
General Data Protection Regulation: what you must do and know

2017-09-19


Raminta Stravinskaitė

On 25 May 2018, the General Data Protection Regulation (the ‘Regulation’) will enter into effect[i]. What must businesses do and know before it happens?

Inventory of personal data processed

First and foremost, businesses should take inventory of the personal data being processed. You should be able to clearly identify the personal data that you process, the source of the data, and to whom the data are transferred. The organisation or a particular area of business may call for an audit of personal data to answer the following questions:

  • What kind of personal data do you process or intend to process?
  • Who is in charge of processing the personal data at your company? What are their functions?
  • Where are your clients’ and employees’ personal data stored?
  • What does the movement of personal data look like: who receives the data and what means are used to transfer them?
  • Are internal rules and procedures prepared and/or updated to deal with matters of personal data processing?
  • And so on.

Rules regarding the processing of personal data

Any business that processes the personal data of its clients and employees must have its own rules regarding the processing of personal data. This is not a new requirement, but once the Regulation takes effect, existing rules will need to be revised in line with the Regulation.

Submission of information

It is old news that when a company has its own website and/or mobile application that collects personal data, it must publish its own privacy policy. The only thing that will change is that once the Regulation becomes binding, visitors to the website and/or users of the application and the rest of the data subjects will have many more rights.

The Regulation establishes rights such as the right to data portability (the data subject should also be allowed to receive personal data concerning him or her which she or he has provided to the company in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller), or the right to be forgotten. The content of these rights and the possibility to exercise them will also have to be covered in your privacy policy.

Importantly, the above-mentioned information has to be provided in a concise, visible, understandable, and legible manner.

Data protection officer

The Regulation will introduce a new term: that of the data protection officer. You should designate a data protection officer in your organisation, if necessary, or engage an external person to be responsible for compliance with the data protection requirements, and evaluate the status of this function in the organisation.

A data protection officer will have to be appointed if:

  • You are processing data as a public authority or body, except for courts acting in their judicial capacity;
  • Your core activities consist of processing operations which, by their nature, scope, and/or purposes, require regular and systematic large-scale monitoring of data subjects;
  • The core activities of the controller or data processor consist of large-scale processing of special categories of data.

You should decide yourself, or with help from specialists in this field, whether you should designate a data protection officer and, if so, evaluate whether your actions in processing personal data will conform to the requirements of the Regulation.

Data protection impact assessment

The general obligation to notify the processing of personal data to the supervisory authorities, as provided in Directive 95/46/EC (to be replaced by the Regulation), did not in all cases contribute to improving the protection of personal data. With this in mind, mandatory registration with the State Data Protection Inspectorate will be replaced by more efficient procedures and mechanisms.

The State Data Protection Inspectorate has published an announcement on its website that by 30 April 2018 it will establish and make public a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment. Once the list is available, any business processing the personal data of its clients will need to check whether it is among the subjects bound to make this kind of impact assessment. It is considered that such types of data processing may be those which, in particular, involve using new technologies, or are of a new kind where no data protection impact assessment has been carried out before by the controller, or where an assessment becomes necessary in the light of the time that has elapsed since the initial processing.

Notification of personal data breach

Businesses will have the duty to notify the State Data Protection Inspectorate on threats to personal data security; therefore, you have to make sure you have the right procedures in place to detect, report, and investigate breaches in personal data security.

Businesses should notify a personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours from the moment the personal data security breach was detected, unless they are able to show that the breach should not endanger the rights and freedoms of private persons.

The State Data Protection Inspectorate has issued a notice that major organisations will need to develop a set of rules and procedures for managing personal data security breaches. It has also been noted that failing to report a breach when reporting is required may entail a monetary fine.

Focus on the protection of children’s personal data

The Regulation identifies children as a group of particularly sensitive subjects of personal data. It is the first time that the law of the European Union regulates processing the personal data of a minor under 16 years of age. When a child is under 16, processing their data becomes legitimate only by consent or permission from the holder of parental responsibility over the child and to the extent specified in the consent or permission. Upon reaching adulthood, a person will have a right to revoke the consent and demand that the data be destroyed.

There is a prevalent opinion that children’s personal data should be processed only exceptionally, as they may be less aware of the risks, consequences, and safeguards concerned and of their rights in relation to the processing of personal data.

Specific protection should, in particular, apply to the use of children’s personal data for the purposes of marketing or creating personality or user profiles, and to the collection of personal data regarding children when they use services offered directly to a child. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such clear and plain language that a child can easily understand it.

Consent for every purpose of data processing

There is an additional requirement that when the processing has multiple purposes, consent should be given for all of them. Like before, silence, pre-checked boxes, or inactivity should not constitute consent.

If consent does not satisfy the terms and conditions of the Regulation, the mechanism for obtaining consent needs to be reviewed, or an alternative legal basis to process personal data found.

We recommend reviewing the way you ask for, obtain, and record a data subject’s consent, and evaluating whether any changes to the way consent is obtained need to be made: for instance, whether you are collecting excessive personal data, whether you are obtaining early consents from your clients regarding direct marketing arrangements, whether you are publishing information on video surveillance correctly, and so on.

Requirements for the data processor

Data controllers should use only data processors that provide sufficient guarantees, in particular in terms of expert knowledge, reliability, and the resources necessary to implement technical and organisational measures which will meet the requirements of the Regulation.

The data processing performed by the data processor should be governed by an agreement or another legal act under the law of the EU or a Member State establishing the data processor’s obligations towards the data controller, the subject-matter and duration of the processing, the nature and purposes of the processing, and the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject.

The Regulation provides that contractual liability should be shared both by the controller and the processor of personal data, which makes it crucial to have professionally drawn personal data processing agreements.

The international element

If your business works on an international scale, you should decide on the data protection supervisory body you will cooperate with.

The Regulation sets forth a set of measures to help you decide which data protection supervisory body has the competence to act as the lead supervisory body for the purposes of investigating an international complaint, for instance when data processing has or could have a major impact on data subjects in more than one EU Member State.

The territorial scope of the Regulation is extended

The processing of personal data of data subjects who are in the European Union by a controller or a processor not established in the European Union should also be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects, irrespective of whether a payment is required. The same rule, moreover, applies to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place in the European Union.

Failure to comply with the Regulation will result in a variety of sanctions, including administrative penalties; therefore, we encourage businesses to make haste and evaluate the impact of the Regulation and identify potentially problematic areas.

It is said that sanctions will be based on the nature, gravity, and duration of the infringement; intentional character of the infringement; actions taken to mitigate damages suffered; the degree of responsibility or any relevant previous infringements; the manner in which the infringement became known to the supervisory authority; compliance with measures ordered against the controller or processor; adherence to a code of conduct and any other aggravating or mitigating factor.

[i] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.


By Raminta Stravinskaitė, lawyer of the law firm GLIMSTEDT and representative of the International Technology Law Association (ITechLaw) for Lithuania and the Baltic region

