Despite the European Commission’s original goal of lessening the compliance burden for businesses, by harmonizing EU privacy law, the GDPR expands obligations for both Controllers and Processors, creates new rights for individual data subjects, and allows Member States to enhance obligations in certain circumstances.
The GDPR not only applies to companies that are established in the EU, its reach is much broader, ensnaring companies outside the EU if they provide goods or services to EU data subjects or monitor their behavior (for example, through online tracking), regardless of where the data is processed or stored. Therefore, all companies with any EU interests must understand and anticipate their GDPR compliance obligations.
Because every business is different, there is no one-size-fits-all GDPR readiness strategy. Preparations may vary depending on such factors as the sector, type of data processed (e.g. sensitive data like health or biometric data, which are subject to enhanced requirements), and what policies, procedures and programs a company already has in place. The following checklist tied to key provisions of the GDPR can be used as a reference.
Data Mapping And Data Inventory
The GDPR requires businesses to be transparent and accountable for their handling of personal data, including by maintaining records of data processing activities. It is therefore essential that businesses have a solid understanding of the data lifecycle by conducting an inventory of and mapping all data holdings.
Data classification should be reviewed against the GDPR’s expanded definition of personal data, which can include location data and online identifiers.
Data mapping will help determine whether cross-border transfer mechanisms are required, or whether data should be stored in-country (for instance where data is subject to localization requirements, e.g., Russia or China).
Practical tip: At a minimum, assess the following:
- How your business obtains personal data
- The legal basis for the processing (e.g., consent; performance of a contract)
- With whom your business shares personal data and why
- How and where your business stores personal data (e.g., in-house systems; end users' devices; the cloud), and in which countries
- How your business secures personal data
- How long your business retains personal data
- To which non-EU countries your business transfers personal data and what, if any, transfer mechanism is required and used (e.g., model clauses, Privacy Shield)
On the basis of the inventory and data map, businesses should assess what privacy compliance measures are already in place and perform a gap analysis to identify the areas requiring changes to comply with the GDPR. This exercise requires cross-functional collaboration, with buy-in from stakeholders across all departments.
Practical tip: Given the breadth of the new requirements, it is essential to prioritize the GDPR’s requirements in light of the maturity of your business’s privacy program, the nature of your business and the types of data processing activities performed. For example, businesses in the midst of launching new products or technologies (e.g., involving the use of fingerprint and face recognition to access services) should conduct a Privacy Impact Assessment. Life science businesses processing large volumes of health data should be thinking about who to appoint as a Data Protection Officer. Setting priorities will also help businesses allocate appropriate resources for GDPR compliance.
Reviewing Privacy Notices
The GDPR calls for enhanced transparency in privacy notices, including explaining:
- The legal basis for processing the data
- Whether the data will be subject to automated decision-making, the logic used and consequences for individuals
- Data retention periods
- Transfer of data outside the EU
- Individuals’ rights, including to lodge a complaint with the Data Protection Authority (DPA)
Practical tip: Businesses should review their public-facing privacy policies, online forms or other notices and update them to ensure GDPR compliance.
As with the current framework, the GDPR requires that companies have a “legal basis” to process personal data. Examples of a legal basis include individual consent, necessity to perform a contract, or the “legitimate interest” of the Controller or a third party.
The GDPR significantly tightens the rules for obtaining consent. Consent must be “unambiguous,” which requires an affirmative indication by the data subjects that they agree to their personal data being processed. Silence, inactivity or pre-ticked boxes are invalid. For sensitive data and other processing activities (e.g., automated decision-making), consent must be “explicit” – while explicit consent is not defined in the GDPR, it will likely need to be affirmed in a clear statement (whether oral or written) rather than by any other positive action. Moreover, individuals must be able to withdraw consent as easily as they give it.
Practical tip: Where consent has previously been relied upon to justify processing activities, businesses will need to carefully assess whether existing consents meet the GDPR’s conditions and, if they do not, fresh consent will need to be obtained from individuals (unless another legal basis for processing can be established).
