GDPR & Personal Data : What are you doing over the next few months ?

Because companies do not yet appear to be fully prepared to adopt the new European regulation on the protection of personal data, we offer here a check–list of changes to anticipate, to help ensure that your data processing will comply with these new requirements. Combining as they do both legal and technical considerations, personal data come within the scope of those responsible for a company's intellectual property.

The French government has just made public the bill amending the “digital privacy” act (French Law 78–17 of January 6, 1978 relative to Data Processing, Files and Individual Rights) to incorporate the forthcoming European General Data Protection Regulation (Regulation 2016/679, abbreviated GDPR). It is anticipated that the bill will be adopted before the Regulation takes effect.

According to a survey in April 2017, only 19% of surveyed businesses said they would be in compliance with this Regulation by its effective date of May 25, 2018; 33% would not be in compliance at all, and 44% in less than full compliance.¹

The statute replaces the regime established by Directive 95/46/EC of 1995 and is intended to establish a unified set of regulations for personal data in the European Union.

We should immediately point out that “data processing” is defined very broadly and covers virtually any operation to do with personal data, from its collection to its destruction.

The Regulation may not upset the general principles relating to procedures for collecting and processing personal data that we are familiar with (e.g., the legal bases of permissible data processing, obtaining consent, or time limits on retaining personal data); but is does make a number of changes in favor of individuals and consequently, creates new obligations for all natural persons, legal entities, public authorities, public services and all organizations that might collect personal data.²

The Regulation applies to data processing managers and to outsourcing firms.

One of the contributions of the Regulation is to define the concepts of data manager or administrator (which it terms “data controller”) and subcontractor (“processor”), as follows.

• The data controller determines the purposes and means of processing, and
• A processor processes the personal data on behalf of the data controller.

The Regulation also specifies the obligations of the outsourcer, in particular as regards data security, confidentiality and assisting the data controller with impact analyses, notifications to the supervisory authorities, and communications with the individuals affected by any data breach.

In practical terms, this clarification makes it necessary to spell out the obligations of each party in contracts that involve processing personal data.

Note that the French supervisory authority, commission on data processing and individual rights (Commission Nationale Informatique et Libertés, or CNIL) recently published guidelines for processors.

Extensive scope

The Regulation therefore applies to all natural or legal persons, public authorities, public services or agencies (in particular, businesses and public bodies) of the European Union which deal with personal data.

It also applies whenever data concerning a citizen of the Union are processed. Thus businesses and organizations outside of the European Union will also be subject to the Regulation’s requirements if they process the personal data of European citizens.

The Regulation specifies how to obtain consent from individuals to see their data.

These details concern both form (such as explicitness, understandability, clarity and simplicity, and keeping other matters separate if the consent is included in another document) and content (the consent must be obtained for purposes of a specific processing need.)

Furthermore, consent may be withdrawn at any time, which places an obligation on data controllers, as for example when the consent is given online, to provide ways for the consent to actually be withdrawn and the data to be electronically deleted.

It adds further protections of citizens and their data

The Regulation confirms certain rights: an individual’s right to have access to his or her personal data, the so–called "right to be forgotten" (i.e., the right to have one's data erased), the right to have personal data corrected, and the right to complete the data if incomplete.

It also contains specific provisions concerning the individual's right to information about how the data will be processed. (Such information must be concise, transparent, comprehensible and easily accessible in clear and simple terms, in particular with respect to information intended for children, and free of charge, with exception made for unfounded or excessive requests for information.)

Something new: The Regulation establishes a right to data portability. So long as an individual's data have been collected with his or her consent and the processing was automated, the individual may demand that the data controller transfer his or her data to another data controller.

One exception, though: This right to portability does not affect data processed for a public service or governmental function.

• The data controller has added responsibilities

This is one of the most notable changes in the new regulation. The regime of declaration prior to processing will be replaced by an obligation to implement technical and organizational measures to ensure and demonstrate the systematic compliance of the data processing with the Regulation, with the understanding that that the supervisory authorities (the CNIL in France) will be responsible for checking that all of these obligations are being met.

• Privacy by design and privacy by default

Once there is a plan to process personal data and the means of processing have been determined, the data controller must establish appropriate technical and organizational measures (such as pseudonymization³) to ensure the data are protected effectively.

Furthermore, by default, only data necessary for a specific purpose may be processed. This requirement applies to the quantity of data, the scope of the processing, the retention time and the accessibility of data.

• Obligation to keep a processing record

Keeping a record of processing activities is mandatory for businesses and organizations except those with fewer than 250 employees (unless if the latter’s data–processing carries risks, is not occasional or includes personal data that is sensitive or concerns convictions and violations of law.)

