The Irish Data Protection Commissioner (DPC) has issued guidance on compliance with the General Data Protection Regulation (GDPR), which will come into force on May 25, 2018 and replace the existing European data protection framework under the EU Data Protection Directive. The new data privacy regime is expected to result in enhanced transparency, accountability, and individuals’ rights, while optimizing organizational approach to governance and management of data protection as a corporate issue.
The guidance, titled “The GDPR and You, General Data Protection Regulation, Preparing for 2018,” urges all organizations to not delay the preparation for the GDPR and to “immediately start preparing for the implementation of GDPR by carrying out a ‘review and enhance’ analysis of all current or envisaged processing in line with GDPR.” Proper preparation for the GDPR may help avoid regulatory fines, which can range up to €20,000,000 or 4% of total annual global turnover, whichever is greater.
The guidance consists of a checklist that aims to provide clear direction on how organizations can prepare for compliance with the GDPR in Ireland. However, organizations will find it useful when preparing for the GDPR anywhere in Europe. The checklist is organized around the following twelve points.
The DPC suggests that data controllers begin identifying areas that could cause compliance issues under the GDPR and review and enhance their risk-management processes.
The GDPR includes an accountability principle that requires organizations to document and be able to demonstrate the ways in which they comply with the GDPR. The DPC suggests that organizations inventory all personal data they hold and examine it by asking themselves the following questions:
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it, both in terms of encryption and accessibility?
- Do you ever share it with third parties and, if so, on what basis?
This inventory can also be used to identify incorrect data that needs to be amended or track third-party disclosures.
Communicating with Staff and Service Users
The DPS advises organizations to review all of their current data privacy notices (internal and external) and identify and correct any gaps between statements in the notices and the actual data collection and processing practices. Current legislation requires that data collectors notify data subjects of the following, prior to collecting their personal information:
- Identity of the entity collecting personal data.
- Reasons for collecting the data.
- The use(s) the data will be put to.
- To whom the data will be disclosed.
- Whether the data is going to be transferred outside the EU.
The GDPR will require that the following additional information be communicated to individuals in advance of processing:
- The legal basis for processing the data.
- Retention periods.
- Data subjects’ right to complain about any perceived deficiencies in the implementation of the GDPR.
- Whether personal data will be subject to automated decision making.
- Data subjects’ individual rights under the GDPR.
The GDPR requires that this information be provided in concise, easy to understand and clear language.
Personal Privacy Rights
Organizations should ensure that their procedures cover all the rights granted to individuals under the GDPR, which include:
- The right of access to personal data held about the individual.
- The right to have inaccuracies corrected.
- The right to have information erased.
- The right to object to direct marketing.
- The right to restrict the processing of their information, including automated decision-making.
- The right to data portability.
Organizations should be prepared to timely and effectively respond to a request from a data subject wishing to exercise her rights under the GDPR.
How will Access Requests change?
Organizations should update their procedures to ensure that requests are handled under the GDPR timetable. Under the GDPR, an access request will need to be processed without undue delay and, at the latest, must be concluded within one month (compared to the current 40-day period).
Organizations will no longer be able to charge for processing an access request, unless they can show that the cost will be excessive.
Organizations will be able to refuse a request deemed manifestly unfounded or excessive, if they can support their decision with clear refusal policies and procedures demonstrating why the request meets these criteria.
The DPC recommends that organizations who deal with a large number of access requests save on administrative costs by developing systems that allow individuals to easily access their information online.
What we mean when we talk about a “Legal Basis”?
Organizations should identify and document their “legal basis” for the various types of data processing they carry out, particularly those where they rely upon consent as the sole legal basis for processing data. Under the GDPR, individuals will have a stronger right of erasure where their consent is the only justification for processing.
The DPC recommends minimizing data kept on hand, as well as shortening periods of time when personal data is kept in raw format before being anonymized or pseudonymized.
Using Customer Consent as grounds to process data
Organizations who use individual consent when collecting data should review their procedures for seeking, obtaining, and recording that consent, and determine whether they need to make any changes to comply with the GDPR. Under the GDPR, consent must be “freely given, specific, informed and unambiguous.” Consent requires some action, it cannot be inferred from silence or failure to opt out (pre-ticked boxes).
Consent must be verifiable and individuals must be informed in advance of their right to withdraw consent. Because the GDPR requires controllers to be able to demonstrate that consent was given, organizations should review their systems for recording consent to ensure they have an effective audit trail.
Processing Children’s Data
The GDPR introduces special protections for children’s data, particularly in the context of social media and commercial Internet services. Organizations collecting data from underage individuals (as defined by the individual’s state) must ensure that they have adequate systems in place to verify children’s ages and gather consent from parents or guardians. Once again, consent must be verifiable.
Reporting Data Breaches
The GDPR introduces a mandatory 72-hour breach-notification requirement. All breaches must be reported to the appropriate Data Protection Authority (i.e., the DPC in Ireland), unless the data was anonymized or encrypted. Furthermore, breaches that are likely to bring harm to an individual, such as identify theft or breach of confidentiality, must also be reported to the affected individuals. Failure to report a breach when required to do so could result in a fine, in addition to a fine for the breach itself.
The DPC suggests that organizations do not delay assessing the types of data they hold and documenting those that fall within the notification requirement in the event of a breach. Big companies dealing with large volumes of data will need to develop and implement formal policies and procedures for managing data breaches at all levels.
Data Protection Impact Assessment (DPIA) and Data Protection by Design and Default
A DPIA is “the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals.” The goal of a DPIA is to identify potential privacy issues before they arise and identify ways to mitigate them.
The GDPR introduces mandatory DPIAs for those organizations that are involved in high-risk processing (e.g., those utilizing a new technology, those using a profiling operation that is likely to significantly affect individuals, those undertaking large-scale monitoring of a publicly accessible area).
Where the DPIA indicates that the risks identified in relation to the processing of personal data cannot be fully mitigated, data controllers in Ireland will be required to consult the DPC before engaging in such processing.
The DPC points out that while privacy by design and the minimization of data have always been implicit requirements of the data protection principles, the GDPR enshrines both the principle of “privacy by design” and the principle of “privacy by default” in law. “This means that service settings must be automatically privacy friendly, and requires that the development of services and products takes account of privacy considerations from the outset.”
Data Protection Officers
The GDPR requires some organizations to designate a Data Protection Officer (DPO). Organizations requiring DPOs include those whose activities involve the regular and systematic monitoring of data subjects on a large scale and those who process sensitive personal data on a large scale.
The DPC cautions that it is important that someone at the organization (or an external data protection advisor) take responsibility for data protection compliance and that the chosen DPO has the knowledge, support, and authority to do so effectively.
International Organizations and the GDPR
Multinationals are expected to benefit from the GDPR’s “one-stop shop provision” that will entitle them to deal with one Data Protection Authority, referred to as a Lead Supervisory Authority (LSA), as their single regulating body in the country where they are mainly established.
To determine the location of their “main establishment,” the DPC suggests that international organizations map out where they make their most significant decisions about data processing. The designated LSA will regulate all data protection matters involving that organization. However, the LSA will be required to consult with other concerned Data Protection Authorities on certain matters.
Over the next few months the DPC plans to produce additional guidance and other tools to assist organizations in their preparation for compliance with the GDPR in Ireland. Additional guidance, at European level, is expected to be introduced by the Article 29 Working Party.