The General Data Protection Regulation (Regulation (EU) 2016/679, or GDPR) applies across the EU and the UK from 25 May 2018. Its operational impact is substantial, as both PwC and the International Association of Privacy Professionals warn. Board members should be aware of the following operational requirements of the new law and their implications for security: mandatory data breach notification, the data subject's 'right to be forgotten', data protection impact assessments, privacy 'by design' and by default, appointment of a data protection officer, vendor management, data portability, profiling restrictions, cross-border data transfers and compliance with approved codes of conduct.
GDPR and Substantial Operational Impact
The General Data Protection Regulation (Regulation (EU) 2016/679, or GDPR) entered into force in 2016 and applies across Europe and the UK from 25 May 2018. In the UK, it will replace the Data Protection Act 1998. The GDPR is directly applicable in each Member State, and in the UK regardless of Brexit, and will lead to a greater degree of data protection harmonisation across EU nations. The GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it applies in the spring of 2018.
The operational impact of GDPR is substantial, warns PricewaterhouseCoopers’ London office. With the International Association of Privacy Professionals (IAPP), PwC proposes a list of the 10 most important operational impacts.
1. Mandatory data breach notification.
From 25 May 2018, controllers that suffer a personal data breach must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay (Article 34). Companies will most likely want to avoid the negative publicity of these disclosures. As a result, we expect to see multinationals gradually ramp up comprehensive risk assessments, end-to-end security enhancements and outsourced managed security services, similar to what happened in the United States after state data-breach notification laws were introduced.
2. Right to be forgotten.
A new, so-called "right to be forgotten" or right to erasure could impose a significant burden on companies with personal data stored across multiple systems. The new requirement gives individuals, in certain circumstances, a right to request that data stored about them be erased. The GDPR for the first time codifies this right and applies it to all controllers. Under Article 17, controllers must erase personal data "without undue delay" if the data is no longer needed, the data subject withdraws consent or objects to the processing, or the processing was unlawful. Recital 65 explains that this right is especially relevant when a child consents to processing and later wants to remove the information, even if he or she is no longer a child. The right to erasure extends additional obligations to any controller that has made personal data public, especially online. Where a data subject requests the erasure of data that has been made public, the controller must take "reasonable steps" to inform other controllers that are processing the data about the request, unless it would require "disproportionate effort." Any controller processing the data must then erase copies of it or links to it. Whether the steps taken are "reasonable" will depend on the available technology and the cost of implementation.
3. Privacy impact assessments.
The GDPR (Article 35) will require controllers to conduct data protection impact assessments (DPIAs, commonly called privacy impact assessments or PIAs) where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of individuals. The Regulation and EU regulators' guidance identify operations that trigger the requirement:
- Processing using new technologies, systems or software.
- Processing that is likely to result in a high risk to data subjects' rights and freedoms.
- Systematic monitoring of a publicly accessible area on a large scale.
- Large-scale processing of special categories of data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data or health data.
- Large-scale processing of personal data relating to criminal convictions and offences.
- Systematic and extensive evaluation of individuals based on automated processing, including profiling, on which decisions are based that produce legal effects concerning them or similarly significantly affect them.
Even if a controller's current processing meets none of these conditions, it should know when a DPIA is required, because a future project, particularly one involving special categories of data, may trigger one. Where a DPIA identifies a high residual risk that the controller cannot mitigate, the controller must consult the supervisory authority before starting the processing (Article 36).
4. Privacy by design and default.
Until now, European businesses have generally applied privacy by design on a limited basis within some parts of their operations. Going forward, European regulators will expect the most privacy-friendly settings for how personal data are collected, retained and shared to be built into new products, devices and business processes from the outset (Article 25). In particular, online service providers should by default process only the data necessary for the core functionality of the service the consumer requested, for example when she created her account or downloaded an application. Improving the service, enhancing the user's experience or personalising it, justifications service providers all too often cite in their privacy notices, would not satisfy this condition. For such additional functionality, opt-in rather than opt-out consent is the appropriate mechanism, and arguably the more logical one altogether.