This record will be made available to the supervisory authority in the event of an audit. It shall contain the following information:

• Name and contact information of the data controller
• Purpose of the processing
• Description of the categories of persons concerned and of the categories of data processed
• Categories of users of the data
• Transfers to non–EU countries
• And, to the extent possible, the schedule of data erasures and a description of the security measures in place.

• Perform an Impact Analysis

The data controller must make an impact analysis before processing data if such processing presents a high risk to the rights and freedoms of the subjects, particularly in cases where “new technologies” are used.

Such an analysis will be especially called for in cases of:

• The systematic, thorough evaluation of personal aspects by automated processing and if the evaluation has legal consequences or significantly affects the individual
• Large–scale processing of sensitive data and data relating to criminal convictions or offenses and
• Large–scale surveillance of a publicly accessible area.

Broadly speaking, an impact analysis lists all the risks associated with the processing of personal data and the measures taken by the data controller to minimize those risks.

The guidelines give various examples of high–risk situations: assessments (such as of work, health or behavior), automatic decisions, handling sensitive data, high volumes of data, merging data sets, etc.

• Appoint a Data Protection Officer

The Regulation establishes the position of Data Processing Officer (DPO), who must be involved in any question relating to the protection of personal data and in particular must provide information and advice to the data controller or the outsourcer, monitor the application of the Regulation and cooperate with the supervisory authority.

Appointing a DPO will be mandatory:

• for the public authorities or public bodies (except juridical ones),
• if the core activities of the data controller or outsourcer require the large–scale, regular, systematic monitoring of individuals or consist of the large–scale processing of special categories of sensitive data (such as racial or ethnic origin, health data, political opinions and union membership) and/or data related to criminal convictions and offenses.

In other cases, the Member States may make it mandatory to appoint a DPO.

Note that the DPO is person and not a department and that he or she will have a particular status in the business or organization in terms of confidentiality, protection in the performance of his or her duties and so forth.

• Inform the supervisory authority and the persons concerned in case of breaches of personal data

In the event of a breach of security, the Regulation creates an obligation for the data controller

• to so notify the supervisory authority (the CNIL) as soon as possible and no later than 72 hours after the breach becomes known and
• to communicate in a timely manner with the individuals concerned if the breach creates a high risk for them.

The transfer of personal data to non–EU countries is restricted

Personal data may not be transferred outside the EU unless:

• The Commission rules that the non–member country provides adequate protection of personal data and that individuals have enforceable rights and effective remedies (e.g., the Privacy Shield agreement between the European Union and the USA)
• The data controller or the processor has provided suitable safeguards, including in the case of group of companies, agreements as to the protection and transfer of data (referred to in the Regulation as “binding corporate rules”)
• Or under certain conditions, such as that the individual has given his or her consent to the transfer after being informed of the risks, or the transfer is necessary to perform a contract or to make a legal case in court.

What sanctions are there?

Note first that the Regulation gives the supervisory authorities⁴ investigative powers and the authority to order corrective measures (e.g., a warning, order, limitation of processing or suspension of data flows).

The supervisory authorities then have the power to impose administrative fines, depending on which provisions of the Regulation were violated:

• Up to €10 million or (for businesses) 2% of yearly global revenues and
• Up to €20 million or (for businesses) 4% of yearly global revenues

In addition, an individual who has suffered harm may be compensated for it. Class actions may also be brought, depending on the laws of the nation.⁵

As a practical matter, this new set of regulations calls for reviewing the approach taken by businesses (and anyone else) to personal data and to re–examine their practices of collecting and processing personal data and all processes that may affect personal data.

This exercise needs to involve all parts of the company concerned, especially including the legal department, IS, human resources, the sales and customer relations departments, and everyone with legal and technical qualifications.

Naturally, we remain at your disposal for advice and any additional information you may need.

¹ BAROMÈTRE RGPD “La maturité des entreprises Françaises face au règlement général sur la protection des données” [“The Readiness of French Companies for the GDPR”] April 2017 – Association Française des Correspondants à la Protection des Données à caractère Personnel
² The language of the bill provides exceptions, however, with regard to processing personal data (in a strictly personal or domestic context).The language of the bill provides exceptions, however, with regard to processing personal data (in a strictly personal or domestic context).
³ The replacement of a name by a pseudonym
⁴ In France, this means the Commission Nationale Informatique et Libertés (CNIL).
⁵ In 2016 the French legislature chose to rule out class action settlements in breaches of personal data. The bill discussed here amending the digital privacy act reintroduces this possibility.