The GDPR significantly enhances the rights of individuals, including a strengthened right to erasure (“right to be forgotten”); restrictions on “automated decision-making” (e.g., automatic refusal of an online credit application) and profiling (e.g., using personal data to evaluate or predict a person’s health, economic condition, interests, location or other aspects); and a new right to “data portability” (the right to move one’s data to another service provider in a commonly used format).
The GDPR also makes it easier to claim damages resulting from infringement of the GDPR and expressly authorizes data subjects to mandate consumer groups to enforce rights on their behalf.
Practical tip: Businesses should review their internal processes, staff training and IT systems and make any necessary changes to satisfy these new individual rights.
Businesses that engage service providers to process personal data on their behalf (e.g., outsourcing payroll processing, assisting with marketing campaigns, or engaging a cloud service provider) may be familiar with the current requirement for Controller-Processor data processing agreements. The GDPR is much more prescriptive about the content of these clauses.
Moreover, the GDPR now requires Controller consent for sub-processing and requires Processors to contractually bind sub-processors to the Controller’s instructions in the Controller-Processor agreement. It also places direct legal obligations on Processors, including with respect to security measures, record-keeping obligations and cooperation with DPAs.
Practical tip: Vendor and sub-processing agreements extending beyond May 2018 should be reviewed for compliance with the GDPR’s new contractual requirements for third-party vendors. Businesses should also assess whether liability and indemnity terms associated with data protection and insurance policies are adequate in light of the GDPR’s additional requirements and potential for substantial fines.
Businesses should also keep watch for potential instances of “joint” controllership, which occurs when multiple businesses jointly determine purposes or means of the data processing (for example, in connection with the set-up of a common platform or in an intra-group context).
The GDPR includes several enhanced accountability requirements, including:
Data Protection Officer (DPO)
Controllers and Processors must appoint a DPO in specified circumstances (e.g., where they undertake large-scale, regular and systematic monitoring of individuals, such as in the context of monitoring geolocation or in connection with behavioral advertising, or large-scale processing of sensitive data). The DPO must be a staff member or an external service provider with expert knowledge of data protection law and practices, whose job will include monitoring internal compliance with the GDPR.
Practical tip: Unless it is obvious that designation of a DPO is not required, companies should document the internal analysis carried out to determine whether or not a DPO must be appointed. If you have already hired a DPO you should review the job functions of the position and compare them to the GDPR’s requirements (e.g., expertise and independence), and adapt the functions as warranted.
Privacy Impact Assessment (PIA)
In many EU Member States, conducting a PIA is a recommended good practice. The GDPR requires Controllers to conduct a PIA when the processing is “likely” to result in a “high risk” for individuals (e.g., large-scale processing of sensitive data or certain forms of automated decision-making). If the PIA indicates that the processing is high risk and that the risk cannot be mitigated, Controllers will need to consult the DPA prior to starting the processing.
Practical tip: Companies should identify products early in the development process that are likely to pose a high privacy risk and conduct a PIA. Developing a PIA questionnaire for use by project leaders and having it at the ready can facilitate meeting this requirement with minimal disruption to the product development team.
Privacy By Design; Privacy By Default
Controllers must implement appropriate security measures, such as pseudonymization, in order to integrate data protection principles into data processing activities (“Privacy by Design”). They must also ensure that, by default, only personal data that is necessary for each specific purpose is processed (“Privacy by Default”).
Practical tip: Businesses should ensure that their privacy programs, products and business processes address the GDPR’s Privacy by Design and Privacy by Default requirements.
In exchange for eliminating the current requirement in some Member States that businesses register their data processing activities with a DPA, the GDPR now requires businesses to keep detailed records of data processing. Records must be provided to DPAs upon request. The GDPR is prescriptive and lists minimum information to be included in these records.
Practical tip: Businesses should create and maintain records of their processing activities. Businesses could use information in their existing data protection notifications or registrations in Member States, if any, as a reference to fill in their GDPR records.
