The requirements imposed by the General Data Protection Regulation 2016/679("GDPR") entail extensive work for undertakings processing personal data under the threat of heavy administrative sanctions (up to 4% of worldwide annual turnover or EUR 20,000,000, whichever is higher). This concerns data controllers (i.e. legal or natural persons who determine the purposes and the means of the processing) as well as data processors (i.e. legal or natural persons who process the data on behalf of the controller and upon his instructions). It also involves a profound change in the approach to personal data processing within businesses. For the accountability duty towards the authorities that will be of paramount importance to all concerned, this will affect their corporate internal organisation - starting next year on 25 May 2018.
The accountability principle means that the controller must comply with the GDPR. It also means that it must be able, at any time, to demonstrate such compliance to the competent authorities and notably to prove that all personal data it processes is under control, mapped, secured, lawfully transferred and only used for determined purposes in accordance with the GDPR.
Even though the prior filing of formalities with the Commission Nationale pour la Protection des Données ("CNPD") will be abandoned under the GDPR, controllers will have to meticulously document and monitor their data processing-related activities, notably by conducting impact assessments, i.e. in-depth analysis of the processing, where required. The management of the processing must be internalised rather than declared to the CNPD. Under the GDPR, these obligations will also, to a certain extent, be incumbent on data processors with respect to the data that they process on behalf of a controller under a servicing agreement. Until the GDPR applies, only the controllers are responsible for complying with the data protection law.
Given the extent of the task incumbent on controllers and processors, which starts with the identification of (i) the type of personal data that is processed, (ii) the data subjects, (iii) the legal grounds, (iv) the purposes of the processing, (v) the recipients of the data transfers and the guarantees for the data subjects, (vi) the retention period, (vii) the security applied, etc., it is essential to start planning the roadmap today in order to be prepared for and compliant with the GDPR when it becomes effective.
As a starting point, and on the basis of the formalities already filed with the CNPD (if any) controllers and processors should create an inventory of all personal data collected and processed and identify the purposes of that processing (bottom-up approach). If the personal data processed cannot be precisely identified, another approach would be to rely on the list of purposes published by the CNPD available on its website . Indeed, controllers and processors will have to keep a specific register of all their data processing activities stating detailed information, except in very limited situations (i.e. where (i) the undertaking employs fewer than 250 employees, (ii) the processing is occasional, (iii) the processing is not likely to result in a risk to the rights and freedoms of data subjects, (iv) the processing does not include special categories of data). The controllers and processors who are exempt from keeping such a register will, however, still be accountable towards the competent authorities for complying with the GDPR. They may therefore keep a register of their data processing activities on a voluntary basis.
Controllers and processors will under certain conditions (e.g. where the core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or consist in the processing of special categories of data on a large scale) have to designate a Data Protection Officer ("DPO"). Any company that qualifies as a "controller" or "processor" is allowed to designate a DPO on a voluntary basis. Undertakings may wish to consider the possibility of designating a DPO as of today to ensure an efficient and smooth transition to the GDPR regime. The guidelines of Article 29 Data Protection Working Group Party on DPOs adopted on 13 December 2016 (WP 243) give valuable and practical direction.
The changes introduced by the GDPR embrace the idea that businesses relying on and processing personal data will have to consider the processing of such data as an integral part of their business strategy. Businesses will thus be well advised to continue and reinforce their ongoing efforts in terms of compliance with data protection regulations and in particular with the forthcoming application of the GDPR and to take appropriate legal and technical advice in that respect.