By Cédric Nédélec, Data Protection Officer at PwC Luxembourg
The so-called "GDPR" reshuffles the existing regulatory framework to impose tougher data protection rules across the European Union and beyond. Every EU-based organisation acting as "controller" or "processor" of personal data is concerned, as is every organisation based outside of the EU, whether controller or processor, that processes the personal data of individuals in the EU in order to offer them goods or services or to monitor their behaviour.
While the current regulatory framework is based on notification requirements, the GDPR shifts it to the accountability principle. The data controller will not only have to implement appropriate technical and organisational measures, but will also have to be able to demonstrate its compliance.
For that, organisations must already start elaborating their privacy programme based on an appropriate combination of strategy, environment specificity and constraints (technical or legal), the sensitivity of the personal data processed and the purposes of such processing, the type of data subjects, the potential impact of a data leak, and risk appetite. To achieve this, companies have to assess their privacy maturity, understand the regulatory requirements and take the business needs into account - a tremendous challenge to take up within 18 months.
Understanding regulatory requirements
What is personal data? The idea of personal data is broad: it means any information relating to an identified or identifiable natural person (so-called "data subject").
While some categories of personal data are obvious - identification data (name, national identification number, DNA etc.), username and password pairs, race, religion, biometrics (fingerprints, pictures), bank account number, and criminal record - others are less obvious. This is the case, for example, for a browsing or computer usage profile, bank transactions, credit history and risk profile, appraisals and performance ratings, or location at a certain time. In addition, and to avoid a common misunderstanding, the regulation of personal data processing applies even when the personal data are encrypted, replaced by a pseudonym, publicly known or spread across multiple locations: as long as someone can link the data back to an individual, they remain personal data.
Also, information that appears anonymous can become personal data when it is gathered and combined in a particular context that allows the identification of data subjects. For example, while a "19 year old man playing football in Luxembourg" can't be identified, he becomes identifiable if we add that he "has been a goalkeeper at Steinfort for three years".
What is processing? A very broad concept as well, "processing" covers every operation that can be done on personal data, from the initial collection to final deletion or destruction (including creating personal data, storing, using, copying, aggregating, adapting, amending, sharing, transmitting, archiving, selling, losing and erasing these data).
When processing personal data, the GDPR requires that data controllers and processors do it lawfully, fairly and transparently. They have to be open and honest about what they're doing and why. They can't, for example, mislead data subjects about why they're processing their personal data. Data controllers and processors have to stick to their declared purpose, minimise the amount of personal data held, and keep it accurate, up to date, secure and confidential at all times. They must then delete or destroy it when the purpose for which it was obtained or created is fulfilled, or when the consent legitimating the use of the data has been withdrawn. Data subjects who ask questions about what is happening with their personal data are entitled to answers and to receive copies of that personal data. If they have good grounds to ask for the processing to stop, then it has to be stopped.
Key issues to focus on from a company point of view
Companies need to rethink how they collect, process and store data. The new rules will impact them at different levels:
Compliance: for example, companies will have to deal with a new "accountability" obligation, which means documenting in writing the measures taken to comply with the GDPR, proportionate to the risks and impacts of the processing, and being able to share that documentation with regulators on demand.
Usage controls: personal data will be subject to strict usage-control principles, such as "data minimisation", "data portability" and the "right to be forgotten". This means companies have to limit the use of data, enable individuals to take their data with them at the end of a relationship, and delete or destroy data on request. The GDPR also restricts automated decision-making and the profiling of natural persons.
Consent: it will be more complicated to obtain, and to prove, valid consent to the use of personal data.
Bundling: the regulation bans a very common practice in marketing services, for example, which is making the provision of a service conditional on the individual's consent to the use of their data for purposes that are not necessary for that service.
Aggregation: the ability to collect data and create individual profiles will be severely curtailed.
Supervision: regulators will have the right to carry out audits and inspections of entities on demand.
Breach disclosure: the GDPR requires businesses to notify a personal data breach to the supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and to communicate it to the affected individuals where it is likely to result in a high risk to them. Public disclosure of failure is likely to fuel regulatory sanctions and compensation claims, as well as causing damage to companies' brand and reputation.
Fines: companies that do not comply with the law risk fines of up to €20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Litigation: data subjects, and not-for-profit bodies acting on their behalf, have the right to claim compensation for material or non-material damage (including mere distress) caused by contraventions of the law.
The need to prioritise
After carefully reading the GDPR, some questions arise:
Such questions are legitimate and their answers are essential to the understanding of the GDPR, as they will be the cornerstone of the model chosen by each organisation. Privacy compliance is not a purely legal exercise with a one-size-fits-all model. Each organisation needs to understand it through its own lens and address privacy from a risk-based and holistic perspective. It all begins with the company's vision, which is the articulation of its objectives and provides an ongoing reference point for the work to be performed. The strategy for the privacy programme has to be fully aligned with this vision, to make sure that business priorities are always kept at the forefront.
Once the organisation has developed its strategy, it can then establish the structures necessary to support the vision (assigned team, roles and responsibilities of the stakeholders, etc.) and build up the privacy programme step by step (governance, tools and methodologies, information gathering on the current situation, identification and prioritisation of gaps, remediation planning and sustainable implementation, monitoring and reporting), so as to be fully prepared for a data breach.
The General Data Protection Regulation is the biggest shake-up of data and privacy protection law in over twenty years. Companies find themselves in a more constrained environment, and organisations risk heavy penalties and serious reputational damage if they do not understand the full implications. The regulation will apply from 25 May 2018 but, given the intensive preparation work required, companies should already start developing a GDPR vision and strategy, to make sure they become compliant in the most cost-effective manner.
Data Protection Officer
Tel: +352 49 48 48 2186