GDPR N°2 - New Data Protection Obligations

Following the adoption of the new EU General Data Protection Regulation (GDPR) on 27 April 2016, most organisations began to re-examine their internal processes and procedures in order to ensure compliance with the new requirements before its entry into force in May 2018.

To assist you in this task, we have identified 10 hot topics which should be handled in priority. We propose to present each of these points of attention separately in a newsflash to be published every two weeks, where we will provide you with practical hints to prepare efficiently.

In this issue, we will detail the obligation of accountability which is now establishing itself as the new paradigm and leads to a new form of data governance following new principles such as data protection by design and data protection by default, which will be exposed in our next Newsflash.

In article 24, the GDPR introduces a new accountability principle which completes the list of data protection principles already set out under the Directive 95/46/CE and which currently require companies to perform a lawful, fair, proportional, transparent and with a limited purpose, processing of their personal data.

What is accountability?

“Accountability” essentially means two things: reporting and being able to justify compliance with the GDPR. In other words, organisations will be required to adopt technical and organisational measures to demonstrate their actual compliance with the provisions of the GDPR.

Accountability thus implies for the data controller and data processor, not only the obligation to comply with the applicable rules, but also the obligation to demonstrate to both the data protection authorities and the data subjects how such compliance is ensured.

How do I comply with this requirement?

Under the current legislative framework, compliance could, in most cases, be evidenced by the completion of data protection formalities, such as prior notifications or authorisation requests before data protection authorities.

The GDPR no longer requires the completion of most of these administrative formalities, which shall be replaced by a requirement to implement a series of actions and measures to ensure data governance.

Among those actions, the GDPR creates an obligation (except for companies employing fewer than 250 employees unless the processing it carries out is likely to result in a risk to the rights and freedom of data subjects, its processing is not occasional or concerns special categories of data related to criminal convictions and offences) to maintain records of data processing activities (i.e. the type of data processed, the purposes for which it is used, the recipients of such data, the data subject’s rights, the general technical and organisational measures taken, etc).

The new accountability principle therefore creates a shift from a paper based compliance to an actual demonstrated compliance and requires a proactive, systematic and answerable approach to the processing of data through the implementation of appropriate measures.

Article 22 of the draft GDPR, as proposed by the European Commission on 25 January 2012, suggested the implementation of the following procedures - which gives us an indication of what is expected from businesses - to ensure the company’s compliance with data protection legislation: (a) draft and keep up-to-date records of data processing activities, (b) implement appropriate technical and organisational measures to ensure the security of processing (pseudonymisation and encryption, ability to quickly restore the availability of systems, etc.), (c) perform a data protection impact assessment when deemed necessary, (d) requirement for prior authorisation / consultation of the supervisory authority, (e) appoint a data protection officer if necessary (DPO). The adoption of a code of conduct outlining the organisation’s best data protection practices, or Binding Corporate Rules (BCRs) to govern cross-border data transfers between entities of a group of companies, is also recommended.

Additionally, a company should provide data subjects with information regarding the processing of their personal data.

As always, the burden of proof and liability lies with the companies processing the data.

To what extent should my organisation implement such measures?

Risk-based approach.- Although the so-called “risk-based approach” is not a new concept, it has been introduced by the GDPR as a core element of the accountability principle.

The idea is to adapt the level of data protection obligations, and the measures taken accordingly, to the risks presented by the data processing activities performed by the company. A strong risk-based approach can help to promote responsible data use based on risk management.

Organisations must be able to demonstrate their compliance with the GDPR through the implementation of appropriate technical and organisational measures the nature and extent of which must be determined by taking into account the nature, scope, context and purpose of processing as well as the risks of varying likelihood and severity for the rights and freedom of natural persons. Proportionality is key in determining adequate measures to be taken and it is important to bear in mind that risk must be assessed in an objective manner.

Central to this approach are the concepts of privacy by design and privacy by default which will be discussed in our Newsflash n°3 and which oblige businesses to consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing and to take appropriate technical and organisational measures accordingly.

For there is no such thing as a riskless data processing activity, the GDPR provisions only focus on two levels of risk: risk and high risk. Companies that engage in low risk processing activities, or that adequately address risk, may be exempted from the requirements to notify a data protection authority of a data breach. To the same extent, a foreign data controller which conducts processing representing a reduced risk, may be relieved from the requirement to appoint a representative in the EU.

On the contrary, the GDPR imposes heightened requirements for data processing activities that pose a high risk to individuals. In specific, before engaging in such an activity, an organization may be required to consult with a data protection authority and conduct a detailed privacy impact assessment which will be detailed in our next issue. In the event of a data breach, a company may be required to notify potentially affected individuals.

The purpose of a risk-based approach is not to eliminate all risk, but rather to evaluate its level and use appropriate mitigation techniques to control and minimize potential impacts.

Implementation of a privacy management program

Organisations will, from now on, have to assess which measures are most likely to mitigate the risk of physical, material or non-material damage that could result from any particular data processing. Examples of such damage may be discrimination, identity theft, fraud, reputational damage, loss of data confidentiality, unauthorized reversal of pseudonymisation, or any other significant economic or social disadvantages.

Project management.- Designing and implementing an effective compliance programme will necessitate a privacy by design approach to addressing privacy and data security risks when developing your solutions.

Your organisation will need to follow 4 steps to successfully achieve GDPR compliance: (i) analyse where your organisation stands in terms of data protection by means of auditing existing data processing activities, (ii) identify the shortfalls, (iii) prioritise the changes based on the risk-based approach, and (iv) implement identified measures.

The check-list on page 1 of this Newsflash is a representative sample of solutions, procedures, and policies that may be relevant to your company in developing and implementing an effective data protection compliance programme.

Anticipate obstacles.- Part of an efficient project planning is the ability of the project manager to anticipate the obstacles which will most likely be encountered. Organisations will most definitely need to elevate their internal privacy governance awareness.

To help you in this task, we would like to draw your attention to the following aspects, which in our view, will present the most difficulties:

  • determining appropriate measures (to this extent, further guidance from DPAs is needed);
  • assigning roles and responsibility for data protection compliance to the project manager (e.g. appointment of a DPO as the case may be) and the persons from each relevant department which will need to collaborate internally to the project (e.g. (IT, HR, etc.) ;
  • assigning a budget for data protection compliance;