The GDPR in a nutshell: 10 things you have to be aware of

nutshell.png

By Edwin Jacobs (Time.lex)

1. The GDPR’s information governance requirements

Companies will have to be able to show that they are data protection compliant, e.g. through maintaining written policies and regularly conducting compliance audits (“accountability principe”). For example, firms will have to show that they are implementing data protection by design in the process of developing new products and are minimizing the amount of personal data involved, i.e. by default only using the personal data needed for the processing at issue.

2. The need to adapt existing privacy policies and notices to the GDPR

Several aspects of existing privacy policies will have to be altered in order to be compliant with the GDPR, such as the provisions relating to explicit and seperate consent, the provision of information to the data subject, the provisions dealing with requests from data subjects, etc.

3. The obligation to maintain a register of processing activities

The obligation to notify new processings to the privacy commission will be replaced by the obligation to maintain a register of processing activities for companies with 250+ employees or in cases where a processing is not incidental (e.g. processing medical info of employees).

4. The need to adapt the contracts with processors

Contracts with processors (e.g. external data centers, HR firms, IT providers) will have to contain different or additional provisions in order to be compliant. For example, in a project where the firm who is the data controller is sub-contracting certain tasks to a firm who will act as a data processor, the principles of data protection by design and default should also be enshrined in the contractual arrangements with the processor, equally obliging the latter to have privacy be built in and options for lessened protection made available only as an opt-out.

5. The requirements concerning data transfers outside the EU

The GDPR has an explicit reach outside the EU, eqaully being aimed at undertakings established outside the EU borders whose processing activities relate to the offering of goods or services in the EU or whose acitivities consist of monitoring the behaviour EU data subjects (when the subjects are within the EU). In general, undertakings with establishments outside the EU and/or potentially using service providers established outside the EU will have to carefully consider whether their data transfers are legal or not, given the new and stringent sanctions introduced by the GDPR (see point 10). Transfers are possible based on consent, on the basis of an adequacy decision by the European Commission on the level of data protection in the third country concerned (for the US currenty the Privacy Shield), on the basis of standard contractual clauses, or through Binding Corporate Rules (BCR’s) within a group of undertakings.

6. The need to invest in security and procedures for dealing with incidents

Security incidents are a real threat and the GDPR addresses this reality. In many provisions security and organizational measures to that extent are mentioned as a means of addressing privacy risks. Noteably, the GDPR forsees a strenghtened role for technical security measures, e.g. encryption. Should a signficant data breach nonetheless occur (there is a certain de minimis threshold), companies are obliged to notify the competent authority (normally within 72 hours), even if the breach occurs at the level of the (third party) processor. The notification obligation should be inserted in the processor contracts.

7. The obligation to educate and appoint a Data Protection Officer (DPO)

Companies whose core activities consist of regular and systematic monitoring of data subjects or who process sensitive information on a large scale will have to appoint a Data Protection Officer. Even when a DPO is not obligatory, it can in many cases be recommended as a best practice, which can have reputational value for the company. The DPO has to be an identifiable but in practice an undertaking can decide to have several departments or key people contribute to the DPO’s tasks.

8. The obligation to conduct privacy impact assessments (PIA’s)

For any planned processing of personal data that is likely to result in a high risk to the rights and freedoms of natural persons, the controller will have to carry out a privacy impact assessement (PIA) before being allowed to continue. This will in particular be the case when a company intends to undertake large scale processings of sensitive data, the systematic monitoring of a publicly acessible area or a systematic and extensive automated evaluation of personal aspects relating to natural persons, used for making decisions that produce legal effects (e.g. profiling).

9. The one-stop-shop mechanism

An undertaking with several establishments in the EU can designate one national data protection authority as the competent authority for its activities in its BCR’s. Outside of the BCR context the lead authority for cross-border processings will be the authority of the Member State of the main establishment.

10. The GDPR’s strengthened enforcement mechanisms

The GDPR includes high fines (depending on the situation up to EUR 20 million or 4% of the annual global turnover, whichever is the highest) and generally aims to enhance the enforcement by national data protection authorities. Stricter enforcement is to be expected. Moreover, the EU’s national data protection authorities will be able to impose fines themselves, i.e. without, as currently is the situation in many EU countries, having to go through a court. This is expected to speed up the enforcement process, making it more effective and consequently making the GPDR’s regime (even more) dissuasive for those who have been disregardering personal data protection concerns.

About the author

Edwin Jacobs is a member of the Brussels bar and partner at time.lex, former affiliated researcher at the Interdisciplinary Centre for Law and ICT (now Centre for IT & IP law, CITIP) at the University of Leuven, and lecturer of a practical course in negotiation and mediation at the University of Antwerp. Time.lex is a law firm specialized in technology, intellectual property, media and e-business