Only a few weeks left until the go-live of the EU General Data Protection Regulation
As of 25 May 2018, all data protection standards in the EU will be raised to a uniform level by the EU General Data Protection Regulation (EU-GDPR). With regard to the processing of personal data, companies, authorities and freelancers, among others, must adapt their process and structural organisation (for example in the Human Resources area) to the EU-GDPR. In addition to meeting all operational and legal requirements, the EU-GDPR also requires the implementation of technical and organisational measures. The new regulation applies not only to companies based within the EU, but also to companies from third countries offering, inter alia, their goods and services within the EU. The aim of the EU-GDPR is the standardisation of data protection law and greater protection of personal data. To that end, the new regulation imposes essential obligations on companies processing personal data, thereby strengthening the rights of natural persons. The Federal Republic of Germany has already ensured a high level of data protection with the Federal Data Protection Law (BDSG). With the new regulation, other EU member states are now required to adapt their data protection standards as well. This will allow better cooperation in the processing of personal data within the EU.
Implementation of the “Rights of the data subjects”
The tightening of the “Rights of the data subject” (Art. 12 to Art. 23 EU-GDPR) is one of the extended provisions of European data protection law in the new General Data Protection Regulation (GDPR). The EU-GDPR understands the “Rights of the data subject” or “subject rights” as the rights of any natural person in relation to the handling of their personal information by the responsible parties (natural or legal persons) who process these data.
These rights were already largely specified in §§ 33 to 35 of the Federal Data Protection Law (BDSG); however, so far little use has been made of them. It can be assumed that, due to the media attention around the EU-GDPR, many EU citizens will focus on this aspect by 25.05.2018.
As a consequence, companies and authorities can expect significantly more inquiries about personal data. To handle this effort, a separate process should be implemented in the procedural and organisational structure, for example for the access-request process. In particular, since a disclosure must be processed within four weeks, this process should be set up as lean as possible. In practice this means: fewer process participants and fewer interfaces to departments make compliance with the reporting deadline possible. Therefore the number of persons involved in the process must be limited. A further challenge is identifying all systems that process personal data. The personal data held in these systems must be extracted and handed over as copies, together with a reply letter, to the person making the inquiry. In addition, in companies operating throughout Europe, the information must be provided in the respective national language of the branch. These points are an excerpt of the challenges related to the data subject's right of access.
In addition to the right of access, further rights of the data subject must be taken into account. These are:
“Right of rectification” (Art. 16)
“Right to erasure (right to be forgotten)” (Art. 17)
“Right to restriction of processing” (Art. 18)
“Right to data portability” (Art. 20)
“Right to object” (Art. 21) and
“Information to be provided where personal data are collected” (Art. 13 and 14)
Fragmented data and non-compliance with compliance requirements
The EU-GDPR is forcing a clean-up: it causes companies to optimise and consolidate their data holdings and to implement appropriate data management in order to meet the compliance requirements. The greatest challenges in handling data in the context of the GDPR have grown historically, for example very large, exponentially increasing data stocks, or missing insight into the relevant data and data structures. Faced with these huge and fragmented data volumes, and lacking insight into them, companies have increasing difficulty fulfilling the legal requirements for data storage and for the security of these data. Uncontrolled and careless data management can lead to fines for privacy violations. Furthermore, unsystematic storage of data is associated with high costs: on the one hand the storage resources themselves, on the other hand operating costs such as energy for the servers. In the process organisation, untraceable data impair workflows.
The GDPR requires companies to disclose at which locations, and for what purpose, (sensitive) personal data are processed, passed on or stored. Furthermore, companies are responsible for controlling and monitoring access to the relevant data. Proper control, however, is hampered by the use of various cloud, file-sharing and similar services: for example, there is often no knowledge of where the data (outside the EU) are located and what laws are in place there to ensure the relevant protection. In addition, it is usually not possible to fully ascertain whether the data are actually being deleted or have been deleted. These aspects of use must be considered and aligned with company policies in order to meet the compliance requirements.
Notification of a personal data breach
According to the GDPR, personal data breaches must be notified to the competent supervisory authority within 72 hours of becoming aware of them (in accordance with Article 33). Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. This notification includes:
description of the nature of the personal data breach
the categories of the personal data
the approximate number of data subjects concerned
a description of the likely consequences of the personal data breach
the measures taken or remedial action taken for mitigation and
appropriate documentation to ensure the implementation of Article 33
In the case of a personal data breach, the affected data subjects must also be notified, in accordance with Article 34.
A report to the supervisory authority is not required if the personal data breach is unlikely to “result in a risk to the rights and freedoms of natural persons” (Art. 33 (1)). In order to prevent data breaches, companies (IT or IT security departments) should proactively familiarise themselves with the current threat situation and perform a corresponding analysis. The identified weaknesses should be countered with appropriate measures. Particular attention should be paid to compliance with the notification obligation, as non-compliance entails not only monetary but also reputational risks. For the implementation, either an existing internal process needs to be adapted or a new process set up which meets the relevant criteria of the notification obligation to the supervisory authorities. LDA Bayern has already published a corresponding notification form as well as general information on data breaches.
In order to recognise data breaches, employees need to be sensitised in this regard. Employees must also be aware of the channels for reporting a data breach internally.
Privacy Impact Assessment (PIA)
A Privacy Impact Assessment (PIA) is required (according to Art. 35 (1) GDPR) if the processing activity entails a high risk for the rights and freedoms of the persons concerned. Aim of the PIA: early detection of potential risks and definition of appropriate countermeasures. Unlike prior checking under the BDSG, the PIA is no longer the responsibility of the data protection officer, but of the person responsible for the processing (Art. 35 GDPR). The data protection officer assists and advises throughout the entire process and monitors the performance of the PIA, and ensures by means of provided templates that the requirements of the EU-GDPR are met. In the first step, a so-called threshold analysis determines for which processing activities a PIA is required. This threshold analysis consists of a list of criteria which make a PIA necessary. The nine criteria of the Article 29 Working Party provide a guideline for creating the threshold analysis. However, these criteria are very general and need to be adapted to the relevant industry or company. For example, there is no precise definition of the criterion “extensive amount of data”.
Furthermore, the supervisory authorities (according to Art. 35 (4, 5)) shall prepare catalogues of processing operations. The so-called “Blacklist” contains processing activities for which a PIA is mandatory; processing activities on the “Whitelist”, in turn, do not require a PIA. Currently, it is still unclear when these lists will be published. If the result of the threshold analysis is positive for a processing activity, a risk analysis must be performed in a second step. Here, the data protection risk is assessed from the perspective of the data subject by means of objective criteria (e.g. type, scope, circumstances and purpose of the processing). In addition, appropriate measures for the mitigation of the identified risks must be identified and implemented. If the measures implemented are not sufficient, the supervisory authority must be consulted. The implementation of the requirements by 25.05.2018 presents companies with big tasks, and not only data protection and IT departments are affected.
There is also a need for action in the process and organisational structure. How the data protection supervisory authorities will react to non-compliance or poor implementation of the GDPR is eagerly anticipated. However, a transitional phase of two years for the implementation of the EU-GDPR should probably be considered sufficient. Ensure an at least adequate implementation of the requirements in your company.