, rectification, erasure and the right to object. It also provides new rights, such as data portability, restriction of processing and the right to be forgotten. With respect to transparency, the regulation creates additional categories of information that must be provided at the point of data collection, or within a reasonable period thereafter, and requires that clear and plain language be used, adapted to the individual data subject.
- The GDPR strengthens accountability by introducing new responsibilities that include:
  - Implementation of data protection policies and measures to ensure that data processing activities comply with the GDPR;
  - Data protection by design and data protection by default;
  - Record-keeping obligations by controllers and processors;
  - Cooperation with supervisory authorities by controllers and processors;
  - Data protection impact assessments for operations that present specific risks to individuals due to the nature or scope of the operation;
  - Prior consultation with Data Protection Authorities (DPAs) in high risk cases; and
  - Mandatory data protection officers for controllers and processors engaged in certain big data processing activities.
- Unlike the Data Protection Directive, which only applied to data controllers, the GDPR imposes new compliance obligations and potential sanctions on service providers (data processors). These new obligations include:
  - Securing consent from controllers to subcontract a service;
  - Executing revised agreements with controllers, including specific terms;
  - Maintaining records for processing activities;
  - Implementing appropriate security measures;
  - Cooperating with supervisory authorities if requested to do so;
  - Appointing a Data Protection Officer in certain circumstances; and
  - Complying with international data transfer requirements.
- Similar to the Data Protection Directive, the GDPR requires appropriate safeguards and conditions for transfers of personal data out of the EU to jurisdictions that have not been officially recognized as offering an adequate level of protection of personal data by the EU Commission. The GDPR expands the range of measures that can be used to render such transfers compliant, such as explicitly including Binding Corporate Rules, standard contractual clauses (SCCs) adopted by the Commission, SCCs adopted by a DPA and approved by the Commission, an approved code of conduct, an approved certification mechanism, and other contractual clauses a DPA deems in accordance with the “consistency mechanism.”
- While the obligation to incorporate and maintain appropriate technical and organizational measures to protect personal data already existed for controllers, the GDPR expands this obligation to processors. It also introduces a new requirement for controllers to report data breaches, within 72 hours of becoming aware of a breach, to relevant DPAs, unless the breach is “unlikely to result in a risk for the rights and freedoms of natural persons.” If the risk to individuals is high, then the individual data subjects must also be notified.
- Beyond a significant increase in the potential severity in fines, individual data subjects (or consumer bodies on behalf of individuals, when permitted under member-state law) are now granted the right to compensation for breaches of the GDPR for material or immaterial damages. Individuals are also granted judicial remedies against decisions of a DPA that concern them and the right to compel a DPA to act on a complaint and against data controllers and processors that breach their rights by not complying with the GDPR.
What should our readers know about the rights of individuals?
As referenced above, the GDPR significantly reinforces individuals’ rights. A data subject is referenced as an identified or identifiable natural person. Data subjects can include a company’s employees, customers or potential customers. Expanding on the above, the new right to portability gives individuals who have provided information to businesses on the basis of their consent or as part of a contract the right to receive such information in a “structured, commonly used and machine-readable format.” The GDPR also introduces, under certain circumstances, the right to have data transmitted from one business to another where technically feasible. Additionally, with respect to subject access requests, it removes the right to charge a fee unless the request is “manifestly excessive.”
What are some of the key organizational and technical components required to demonstrate compliance?
Under the GDPR, data controllers and processors are responsible, and must be able to demonstrate, that their processing is compliant with the GDPR. The key components to consider when implementing technical and organizational measures proportionate to the volume and sensitivity of the data are internal policies, internal allocation of responsibilities and training. There should be clear documentation of these security techniques in addition to regular testing and updating. Internal data protection policies, such as incorporating privacy by design and default into data processing activities, or the introduction of a new system or product, would be a great start.
What should our readers know about third-party relationships?
