The first thing to say is that any organisation which has already put effort into complying with the 1995 Directive will find that that was time well spent. The policies, procedures and structures already in place will act as a substantial ‘spring-board’ when preparing for the new Regulation.
The Controller currently doing business in several EU countries will have the challenge of keeping track of local interpretation of the legislation in each of those jurisdictions. Under the new Regulation, the Controller will be able to identify their main establishment, so that even an organisation active in several EU jurisdictions, and will only have to comply with the instructions and guidance of the Supervisory Authority (our DP Commissioner) in that jurisdiction (the ‘one-stop shop’).
The eight Rules enshrined in the 1995 Directive have not gone away. They have, however, been articulated slightly differently, and a new focus has been introduced – under the principle of Accountability, the Data Controller will be challenged to be able to demonstrate their compliance with the Regulation.
This has a number of aspects. The Controller must begin to maintain a log of its data management activities, in particular, any breach of DP security or activity which represents a risk to the personal data for which it is responsible. The Supervisory Authority will expect to see evidence of a mature, risk-aware mind-set, and clear efforts to train staff and raise DP awareness.
Where the Controller is planning new forms of processing, or introducing risk to its data management practices, a Privacy Impact Assessment will have to be conducted and documented, and any perceived risks will have to be managed in a proportional and effective manner.
Unhelpfully, the Regulation does not include a template for a PIA Report, but this may well prove to be an advantage, as it will allow the development of ‘fit for practice’ reporting formats.
The Controller will continue to be challenged regarding the justification for any processing of personal data – the Lawful Processing Conditions remain, and the Controller must be able to refer to at least one of them in order to proceed with the data processing.
Among these Conditions, consent becomes very important, and the Controller relying on consent must be able to clearly demonstrate where and how such consent was given.
At the point of acquisition of the personal data, the Controller will be required to explain in clear and transparent manner, the intended processing of the data and the legal basis for such processing.
Allowing for some exemptions, the Data Subject must also be reminded, in any correspondence, of their right to withdraw consent at any time during the life cycle of the processing.
The Controller must be prepared for a request from the Data Subject restricting or limiting the range or scope of processing which the Controller is permitted to do (Restriction), and unless the Controller has a legitimate justification for proceeding, the Controller must be prepared to remove, anonymise or erase personal data once the original purpose has been fulfilled (the Right to be Forgotten).
Even where personal data is not acquired directly from the Data Subject, the Controller must be prepared to explain to the Data Subject, as soon as possible after acquisition, about the source of the data, the extent of processing, and any profiling or secondary processing that is planned. This information should be provided in the first correspondence with the Data Subject, and should happen at the latest within one month of acquisition.
The Controller must also be able to pull together any personal data relating to the Data Subject’s account, at their request, in order to make it easy for them to move account details from one Controller to another. The general principle is that it should be as efficient and inexpensive for the Data Subject to move accounts as it was to acquire their data in the first place.
Throughout all of this processing, the Controller must be able to demonstrate appropriate safeguards and measures, both organisational and technological, to demonstrate compliant processing of personal data within their control.
In the unfortunate event of a data breach, the Controller must, within 72 hours of becoming aware, prepare and provide the DP Commissioner with as much information as possible on the cause or causes of the breach, the steps taken to resolve it and prevent a recurrence, and any notification which has been provided to the Data Subjects whose data was compromised.
As a last change (for now), the Regulation has become much more specific in the clauses and structure of the Data Processor Agreement – where a third-party service provider is engaged to process personal data, the Regulation now stipulates a series of provisions which must be included – among them:
• The scope and subject matter of the processing
• The duration, nature and purpose of the processing
• The categories of Data Subjects whose data will be involved• The obligations of the Data Controller throughout the duration of the engagement
• The limitations on the processing conducted by the Data Processor throughout the engagement.
Under the new Regulation, therefore, the Controller will be expected to have implemented a comprehensive data management solution, including embedded policies and procedures, appropriate security mechanisms and clear lines of communication with staff, Data Subjects and the Office of the DP Commissioner.
The call to action!
Data Controllers should start now to put these structures and behaviours in place, in order to be ready
when the Regulation takes effect, most likely in March, 2018.
This series of articles will continue next week with a view of life from the perspective of the Data Processor.