On 25 May 2018, the General Data Protection Regulation (the ‘Regulation’) will enter into effect[i]. What must businesses do and know before it happens?
Inventory of personal data processed
First and foremost, businesses should take inventory of the personal data being processed. You should be able to clearly identify the personal data that you process, the source of the data, and to whom the data are transferred. The organisation or a particular area of business may call for an audit of personal data to answer the following questions:
Rules regarding the processing of personal data
Any business that processes the personal data of its clients and employees must have rules in place regarding the processing of personal data. This is not a new requirement, but once the Regulation takes effect, existing rules will need to be revised in line with the Regulation.
Submission of information
Importantly, the above-mentioned information has to be provided in a concise, visible, understandable, and legible manner.
Data protection officer
The Regulation will introduce a new term: that of the data protection officer. You should designate a data protection officer in your organisation, if necessary, or engage an external person to be responsible for compliance with the data protection requirements, and evaluate the status of this function in the organisation.
A data protection officer will have to be appointed if:
You should decide yourself, or with help from specialists in this field, whether you should designate a data protection officer and, if so, evaluate whether your actions in processing personal data will conform to the requirements of the Regulation.
Data protection impact assessment
The general obligation to notify the processing of personal data to the supervisory authorities, as provided in Directive 95/46/EC (to be replaced by the Regulation), did not in all cases contribute to improving the protection of personal data. With this in mind, mandatory registration with the State Data Protection Inspectorate will be replaced by more efficient procedures and mechanisms.
The State Data Protection Inspectorate has published an announcement on its website that by 30 April 2018 it will establish and make public a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment. Once the list is available, any business processing the personal data of its clients will need to check whether it is listed as a subject bound to carry out this kind of impact assessment. It is considered that such types of data processing may be those which, in particular, involve using new technologies, or are of a new kind where no data protection impact assessment has been carried out before by the controller, or where an assessment becomes necessary in the light of the time that has elapsed since the initial processing.
Notification of personal data breach
Businesses will have the duty to notify the State Data Protection Inspectorate on threats to personal data security; therefore, you have to make sure you have the right procedures in place to detect, report, and investigate breaches in personal data security.
Businesses should notify the personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours from the moment the personal data security breach was detected, unless they are able to show that the breach should not endanger the rights and freedoms of private persons.
The State Data Protection Inspectorate has issued a notice that major organisations will need to develop a set of rules and procedures for managing personal data security breaches. It has also been noted that failure to report a breach when reporting is required may result in a monetary fine.
Focus on the protection of children’s personal data
The Regulation identifies children as a group of particularly sensitive subjects of personal data. It is the first time that the law of the European Union regulates the processing of the personal data of a minor under 16 years of age. When a child is under 16, processing their data becomes legitimate only by consent or permission from the holder of parental responsibility over the child, and only to the extent specified in the consent or permission. Upon reaching adulthood, a person will have the right to revoke the consent and demand that the data be destroyed.
There is a prevalent opinion that children’s personal data should be processed with particular care, as children may be less aware of the risks, consequences and safeguards concerned, and of their rights in relation to the processing of personal data.
Specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles, and to the collection of personal data with regard to children when using services offered directly to a child. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such clear and plain language that a child can easily understand it.
Consent for every purpose of data processing
There is an additional requirement that when the processing has multiple purposes, consent should be given for all of them. As before, silence, pre-checked boxes, or inactivity should not constitute consent.
If consent does not satisfy the terms and conditions of the Regulation, the mechanism for obtaining consent needs to be reviewed, or an alternative legal basis to process personal data found.
We recommend reviewing the way you ask for, obtain, and record a data subject’s consent, and evaluating whether any changes relevant to obtaining consent need to be made: for instance, whether you are collecting excessive personal data, whether you are obtaining consent from your clients in advance regarding direct marketing arrangements, whether you are publishing information on video surveillance correctly, and so on.
Requirements for the data processor
Data controllers should use only data processors that provide sufficient guarantees, in particular in terms of the expert knowledge, reliability and resources necessary to implement technical and organisational measures which will meet the requirements of the Regulation.
The data processing performed by the data processor should be governed by an agreement or another legal act under the law of the EU or a Member State establishing the data processor’s obligations towards the data controller, the subject-matter and duration of the processing, the nature and purposes of the processing, and the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject.
The Regulation provides that contractual liability should be shared both by the controller and the processor of personal data, which makes it crucial to have professionally drawn personal data processing agreements.
The international element
If your business works on an international scale, you should decide on the data protection supervisory body you will cooperate with.
The Regulation sets forth a set of measures to help you decide which data protection supervisory body has the competence to act as the lead supervisory body for the purposes of investigating an international complaint, for instance, when data processing has or could have a major impact on data subjects in more than one EU Member State.
The territorial scope of the Regulation is extended
The processing of personal data of data subjects who are in the European Union by a controller or a processor not established in the European Union should also be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects, irrespective of whether a payment is required. The same rule, moreover, applies to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place in the European Union.
Failure to comply with the Regulation will result in a variety of sanctions, including administrative penalties; therefore, we encourage businesses to make haste and evaluate the impact of the Regulation and identify potentially problematic areas.
It is said that sanctions will be based on the nature, gravity, and duration of the infringement; the intentional character of the infringement; actions taken to mitigate the damage suffered; the degree of responsibility and any relevant previous infringements; the manner in which the infringement became known to the supervisory authority; compliance with measures ordered against the controller or processor; adherence to a code of conduct; and any other aggravating or mitigating factor.
[i] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
By Raminta Stravinskaitė, lawyer of the law firm GLIMSTEDT and representative of the International Technology Law Association (ITechLaw) for Lithuania and the Baltic region