Controllers are responsible for ensuring that any third parties processing personal data on their behalf are doing so with the appropriate attention to security and compliance. The GDPR also renders a company responsible for all actions taken by a third-party service provider concerning the processing of personal data. Additionally, the GDPR provides that a service provider is not permitted to subcontract any services without approval from the controller, thereby rendering the controller responsible for whoever is processing their personal data. Because the GDPR places the onus on controllers and processors to demonstrate compliance, it is in the interest of companies not to assume that their third-party vendors are GDPR compliant. The first step in mitigating third-party processing risks is to accurately identify third-party providers that are within the scope of the GDPR. Second, companies should understand whether these third parties are acting as controllers, processors or both with respect to the relevant personal data. Third, underlying agreements with third parties must be revised to include new key data processing obligations and restrictions under the GDPR. Fourth, companies should regularly audit their third-party vendors’ processes to ensure ongoing compliance.
What is the breach notification period and how does it work?
The GDPR is the first European data protection legislation to embed breach notification rules into EU law on such a large scale. Under the regulation, the definition of data breach expands to include any unauthorized disclosure. Article 33 of the GDPR contains the requirements for notification of breaches to the data protection regulators. Article 34 of the GDPR sets out the conditions for controllers to inform data subjects of data breaches and the accompanying requirements. The regulation also specifically mentions that the reporting of personal data breaches forms part of the accountability principle. As previously noted, the GDPR requires notice by data controllers within 72 hours to relevant DPAs.
How do you expect the GDPR to be enforced? Who will enforce it?
Everyone is concerned about the potential fines the GDPR introduces for non-compliance: Penalties for infractions such as not notifying authorities of a breach and not conducting impact assessments can reach up to 2 percent of an organization’s annual world-wide revenue (of the preceding year) or €10 million, whichever is greater. More serious data privacy violations can result in fines up to 4 percent of an organization’s annual world-wide revenue (of the preceding year) or €20 million, whichever is greater. The DPA is tasked with monitoring whether individual data subjects can exercise their rights and evaluating whether the processing of personal data complies with the processing standards provided in the GDPR. The DPA is likely to focus on infringements of the GDPR pertaining to:
- The basic principles for processing, including surrounding consent;
- The data subjects’ rights;
- The conditions for lawful international transfers of data;
- Specific obligations under national law, where the regulation permits member states to tailor requirements;
- Orders by DPAs (such as suspension of data flows).
However, in all circumstances, the remedy for violations should be “effective, proportionate and dissuasive.” DPAs must also consider the “nature, gravity and duration of the infringement having regard to the nature, scope or purpose of processing” as well as “the intentional or negligent character of infringement.” If the DPA is acting on suspicion of a violation, it will likely call on its various investigative powers, such as requesting additional information related to processing, or accessing all personal data or carrying out a data protection audit by obtaining access to any premises, including data processing equipment and means. If the DPA is acting on a confirmed violation, the DPA may choose to issue a reprimand or issue an order to bring processing operations into compliance with the GDPR. Aside from fines, if the DPA determines that less serious measures have not resulted in compliance, the DPA may order the suspension of data flows to third countries or impose temporary or definitive limitations on processing, including a full ban on processing. With respect to how the GDPR will be enforced, it is likely that DPAs will target companies that process high levels of personal data of European citizens as a large component of their business model. However, this is definitely an uncertainty.
What are some of the other uncertainties as this gets implemented?
A major uncertainty related to the GDPR is the lack of precedent and the fact that compliance will be assessed on a case-by-case basis, depending on the nature and volume of data processed. While the Article 29 Working Party (which per the GDPR will be replaced by the European Data Protection Board) has issued guidance and there are components of the regulation that are necessary to demonstrate compliance, the GDPR takes a risk-based approach to data protection. This means that data controllers are encouraged to implement protective measures ensuring a level of security appropriate to the risk of the data processing activities. However, there is no clear standard of GDPR compliant technical measures in the regulation, only a reference to take into account “the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.” There is also uncertainty as to which entities or industries the DPAs will target first.
