Legal Update: New Data Protection Regulation – How to Prepare Yourself for the New Requirements?
25 April 2016
Finally, after more than four years of debate, lobbying and negotiations, the new EU General Data Protection Regulation (“GDPR”) replacing the 20-year-old Data Protection Directive (45/95/EC, “Directive”) was finally formally approved by the EU Parliament on 14 April 2016.
We are expecting that the GDPR will be published in the Official Journal of EU in June 2016, which will begin a two-year transition period. During that transition period, the businesses should review and adjust their data processing practices in order to meet the new requirements imposed by the GDPR.
Below we have described the key contents of the GDPR and provided a list of action points for companies to prepare for the GDPR.
1. Broader scope of application
Application to processors
The GDPR shall apply to any processing of personal data in the context of the activities of an establishment of a controller or a processor of data in the EU, regardless of whether the processing itself takes place within the EU or not. Whereas the current Directive only imposes statutory obligations on data controllers, under the GDPR data processors (i.e. entities who process personal data on behalf of a data controller) will have direct and independent obligations to comply with particular data protection requirements which previously only applied to data controllers.
Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this regard.
- Planning and operational implementation of the requirements imposed on processors
Application to off-shore processing
As compared to the Directive, the GDPR has a broader territorial scope as it applies to not only data controllers and processors established in the EU but also to data controllers and processors outside the EU provided that the processing activities of such non-EU controllers/processors are related to (i) the offering of goods or services to EU data subjects (regardless of whether payment for the goods or services is required), or (ii) the monitoring of the behaviour of EU data subjects to the extent that the behaviour takes place in the EU.
According to the GDPR, mere accessibility of the controller’s or processor’s website in the EU or of an e-mail address and other contact details or the use of a language generally used in a third country where the controller is established, is insufficient to ascertain intention of offering goods or services to EU data subjects. Instead, the use of a language or a currency generally used in one or more EU Member States with the possibility of ordering goods and services in that other language, and/or the mentioning of customers or users who are in the EU, may make it apparent that the controller envisages offering goods or services to such data subjects in the EU.
With regard to monitoring the behaviour of EU data subjects, it should be ascertained whether the individuals are tracked on the internet including through potential subsequent use of data processing techniques, which consist of profiling an individual, particularly in order to make decisions concerning them or for analysing or predicting their personal preferences, behaviours and attitudes.
- For non-EU controllers and processors to review the current data collection practices in order to determine whether their data processing activities fall within the scope of GDPR and thus would be caught by the territorial reach criteria
2. Definition of personal data
In the GDPR, the definition of personal data has been slightly expanded and means, “any information related to an identified or identifiable natural person or 'data subject'. According to the definition, an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Thus, for example, IP addresses and cookies could be considered personal data.
The definition of sensitive personal data is expanded to cover genetic data as well (such as DNA samples) and biometric data processed to identify a person uniquely (such as fingerprints).
Whereas it is clearly stated that the GDPR shall not be applicable to anonymised data (i.e. data from which the data subject is no longer identifiable), the GDPR recognises that there is category of data between anonymised and personally identifiable data. This is called pseudonymisation, which refers to the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information as long as such additional information is kept separate and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person.
- Review of current data collection practices in order to determine whether the data is regarded as personal data (non-sensitive or sensitive) or not
- Documentation of personal data held, the source of the data and the practices for sharing the data
- Use of anonymization or pseudonymisation as much as possible
3. More stringent consent requirements
In order to be regarded as valid consent, consent for the processing of personal data must be clear and have an unambiguous indication of a data subject’s agreement to the processing of their personal data. This could include i) ticking a box when visiting an internet website, ii) choosing technical settings for information society services or iii) any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence, pre-ticked boxes, inactivity or any other type of implied consent would no longer be sufficient.
A request for consent must be “clearly distinguishable” from any other matters in a written document, and it must be provided “in an intelligible and easily accessible form, using clear and plain language”. Thus, consent cannot be “hidden” within other contractual documents, such as general terms and conditions.
If consent obtained prior to the application date of the GDPR does not meet the requirements set forth in the GDPR, new consent should be sought from the data subjects.
- Review of current means and mechanisms for requesting and obtaining consent from the data subject
- Deployment of new consent requirements
- Provision of simple methods for withdrawing consent
4. Obligation to appoint a data protection officer
Controllers and processors are obliged to designate a data protection officer for example i) if the processing is carried out by a public authority; ii) if core activities of the controller or the processor consist of processing operations which, require regular and systematic monitoring of data subjects on a large scale; or iii) if sensitive data is processed on a large scale. The agreed wording of the GDPR does not contain any quantitative thresholds (e.g. in terms of number of employees or data subjects) with respect to an obligation to appoint a data protection officer.
A group of undertakings may appoint a single data protection officer provided that the data protection officer is easily accessible by each member of the group.
