Many organizations have devoted a great amount of planning, effort and resources towards GDPR compliance, while others have not done as much in the way of preparation. No matter what stage you’ve reached in your compliance effort (or plan to reach by May 25, 2018), you can better position yourself for GDPR compliance by doing a few simple things:
Check DPA Websites
Use Data Protection Authority (DPA) websites of each EU member state as a resource. DPA websites can be helpful in many ways, including providing model forms, guidance documents and a platform for submitting questions to the DPA about GDPR compliance. It may also be necessary for controllers to consult a DPA when deciding how to respond to a data subject’s objection to processing or request for access, rectification, or restriction on processing, as individual member states may have specific legislation on these issues. DPAs must also be consulted prior to initiating so-called “high-risk processing” (i.e., processing involving high risks to rights and freedoms of data subjects) where the risks cannot be sufficiently mitigated. Of course, DPAs will be responsible for handling complaints from data subjects and enforcing the GDPR, but that does not mean DPAs should be seen as an enforcement body only; they offer resources, expertise, and guidance, all of which should be utilized. Links to all DPA contact information and websites can be found here: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm
Check the EC’s Listing of Adequacy Decisions
Particularly if your organization’s business relies upon transferring personal data of EU data subjects outside the EU, regularly check the listing of countries deemed by the European Commission (EC) to provide an adequate level of protection of personal data—it is a simple, time-efficient task, and, if you find that the country to which you want to transfer the data is on the EC’s list, it will save you from having to invest a lot of money and effort in implementing additional safeguards to protect the data. The EC’s adequacy determinations may be withdrawn or amended at any time, so it is important to check the listing regularly; it is available here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
Develop a Template Breach Reporting Form
If you are a controller, having a template breach reporting form on hand is especially useful in light of the 72-hour time frame for reporting the breach to the relevant EU supervisory authority. When time is of the essence after discovering a breach, spend that time on making critical assessments of the breach, including whether it is still ongoing, its scope and relevant jurisdictions in which it occurred, and mitigation, not on drafting a breach report from scratch. Make sure that your template reporting form is drafted in such a way that it will prompt you to include the minimum required elements: (1) a description of the nature of the breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (2) the name and contact details of the data protection officer or other contact point where more information about the breach can be obtained; (3) a description of the likely consequences of the breach; and (4) a description of the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
“Flag” Areas of Special Concern
Establish a process for flagging any proposed activity for which there are special requirements under the GDPR so that you can ensure compliance before proceeding. Activities to consider flagging include profiling, processing personal data for research purposes, and processing special categories of personal data.
“Profiling” is defined under the GDPR as automated processing of personal data in order to make an evaluation of, or decision about, the data subject (e.g., decisions which have significant adverse legal consequences for the data subject, such as denial of a credit application). Flagging any proposed profiling is important because a controller is required to provide notice to a data subject, at the point of data collection, of the fact that profiling will occur, of any consequences of decisions that may be made in connection with the profiling, and of the subject’s right to object to the profiling at any time.
Processing personal data for research purposes involves a host of requirements under the GDPR, including in some cases obtaining explicit consent from a subject to process his/her data, implementing safeguards such as pseudonymization to protect research data, providing notice to the research subject which includes a description of intended research purposes, and having a process to evaluate a research subject’s request for erasure of his/her data and determining whether honoring such a request would impair research objectives.
Processing “special categories of personal data” (e.g., data revealing racial or ethnic origin, health condition, political opinions, or religious or philosophical beliefs) may require obtaining consent from a data subject, performing a data protection impact assessment (DPIA) prior to processing (especially in connection with large-scale processing), or consulting with a supervisory authority prior to processing when there is a high risk posed to data subjects’ rights.
Flagging the above activities will help your organization carry them out in a thoughtful, methodical and compliant way rather than unwittingly committing a violation of the GDPR.
Know the Unknowns
Be aware of the fact that there are still many uncertainties about the meaning of certain aspects of the GDPR and how it will be enforced. As an example, the Information Commissioner’s Office (ICO) recently released draft guidance regarding contracts and liabilities between controllers and processors. While the guidance was helpful on many points, there is still debate and there are unanswered questions on this subject, including questions about the obligations of subprocessors and the recourse that may be pursued by data subjects or others who are harmed as a result of a violation of a contract. Another example is the Article 29 Working Party’s guidance on data protection impact assessments—uncertainty still exists about what would be considered processing “likely to result in high risks” to the rights or freedoms of individuals, which would trigger the need to conduct an impact assessment, and about how to weigh and apply the numerous criteria set forth in the guidance to make that determination. The manner in which the GDPR will be enforced is also unknown. Those who will be subject to the GDPR certainly know (or should know) the potential penalties for violations, which could be as high as 4% of a company’s worldwide annual turnover, but without the benefit of knowing about actual penalties that have been assessed, we may not gain more certainty on this subject until after May 25, 2018.