5. Data protection officers.
The GDPR (Article 37) requires controllers and processors to designate a data protection officer (DPO) where they are public authorities, where their core activities require regular and systematic monitoring of data subjects on a large scale, or where their core activities consist of large-scale processing of special categories of data or data relating to criminal convictions; company size as such is not the test. The DPO can report at board level, to assure company-wide oversight, or sit within management, but must in either case report directly to the highest level of management and must not receive instructions on how to perform the role (Article 38). In the European Union the DPO role has traditionally been filled by a lawyer. The broad impact of the GDPR on technology and business processes, however, will effectively require DPOs to show expertise in these areas too, along with project and programme management skills, including risk assessment and compliance monitoring. Senior executives with this type of résumé are in short supply in Europe, portending a privacy talent grab over the next two years.
6. Vendor management.
The GDPR makes the controller responsible for processing activities even when they are contracted out to third-party processors. Article 28 sets out specific rules for allocating responsibility between controller and processor, including mandatory terms for the processing contract: processing only on documented instructions, confidentiality commitments, appropriate security measures, prior approval of sub-processors, assistance with data subject rights and breach notification, deletion or return of the data at the end of the service, and audit rights for the controller. These more detailed contract requirements should compel many companies to reassess their vendor agreements to achieve compliance. Processors not only have additional direct duties under the GDPR; they also face enhanced liability for non-compliance or for acting outside the authority granted by the controller. Nonetheless, the primary burden for personal data protection under the GDPR still rests with the controller.
7. Data portability.
One of the responses of the GDPR to the so-called "Big Data" trend is the creation of a new right to data portability that aims to increase user choice of online services. Where controllers process personal data by "automated means" on the basis of consent or a contract, Article 20 grants data subjects the right to receive the personal data concerning them that they have provided to the controller. Controllers must provide the data in a structured, commonly used and "machine-readable" format, and data subjects have the right to transmit that data to any other controller. Where technically feasible, the controller may even be required to transmit the data directly to a competitor.
8. Profiling.
A hotly contested provision of the GDPR, the "profiling" restrictions ultimately adopted were narrower than initially proposed. Under Article 4(4), data processing may be characterised as "profiling" when it involves (a) automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person. Specific examples include analysing or predicting "aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements." This definition implicitly excludes data processing that is not "automated." Further elaboration may be found in the Recitals, where the GDPR establishes its jurisdiction over non-EU companies provided they are "monitoring the behaviour of [EU] data subjects as far as their behaviour takes place within the European Union." Processing activity involves data subject "monitoring" when "individuals are tracked on the Internet including potential subsequent use of data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes." This wording suggests that profiling is not equivalent to tracking, but is something more, involving the intention to take decisions regarding a data subject or to predict the subject's behaviours and preferences.
9. Cross-border data transfers.
The GDPR introduces some new legal grounds for cross-border data transfers, as well as significant changes to the recognition of "adequate" countries, according to a report from the London office of law firm Loyens & Loeff. Transfers of personal data to countries outside the EEA may take place if those countries are deemed to ensure an "adequate" level of data protection. A third country's level of protection is assessed by the European Commission through 'adequacy decisions,' which are binding in their entirety on all Member States. Once the "adequacy" of a third country has been recognised, personal data can be transferred to it without further protective measures. In the absence of an adequacy decision, personal data may in principle only be transferred to a third country if the controller or processor exporting the data has itself provided "appropriate safeguards" (Article 46), such as standard contractual clauses approved by the Commission or binding corporate rules, and on the condition that enforceable data subject rights and effective legal remedies are available in that country.
10. Codes of conduct.
Confirming each data controller's or processor's compliance with the GDPR's many protections for data subjects would exceed the capacity of any regulator. The GDPR (Articles 40 to 43) therefore endorses the use of codes of conduct and certifications to provide guidance on the Regulation's requirements, to signal to data subjects and regulators that an organisation is in compliance, and to offer third-party oversight as another check on data handling practices. When trade associations or other bodies prepare codes of conduct, or amend existing ones, so that members can demonstrate GDPR compliance, the draft code must be submitted to the competent supervisory authority, which determines whether it provides "sufficient appropriate safeguards." When the draft code relates to processing activities in several Member States, the supervisory authority must, before approval, submit it to the European Data Protection Board for an opinion on the code's compliance with the Regulation. The European Commission may then, by implementing act, decide that the approved code has general validity within the Union.