The GDPR requires Controllers to notify DPAs of certain “personal data breaches” within 72 hours after having become aware of the breach, unless they can show the risk to individuals is unlikely. Likewise, affected individuals must be notified without “undue delay” if the breach is likely to result in a “high risk” to their rights and freedoms. Processors are required to notify Controllers without undue delay after becoming aware of a breach.
Practical tip: Businesses should assess their internal policies and processes to ensure that appropriate procedures are in place to detect, investigate, report and document data breaches and to manage the fall-out from such reporting.
The GDPR introduces a new concept: the “lead DPA.” The lead DPA will supervise GDPR compliance and will coordinate enforcement actions with other DPAs for companies operating in several EU States. The lead DPA is determined by the place of a company’s “main” EU establishment, i.e., where decisions over the purposes and means of the data processing are made (for Controllers) or where the main processing activities are carried out (for Processors). Businesses may not “forum shop” by designating the lead DPA in the jurisdiction with requirements that are perceived to be more business friendly, and they will have to be able to provide DPAs with evidence of their main establishment.
Businesses with no establishment in the EU and nonetheless subject to the GDPR will not be able to designate a lead DPA. These businesses could potentially be subject to the jurisdiction of all Member State DPAs.
Practical tip: Businesses should try to identify their “main establishment” and lead DPA now. Consider in which jurisdiction your data processing decisions are taken or your main processing activities are carried out. If your business has particular organizational or operational links to a specific Member State, it makes sense to ensure that the main establishment and corresponding lead DPA for your business correspond to that State.
The GDPR, like the Privacy Directive, restricts data transfers to countries outside the EU that do not ensure an adequate level of data protection unless a valid transfer mechanism is used. The current transfer mechanisms (Privacy Shield, model clauses) remain broadly in place, with some changes. For example, the GDPR explicitly recognizes the use of Binding Corporate Rules as a means of legitimizing intra-group data transfers. Approved codes of conduct and certification mechanisms may also be used in the future.
Practical tip: Companies should pay close attention to the pending legal challenges to the EU-US Privacy Shield and model clauses, as well as to the impact of Brexit on EU-UK data transfers, and be ready to revise their strategy for cross-border transfers accordingly. Companies may also want to consider whether and to what extent they may eventually be able to utilize industry self-regulatory codes to accomplish these transfers in lieu of current mechanisms.
Conclusions
The GDPR’s enhanced harmonization of Member State data protection laws may theoretically make it easier for businesses with global operations to adopt a more uniform approach to data privacy and governance. The GDPR also presents an opportunity for businesses to strategically leverage data privacy compliance as a means to distinguish themselves from competitors.
At the same time, there will still be significant national variations in some areas, particularly regarding the processing of employee data. Businesses should keep track of Member State laws that modify or enhance the GDPR’s obligations and pay close attention to the existing and forthcoming DPAs’ guidance on key aspects of the GDPR.
Finally, by holding Controllers accountable for the noncompliance of their Processors and subjecting Processors to fines, the GDPR offers significant incentives for Processors to live up to their GDPR obligations or else lose business to competitors. We anticipate an uptick in DPA audits of Processors, through which DPAs can identify potential noncompliance of multiple Controllers, which will likely result in greater efficiency for the DPAs.
Goodwin’s Data, Privacy and Cybersecurity Practice is one of the longest-standing privacy practices of any global 50 firm and has been ranked among leading law firms for privacy and cybersecurity, including by Legal 500 and Chambers. It fully integrates and leverages the firm's core strengths, with the group's lawyers coming from the technology, financial institutions, licensing, litigation and regulatory practices. The team has handled hundreds of data breach investigations, litigated landmark privacy cases, and defended clients in investigations and enforcement actions brought by state attorneys general and federal data protection regulators. Goodwin provides clients practical advice on all aspects of information-related management, including the establishment of comprehensive privacy programs, audits, transactional due diligence and compliance with domestic and international privacy laws.
Federica De Santis, Associate