The full text of the General Data Protection Regulation (GDPR) was published on 4 May 2016. Although the GDPR will not be effective until 25 May 2018, it is worth looking into it right now given the major changes it makes to the rules in the 1995 Directive.
Application of the GDPR
The GDPR applies to the processing of personal data by companies having an “establishment” in the European Union, regardless of whether the processing takes place in the EU or not. It also applies to companies not established in the EU, where the processing activities are related to: the offering of goods or services in the EU, to data subjects in the EU irrespective of whether a payment is required or the monitoring of their behavior so long as their behavior takes place within the EU. The GDPR states that “’Establishment’ implies the effective and real exercise of activity through stable arrangements.”
Achieving Compliance with the GDPR
In order to be GDPR compliant, companies will have to adopt new technical and organizational measures. In particular, some of them will have to appoint a data protection officer and to conduct data protection impact assessments.
- Appointment of a Data Protection Officer
Since 1970 in Germany, companies have been required to designate a Data Protection Officer (DPO), that is to say a person responsible for implementing data protection law within the company in question. (This appointment has become optional in other EU states.)
A Data Protection Officer is an expert in data protection law who plays the role of an intermediary between the company and supervisory authorities. According to the GDPR, the DPO has to report directly “to the highest management level” of the company and his contact details have to be communicated to the supervisory authority.
The DPO’s duties should, at a minimum, include: informing the company and its employees on their obligations with respect to data protection law, monitoring the company’s compliance, monitoring privacy impact assessments, cooperating with supervisory authorities and handling data subjects’ inquiries.
The DPO can be a company’s employee or an outside contractor. A group of companies may appoint and share a single DPO.
The company must ensure that its DPO has the practical and financial resources to perform his/her tasks.
To date, around 10 European Member States have introduced the possibility to appoint a Data Protection Officer in their legislation. However, their scope and powers vary from one Member State to another. In some states, it is mandatory (Germany, Spain and Greece) and in others it is optional (Luxembourg, the Netherlands and France).
The GDPR provides a single set of rules for DPOs applicable in the 28 Member States.
Pursuant to Article 37, it is mandatory to appoint a DPO in the following cases:
- where the company’s core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or processing on a large scale of sensitive data or data relating to criminal convictions and offences.
- where required by EU or Member State law.
In cases other than those referred to above, the appointment of a DPO is at the company’s option.
- Conducting data protection audits
The first task of a DPO is to personally conduct an audit of the data processing carried out by the company. For each processing, the DPO has to identify the scope and purpose of the processing, the origin and sensitivity of the processed data, an estimate of the number of persons concerned, the recourse to service providers and whether data is transferred outside the EU.
Now, the GDPR introduces an obligation to conducts new kinds of audits called “data protection impact assessment” intended to identify the risks to the rights and freedoms of natural persons and the measures envisaged to address those risks.
Pursuant to article 35 of the GDPR, such assessment is required where the processing represents “a high risk to the rights and freedoms of natural persons”, such as processing on a large scale of sensitive data.
Supervisory authorities will establish a list of processing operations for which an impact assessment is required and a list of processing operations for which such assessment is not required.
To sum up, the appointment of a DPO is required for US companies having activities in Europe and processing European’s data on a “large scale”. The obligation to conduct an impact assessment will only apply to “high risk” data processing.
Supervisory authorities are expected to provide definitions and examples of “large scale” and “high risk” processing.
In the meantime, it could be a good idea to conduct a preliminary audit because from 25 May 2018, if your company is not GDRP compliant on the above discussed issues you can be exposed to administrative fines up to 2% of the total worldwide annual turnover.