Welcome to Part 3 of the Baker & McKenzie GDPR Game Plan Series!
On 25 May 2016, the GDPR finally entered into force. It will start to apply as of 25 May 2018 giving organisations two years to come into compliance. Companies would be wise to assess sooner rather than later how the GDPR will affect their business models and data processing practices and start formulating a Game Plan to address the transitional steps they would need to take locally, regionally and globally to become GDPR compliant.
As you might be aware, the Baker & McKenzie GDPR Game Plan Series assists companies with this process by identifying and analysing 13 GDPR elements (the so-called “Game Changers”) that companies might want to address as a priority in order to become GDPR compliant.
In this LegalBytes edition, we will provide the third set of our practical analyses of the key Game Changers. We will cover Data Protection by Design and by Default, Data Protection Impact Assessments, Accountability, Profiling Restrictions and One Stop Shop. We provide the key takeaways in relation to each of them.
For comprehensive analyses of the respective Game Changers, please refer to our GDPR Game Plan booklet available here. The booklet contains our in-depth analyses of the 13 Game Changers. Our previously published analyses have also been updated in the booklet to reflect the final text numbering of the GDPR Articles and Recitals.
1. Data Protection by Design and by Default Requirements under the GDPR
The GDPR expressly codifies the concepts of data protection by design and by default as important data protection principles and imposes specific obligations on controllers in this regard. Compliance with the obligations of data protection by design and by default will form an integral part of any sound data protection compliance program and can also deliver a competitive advantage.
(a) The new data protection by design and by default requirements will apply to controllers but not to processors.
(b) Under the data protection by design provision, controllers are required to:
- implement appropriate technical and organisational measures (such as pseudonymisation) which are designed to implement data protection principles (such as data minimisation) in an effective way; and
- integrate necessary safeguards into their processing in order to meet the requirements of the GDPR and protect the rights of data subjects.
(c) What measures will be appropriate in each case will depend on the risks for rights and freedoms of natural persons posed by the relevant processing (‘risk-based approach’).
(d) Under the data protection by default provision, controllers are required to implement appropriate technical and organisational measures for ensuring, by default, that only personal data which are necessary for each specific purpose of the processing are processed.
(e) Obtaining certifications may help demonstrate compliance with these obligations.
2. Data Protection Impact Assessment under the GDPR
The GDPR will require controllers to carry out Data Protection Impact Assessments (“DPIAs”) in cases of potentially high-risk processing activities and to consult supervisory authorities (“SAs”) in certain instances.
A positive side effect of the introduction of DPIAs will be the abolishment of the general obligation to notify data processing operations to SAs. Rather than generally requiring the notification of data processing operations to SAs (as is currently required in most EU countries), the GDPR will rely on data controllers to assess the impact of envisaged data processing operations and only consult with SAs in relation to high-risk processing operations.
(a) Where a type of data processing is likely to result in a high risk for the rights and freedoms of individuals, controllers shall carry out a DPIA prior to the processing to assess the impact of the envisaged processing operations on the protection of personal data.
(b) The GDPR text itself does not provide much guidance as to what would be considered a “high risk” for the rights and freedoms of individuals. But it does provide a non-exhaustive list of examples as to when DPIAs will be required and further guidance from SAs can be expected.
(c) The GDPR does not prescribe the process for undertaking DPIAs. Existing or future SA guidance on conducting DPIAs will be the best source of guidance.
(d) If a DPIA carried out by a controller indicates that an envisaged processing would result in a high risk in the absence of risk-mitigating measures taken by the controller, the controller shall consult the SA prior to the processing.
(e) The obligations to carry out DPIAs and consult with SAs in relation to high-risk processing operations directly apply to controllers only. But processors should assist controllers, where necessary and upon request, in complying with these obligations.
3. Accountability Obligations under the GDPR
The GDPR expressly introduces a legal accountability obligation into European data protection law. While short in length and inconspicuous on a first reading, the new provision is likely to have far-reaching consequences in practice.
(a) Codification of the accountability principle in the GDPR is in line with a global trend to make accountability a legal obligation.
(b) Under the accountability principle as codified in the GDPR, controllers will be required to implement appropriate technical and organisational measures to ensure and be able to demonstrate that data processing is performed in accordance with the GDPR, and review and update those measures where necessary.
