Globalisation and swift technological developments over the last decades have brought new challenges for the protection of personal data. Modern technologies allow both private and public entities to offer individuals a myriad of ways to distribute and use their personal data. The growing desire of individuals to make use of their personal data has led to widespread sharing of data to service providers in both the private and the public sector.
Better late than never: the outdated data protection framework based on the 1995 Data Protection Directive (95/46/EC), which sought to harmonize data protection across the European Union, was substantially reformed last year. The reform took the shape of a seemingly stronger and more coherent General Data Protection Regulation (EU 2016/679), casually known as the GDPR. The GDPR will apply EU-wide from 25 May 2018.
How should the GDPR be welcomed?
Should the GDPR be viewed solely as a burden for companies? Or does the regulation act mainly as a deterrent due to its gargantuan administrative fines? Or should the GDPR rather be viewed as a chance to level the playing field among competitors and a way to clarify and harmonize the way personal data is protected?
The GDPR has caused some polemic and positively apoplectic reactions among colleagues, has been the subject of many discussion panels and has hopefully at least been mentioned around the coffee table at your workplace.
The doomsday clock's countdown on the data protection ombudsman's website struck 211 days this morning, signifying the maximum number of days your company has left to become compliant with the GDPR.
For some this may seem like a lot of time, for others not so much. Regardless, you should use this time to get ahead of the game and turn your company's compliance into a selling point. Many focus only on the downside and settle for a light swan dive into the grim morass of the GDPR: 173 recitals and 99 articles filled to the brim with jargon and new definitions (e.g. pseudonymisation).
For example, the list of information to be provided to individuals about the processing of their personal data is quite extensive in the GDPR (articles 13 and 14), yet data controllers have to achieve what EU legislators have blatantly failed to do themselves and provide that information in a concise, transparent, intelligible and easily accessible form (article 12).
What is the upside, you ask?
Like many others, I first viewed the GDPR as a necessary evil to get all companies to, at last, comply with the data protection directive implemented in the last century. But I soon realized the silver lining: the GDPR should not be viewed merely as a means to force companies to deal with its obligations. The GDPR is in many ways a positive change that enables companies to track, manage and be aware of the personal data that flows through them. In addition, it provides a framework and an opportunity to create new internal processes and guidelines for managing and processing personal data. Finally, it creates the possibility for the company to build trust with the individuals whose personal data is in your hands, whether on a piece of paper or floating around in your company's internal bitstream.
How does it work in practice?
Take Lisa, for example, the proud owner of a newly established limited liability company. Lisa's company provides software as a service for consumers. In order to use her company's service, potential clients need to register as users by providing the company with a plethora of personal information necessary for the functioning of the service.
Lisa has recently become aware that the GDPR will be applicable to her company as well. What is Lisa to do next?
The following is an example of matters to consider before the GDPR starts to apply:
- Make sure that management and key people in your company are aware of the GDPR;
- Make sure you have a lawful basis for processing data as set out in article 6 of the GDPR;
- Adhere to the principles relating to the processing of personal data as set out in article 5 of the GDPR;
- Be aware of the rights of the data subject as set out in articles 12-22, 34 as well as 77, 79 and 82 of the GDPR, including how personal data is deleted (right to erasure, article 17) or provided electronically in a commonly used, machine-readable format (right to data portability, article 20);
- Make sure your company's internal processes are in order, especially relating to data protection by design and by default (article 25) and how data subject requests are handled within the given timelines (article 12: as a rule within one month of receipt);
- Be aware of the risks of the processing to the rights and freedoms of data subjects, i.e. be ready to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR (article 24);
- Be transparent to the individuals about the processing of their personal data and keep communications as concise, transparent, intelligible and easily accessible as possible (article 12);
- Make sure you have internal procedures in place to detect, report and investigate a personal data breach, and be aware of your notification obligations towards the data protection authority (article 33: without undue delay and, where feasible, within 72 hours of becoming aware of the breach) and towards the data subjects (article 34: where the breach is likely to result in a high risk to their rights and freedoms);
- Be ready to demonstrate compliance with the above-mentioned principles relating to the processing of personal data (accountability, article 5(2));
- Document what personal data your company holds, where it came from and who you share it with (records of processing activities, article 30);
- Review your current privacy notices and put a plan in place for making any necessary changes in time for the GDPR (articles 13 and 14);
- Review how you seek, record and manage consent and whether you need to make any changes to this process; renew existing consents if they do not meet the standard of the GDPR (articles 4(11) and 6-9);
- In case you have outsourced a part or all of your personal data processing, make sure you have a written agreement in place that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller (article 28);
- Consider whether your company is required to designate a data protection officer amongst other things to monitor compliance with the GDPR (article 37);
- Children merit special protection. Where you rely on consent to offer online services directly to children, you should start thinking about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent (article 8); and
- Assess whether your company needs to carry out a data protection impact assessment (article 35).
Once Lisa has assessed the above and checked all the boxes on the to-do list, the GDPR requires Lisa's company to keep up the excellent work. And if you have a soft spot for metaphors: the GDPR is like cleaning a house. The house needs continuous maintenance, and you may be reprimanded for the slightest visible speck of dust. Moreover, the cleaning operation may take more time and effort in a 400 sqm house than in a studio apartment. Accordingly, the necessary (technical and organisational) measures required by the GDPR may vary significantly from company to company. Please note that the size of the company alone is not sufficient to determine the need for data protection and data security measures, as it also depends significantly on the company's other activities; personal data protection and data security measures should be proportionate to the business of the company and the data to be protected.
Still suffering from a lack of motivation? Don't worry, the GDPR gives your company about 10-20 million reasons (in euros, or 2-4% of worldwide annual turnover, whichever is higher, under article 83) to familiarize yourself with your data protection risks. Moreover, you have 211 days to do so.
Regardless of the above, and depending on your situation, there is no need to be alarmed yet. The framework of the GDPR is set; however, the implementation of its intricate details into the day-to-day of a company is still somewhat vague, currently even for the legislator. For example, the EU's Article 29 Working Party, which includes representatives of the data protection authorities of each EU member state, has yet to produce supplementary guidance on the application of the GDPR on several topics. In addition, the government proposal for the new data protection act drafted by the so-called TATTI working group set up by the Finnish Ministry of Justice, which would supplement and clarify the GDPR and replace the Personal Data Act (1999/523), has still not been published.
As legislators and courts provide further guidance on the GDPR and its implementing provisions, we will continue to publish blog updates and offer guidance of our own. If you would like further details or help with your company's compliance, please let us know. In the meantime, don't lose hope, embrace the change and see this as an opportunity to get even more organized.