How is exposure gauged, given that various rights are still to be adjudicated?
As mentioned above, the GDPR takes a risk-based approach to data protection. This means that data controllers (organizations that control the processing of personal data) are encouraged to implement protective measures corresponding to the level of risk of their data processing activities. Risk analysis is contextual and certain processing activities are viewed as higher risk than others. Risk is not clearly defined but the regulation’s recitals provide examples. The European Data Protection Board will have the power to determine the risk level of processing activities and issue related guidance, and Article 33 of the GDPR provides three examples of high risk activities: One, “systematic and extensive” automated profiling that “significantly affects” individuals. Two, large-scale processing of special categories of data. And three, large-scale, “systematic monitoring of a publicly accessible area.” Recital 75 of the GDPR provides other examples of activities likely to pose a risk to data subjects, such as processing activities that could result in processing leading to discrimination, identity theft or fraud, financial loss, reputational damage, etc. DPAs and the European Data Protection Board will be empowered to identify other activities that are likely to be riskier or not with respect to the rights and freedoms of data subjects. Therefore, it is important to note that these determinations are not exclusive and companies should pay close attention to the activities DPAs target in their enforcement.
What are the general assessment and risk mitigation protocols?
Article 32 of the GDPR lists the elements of a security risk assessment process to ensure controls are appropriately designed and implemented. The task of risk mitigation requires companies to identify and understand the full information lifecycle. In general, an effective risk assessment process helps accelerate the identification of the linkage between risks and internal controls. These processes help reduce GDPR compliance gaps and improve risk mitigation strategies. Only by looking clearly at an entity’s particular data flows and changes to such data maps can the appropriate protocols be introduced. Controllers and processors should consider factors such as cyber and technology environment; incident detection and response; management of security; results of threat and vulnerability assessments and security maturity assessments; human factors; the physical environment; and the policy, controls and business processes framework.
What are the implications for international transfers?
The GDPR continues the main existing principles – i.e., prohibition of international transfer of personal data to a recipient not located in a country ensuring sufficient protection of personal data, unless one of the limited exceptions applies or an appropriate safeguard is in place. The appropriate safeguards to secure international data transfers under the GDPR are substantially the same as the current ones: adequacy decision relating to a country, or implementation of standard contractual clauses or of binding corporate rules. Even though such principles are unchanged, it should be noted that breaches of the requirements applicable to international data transfers will be sanctioned by the highest level of administrative fines (up to the greater of 4 percent of the worldwide turnover or €20 million).
What are the top five items to include on a compliance checklist?
The top five most common items for a compliance checklist would typically include preparation of the record of processing activities; updating privacy notices/consents and internal policies; ensuring that agreements with data processors include the mandatory provisions required by the GDPR; implementing a suitable framework for international transfers of personal data; and defining procedures for responding to data subjects’ rights as well as for breach notification and response.
Note: The views expressed are the personal views of the lawyers and do not necessarily reflect those of the law firm with which they are associated.
Mauricio Paez advises Fortune 100 companies concerning legal issues with digital transformations, space-based data services, global e-commerce, digital marketing, data protection and privacy, cybersecurity, cyber governance, technology sourcing and outsourcing, and emerging technology matters. He also assists clients with data breach response and conducts data privacy assessments, information security compliance audits, and cyber investigations on a worldwide scale, including managing third-party forensic investigations. Reach him at firstname.lastname@example.org.
Dr. Undine von Diemar's practice focuses on technology transactions, in particular cloud computing and IT outsourcing, and on data protection matters, including international data transfers, data breaches, internal investigations, e-discovery, and global compliance projects. Undine coordinates Jones Day's European Privacy & Cybersecurity practice, which consists of a team of dedicated privacy lawyers across Jones Day's European offices. Reach her at email@example.com.
Published April 2, 2018.