The countdown is launched: GDPR
Co-signed by Maître BREBAN – Lawyer Associate of NEXO AVOCATS
On 25th May 2018, the General Data Protection Regulation (GDPR) will enter into force in the European Union. The date is close and companies have little time to get ready. Here is a synopsis of its wide and constraining scope for every actor involved in the processing* of personal data**.
Adopted by the European Parliament on 16th April, the legal text's definitions (see the box below) give a glimpse of the wide range of actors concerned by its entry into force, and the measures to be taken are far from trivial. While the GDPR extends the rights of the people whose data is collected, this reinforcement also imposes many constraints on companies and administrations, be they technical, contractual or organisational.
*Processing: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction.
**Personal data: any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
On the technical side, the main constraint set by the GDPR is the encouragement to “pseudonymise” the personal data collected. Pseudonymisation is a reversible form of anonymisation: a pseudonym is used in place of the real identity (or the data is kept in a format that does not allow direct identification), so that the data remains confidential in case of intrusion and/or data theft, while the organisation keeps the means to re-identify the person when legitimately needed.
A constraining framework for data processing
On an organisational level, the roll-out of the GDPR has wider consequences. The organisation that collects personal data has to obtain, from the person involved, a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her. This consent must be given through a clear affirmative act, and in case of dispute the burden of proof lies with the company: no more pre-ticked boxes. Whenever a processing operation is changed, the operator must evaluate the risk and analyse the impact of the change on the rights and freedoms of the natural persons involved. A record of all processing operations must be kept by the company. The organisation is also responsible for ensuring that its subcontractors (emailing companies, payroll management, etc.) are compliant with the GDPR.
This obligation requires the organisation that collects data to:
- List the kinds of processing operations (remember that simply consulting data counts as processing under the GDPR);
- Specify the categories of personal data processed;
- Describe the scope and the purposes of processing operations;
- List the internal and external players in charge of data processing;
- Detail the data flow (origin and destination) in order to identify potential data transfers outside the European Union.
A new role: Data Protection Officer
Some organisations in charge of processing operations have the obligation to appoint a Data Protection Officer (DPO). They are:
- Authorities and public organisations;
- Organisations in charge of processing operations where core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
- Organisations in charge of “particular” processing operations (racial origin, race, political opinion, religious belief, biometric data, etc.).
The DPO is then entrusted with advisory and supervisory duties towards the controller and its processors, and with cooperation with the supervisory authority. He/she enjoys the status of protected personnel.
New playing rules and sanctions
Article 34 introduces an obligation of notification: in case of a personal data breach, the organisation must inform the natural persons concerned, provided the breach can “potentially generate a serious risk to rights and freedoms”.
There are exclusion conditions to this information obligation, and of course the concept of serious risk remains subject to evaluation. But when the obligation does apply, the person in charge of processing faces a technical challenge: the capacity to identify, in his/her own database, the list of natural persons concerned. Failing that, he/she will have to make a public announcement, which will further damage the organisation's image.
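The pseudonymisation encouraged by the GDPR and the breach-notification challenge just described go together: if the working data store holds only pseudonyms and the re-identification key and mapping are kept separately, a theft of that store does not directly expose identities, yet the controller can still list the affected persons. The following is an added illustration, not code from the article or from NEXO AVOCATS; it assumes an HMAC-SHA256 keyed token as the pseudonym and uses constructed sample records.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (hypothetical people, not real data).
CUSTOMERS = [
    {"email": "alice@example.com", "name": "Alice Martin", "order_total": 120},
    {"email": "bob@example.com", "name": "Bob Dupont", "order_total": 45},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic token that stands in for a direct identifier.

    Without the key, the token cannot be linked back to the e-mail address,
    and it cannot be brute-forced from a list of candidate addresses either.
    """
    digest = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:24]


def pseudonymize(records, key: bytes):
    """Split records into a working store (pseudonymised) and an identity vault.

    The vault is the only place that maps a token back to a natural person and
    must be stored and access-controlled separately from the working store.
    """
    store, vault = [], {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        vault[token] = {"email": rec["email"], "name": rec["name"]}
        # Only non-identifying attributes are kept alongside the token.
        store.append({"subject_id": token, "order_total": rec["order_total"]})
    return store, vault


def affected_subjects(breached_rows, vault):
    """Re-identify the natural persons whose rows appear in a breached extract,
    i.e. the list the controller needs in order to notify them under Article 34."""
    return [vault[row["subject_id"]] for row in breached_rows
            if row["subject_id"] in vault]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept in a secrets manager, never with the store
    store, vault = pseudonymize(CUSTOMERS, key)
    print("working store:", store)
    print("persons to notify if the store leaks:", affected_subjects(store, vault))
```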
Sanctions will naturally vary with the GDPR violation observed. To draw attention to the importance of proper compliance, it is enough to recall the terms of Article 84, which provides for a fine of up to €20 000 000 or 4 % of the total worldwide annual turnover of the preceding year, whichever is higher. This fine applies to non-observance of the basic principles of a processing operation (Articles 5, 6, 7 and 9 of the GDPR).
Anticipating, by following some recommendations
From May 25, 2018, the mandatory application of the GDPR will turn into a major project. Unlike obtaining the old “stamp” issued by the CNIL, companies will have to provide proof that they comply with the regulation.
Companies must therefore:
- Raise their staff's awareness of data protection under the GDPR;
- Review their agreement with third-party service providers (sub-contractors inside the GDPR, data hosting providers, cloud computing solutions providers…);
- Identify their processing operations and databases and ensure their protection;
- Keep a processing record;
- Designate, if appropriate, a DPO;
- Design IT systems that ensure data security and, in time, allow compliance with the GDPR to be certified.
Beyond the new financial consequences that non-compliance brings for companies and administrations, other risks arise. Individuals will be able to bring collective proceedings. The person in charge of processing is obliged to check both his/her own conformity and that of his/her subcontractors. Hence the need to review contractual relationships and professional liability.