Whether it is the debate about the UK’s ‘Snooper’s Charter’, or news of a high-profile cyberattack, data privacy has rarely been out of the news in recent times. The introduction of the new EU General Data Protection Regulation (GDPR), the most significant overhaul of EU data protection regulations in recent years, has ensured that data privacy shall remain firmly in the spotlight.
The GDPR is set to become law in May 2018; however, a recent report suggests that few companies have actually made efforts to ensure compliance.
So what does the GDPR actually look like, and what steps should companies take to comply?
The letter of the law
The GDPR replaces the current EU Data Protection Directive 95/46/EC. As a Regulation, and unlike the old law, the new rules will be directly applicable in all EU member states. Key changes include:
- Accountability
Crucially, those caught will be required to show compliance, e.g. (i) maintain certain documents; (ii) carry out Privacy Impact Assessments; (iii) implement Privacy by Design and Default (in all activities), requiring a fair amount of upfront work.
- Data protection officers (DPOs)
In many circumstances, those caught by the GDPR will also need to appoint DPOs, and so thought will need to be given as to whether this applies and, if so, who that person or persons might be.
- Consent
New rules are also introduced relating to the collection of data, e.g., consent must be “explicit” for certain categories. Existing consents may therefore no longer be valid, and consents obtained should be purged going forward.
- Enhanced rights for individuals
New rights are introduced around (i) subject access; (ii) objecting to processing; (iii) data portability; and (iv) objecting to profiling, amongst others.
- Privacy policies
Fair processing notices now need to be more detailed, e.g., new information needs to be given about these new enhanced rights for individuals. Policies will therefore need updating.
- International transfers
Binding Corporate Rules for controllers and processors as a means of legitimising transfers are expressly recognised for the first time and so should be considered as a transfer mechanism.
- Breach notification
New rules requiring breach reporting within 72 hours (subject to conditions) are introduced, and so the processes in place (or not) will need to be revisited to accommodate these rules.
Who has to comply?
All organizations operating in the EU will be caught by the new rules. Importantly, organizations outside the EU, like US-based companies that target consumers in the EU, monitor EU citizens or offer goods or services to EU consumers (even if they do this for free), will also have to comply.
The GDPR also applies to “controllers” and “processors”. What this means, in summary, is that those currently subject to EU data protection laws will almost certainly be subject to the GDPR and processors (traditionally not subject) will also have significantly more legal liability under the GDPR than was the case under the prior Directive.
Importantly, businesses should not see Brexit as a ‘get out of jail free’ card, a means of avoiding compliance. As part of the ongoing discussion about what the post-Brexit regulatory regime may look like, it is generally accepted that after the UK leaves the EU, UK laws will nevertheless track the GDPR (e.g. via some form of implementing legislation or a new UK law which effectively mirrors the GDPR). In other words, even if you are purely a UK company, or you are outside the UK and targeting UK consumers only, you should not ignore these changes and should still look to comply.
What can businesses do to prepare?
To ensure compliance, companies need to ensure that they have robust policies, procedures and processes in place. With the risk of heavy fines under the GDPR, not to mention the reputational damage and potential loss of consumer confidence caused by non-compliance, nothing should be left to chance. In terms of key first steps, companies might consider prioritising the following as a minimum:
- Review privacy notices and policies
Ensure these are GDPR compliant. Do they provide for the new rights individuals have?
- Prepare/update the data security breach plan
To ensure the new rules can be met if needed.
- Audit your consents
Are you lawfully processing data? Will you be permitted to continue processing data under the GDPR?
- Set up an accountability framework
e.g., monitor processes and procedures, train staff.
- Appoint a DPO where required.
- Consider if you have new obligations as a processor
Is your contractual documentation adequate? Review contracts and consider what changes will be required.
- Audit your international transfers
Do you have a lawful basis to transfer data?
May 2018 is only getting closer, and to avoid potential financial and reputational damage, companies of all shapes and sizes should start thinking about what they can do to demonstrate compliance. Those who fail to prepare, as the saying goes, are preparing to fail.
Rafi Azim-Khan is head of data privacy, Europe, and Steven Farmer is a counsel at Pillsbury Law.