(c) What measures will be appropriate in each case will depend on the nature, scope, context and purposes of the relevant processing as well as the risks for rights and freedoms of individuals.
(d) The GDPR text provides very little guidance as to what measures controllers will need to implement to discharge their accountability obligations. Further guidance in the form of codes of conduct, certification mechanisms and clarifications from the Art. 29 Working Party/EDPB can be expected.
(e) A best-practice approach for organisations to satisfy their accountability obligations would be to build and implement a structured privacy management program. But less comprehensive approaches may be appropriate as well, depending on the level of risk raised by the data processing.
4. Profiling and Profiling-Based Decision-Making under the GDPR
In today’s times of big data analytics and personalised customer experiences, businesses of all sizes and sectors increasingly collect large amounts of personal data in order to create detailed profiles of data subjects recording their behaviours, preferences, movements, etc. Further, businesses increasingly make decisions based on those customer profiles (such as granting or refusing loans). In an attempt to control and limit these activities, which are seen as a threat to privacy, the GDPR imposes restrictions on data controllers that engage in them.
(a) Profiling is a form of data processing and as such is not prohibited but subject to the general rules governing the processing of personal data.
(b) Individuals have certain rights to object to profiling which must be honoured by controllers.
(c) Controllers are subject to specific information requirements where they engage in profiling.
(d) Individuals have the right not to be subject to a decision based solely on profiling (or other automated processing activities) which produces legal effects concerning them or similarly significantly affects them. This right is subject to limited exceptions, namely that the decision is:
- based on the data subject’s explicit consent;
- necessary for the entering into, or performance of, a contract between the data subject and the controller; or
- authorised by EU or Member State law to which the controller is subject,
provided in each case suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests exist.
(e) Data processing undertaken for the purpose of profiling-based decision-making may be subject to the requirement to carry out a data protection impact assessment.
(f) Decisions based solely on profiling (or other automated processing) must not be based on sensitive data unless the data subject has explicitly consented or the processing is necessary for substantial public interest reasons on the basis of Union or Member State law.
(g) Profiling-based decision-making must not take place in relation to children.
(h) Union or Member State law may impose further restrictions in relation to decisions based on profiling.
(i) The European Data Protection Board will likely issue guidance in relation to profiling, and in particular as to when decision-making based solely on profiling will be permitted.
5. One-Stop Shop under the GDPR
The one-stop-shop (“OSS”) mechanism incorporated into the GDPR was probably the most controversially discussed concept during the GDPR’s inception. What we are left with is a considerably watered-down version of the EU Commission’s ambitious initial proposal for streamlining the competencies of the various national supervisory authorities (“SAs”) and ensuring a consistent interpretation and application of the GDPR by them.
(a) As a general rule, each SA will be competent to perform the tasks assigned to it and exercise the powers conferred on it on the territory of its Member State. Without any qualifications or derogations, this rule would frequently lead to various national SAs being competent to act on one and the same matter.
(b) In order to promote consistency and ease the compliance burden for businesses, in cases of “cross-border processing”, generally only the SA of the main or single establishment of the controller/processor will be competent to act as “lead SA”, subject to an obligation to cooperate with other “concerned SAs”. The idea is that a business operating in multiple EU locations will have to deal with only one lead SA (where it has its main or single establishment), which will be responsible for supervising all of its processing activities across Europe.
(c) However, the OSS mechanism is subject to important derogations. For example, a local SA other than the lead SA may be competent to handle complaints lodged with it or a possible infringement of the GDPR if the subject matter relates only to an establishment in its Member State or substantially only affects data subjects in its Member State.
(d) The GDPR sets out detailed rules for lead SAs and concerned SAs to cooperate in cases of cross-border processing. Overall, the lead SA should closely involve and coordinate the concerned SAs in the decision-making process and decisions are to be agreed jointly with disputes to be resolved by the European Data Protection Board.
(e) In order to ensure a consistent application of the GDPR across EU Member States, the GDPR requires SAs to obtain the opinion of the Board before adopting certain measures (such as Binding Corporate Rules or standard contractual clauses) or issuing certain guidance (e.g., when DPIAs are required). In cases of conflict, the Board has the last word and may issue binding opinions.
(f) It remains to be seen how the complex rules will be interpreted and applied in practice.