The GDPR requires data protection officers to be designated on the basis of professional qualities and to have expert knowledge of data protection law and practices. Even if there would not be an obligation to appoint a DPO, it would be advisable to consider designation of a person(s) to take responsibility for data protection compliance.
- Designation of a data protection officer if required, or someone responsible for data protection compliance
5. Transparency and obligation to maintain records
As compared to the Directive, the GDPR requires that companies provide more detailed information to the data subjects. The GDPR contains an extensive list of information that controllers are obliged to provide to data subjects. Information requirements slightly vary depending on whether the personal data is to be obtained directly from the data subject or indirectly from somewhere else. Information must be provided in a concise, transparent, intelligible and easily accessible way using clear and plain language.
The GDPR also requires data controllers and processors to maintain records relating to their respective processing activities. Content requirements for such records are close to that of the description of the data file (in Finnish: rekisteriseloste) currently required to be drafted by data controllers under the Finnish Personal Data Act. Records must be made available to the supervisory authority upon request.
- Review of current practices relating to information notices (e.g. privacy policies) to individuals and implementation of new notice requirements
6. New rights for individuals
The GDPR provides new rights for individuals. These include, for example, the right to have information deleted (so called “right to be forgotten”, “RTBF”) and data portability.
Pursuant to the RTBF, data subjects shall have the right to request the deletion of personal data, e.g. if i) the data is no longer needed for the purposes by which it was collected; ii) the data subject withdraws consent; iii) the data subject objects to the processing; or iv) the data was processed unlawfully. If the data controller has an obligation to erase data, it must also take “reasonable steps” to inform other controllers that are processing the data about the person’s objection. The GDPR contains a list of exemptions to RTBF.
Data portability requires the data controller to provide the data subject with the personal data concerning him/her in a structured, commonly used, machine-readable and interoperable format. Data portability applies only to data that has been provided to the data controller by the data subject where the processing is based on the data subject’s consent or data is being processed to fulfil a contract.
- Review of procedures related to enabling the exercising of data subjects’ rights
- Review of data formats currently used and revision of procedures in order to meet the new format requirements related to data portability
7. Data security and data breach notification
Data controllers and processors will be obliged to use appropriate and organizational measures taking into account “the state of the art and costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals.” The GDPR provides a list of security measures that may be regarded as “appropriate”:
- Pseudonymisation and encryption of personal data
- The ability to ensure ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data
- The ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
Controllers and processors complying either with an approved code of conduct or an approved certification mechanism may use such tools to demonstrate compliance with the GDPR’s security standards.
Under the GDPR, in the event of a personal data breach, data controllers must notify the appropriate supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. Notice is not required if the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. Minimum content requirements for notice are provided for in the GDPR. In the event that a data processor experiences a personal data breach, it must notify the controller but does not have an obligation to the notify DPA.
The GDPR also requires a data controller to inform data subjects without undue delay about the breach if the breach is likely to result in a high risk to the rights and freedoms of individuals.
- Preparation of procedures for a data breach, including detection, reporting and investigation of data breaches
8. Privacy Impact Assessment (PIA)
The GDPR requires controllers and processors to conduct an assessment of the impact of the envisaged processing operations if the processing poses a high risk for the rights and freedoms of individuals. In this assessment, the nature, scope, context and purpose of the processing and the sources of the risk should be taken into account. In the GDPR, a systematic and extensive evaluation of personal aspects related to natural persons that is based on automated processing as well as processing of sensitive personal data on a large scale is mentioned as an example of high risk processing. If PIA shows a high risk, consultation with a supervisory authority is required.
- Review of current processing operations and assessment of processing situations where PIA may be required
9. Heavier penalties for non-compliance
Under the GDPR, the supervisory authorities are empowered to impose administrative fines on data controllers and processors for non-compliance with provisions of the GDPR. There will be two tiers of fines:
a) Max 10M EUR / 2% of total worldwide turnover, e.g. for a breach of obligations related to the implementation of organizational and technical measures to protect privacy; the use of data processors; data breach notifications; appointment and responsibilities of data protection officers.
b) 20M EUR / 4% of total worldwide turnover, e.g. for a breach of obligations related to fundamental data processing principles; the requirements for obtaining consent from data subjects; data subjects’ rights regarding access to information, the right to be forgotten, the right to restrict the use of data, data portability obligations and the right to object to automated data decision-making; the transfer of personal data to third countries; and non-compliance with an order from a supervisory authority.
Fines may be imposed instead of or in addition to other measures available for supervisory authorities. Such measures include warnings, reprimands, bans and suspensions. Any fines imposed by the supervisory authorities must be effective, proportionate and dissuasive. For example, the nature, gravity and duration of the violation, actions taken by the data controller to mitigate the damage, the degree of responsibility of the controller or processor and the type of personal data affected by the violation should be taken into account when imposing the fines.
Please feel free to contact our data protection & privacy specialists in case you have any questions about the GDPR.