With the GDPR set to become effective mid-2018, companies would be wise to assess sooner rather than later how the GDPR will affect their business models and data processing practices and start formulating a Game Plan to address the transitional steps they would need to take locally, regionally and globally to become GDPR compliant.
As you might be aware, the Baker & McKenzie GDPR Game Plan Series assists companies with this process by identifying and analysing 13 GDPR elements (the so-called “Game Changers”) that companies might want to address as a priority in order to become GDPR compliant.
In this LegalBytes edition, we will provide the second set of our practical analyses of the key Game Changers. We will cover Enforcement & Sanctions, Data Processor Obligations and Data Subjects’ Rights.
If you missed Part 1 of our Game Plan series, in which we covered DPOs, Data Breach Incident Management, Cross-border Data Transfers, Consent and Data Mapping, you can access it here. We will address the remaining Game Changers in Part 3 of this series due in April.
1. Data Subjects’ Rights under the GDPR
The GDPR dedicates a whole chapter to data subjects’ rights which controllers are required to honour. The intention is to strengthen and expand data subjects’ rights compared to rights granted to them under the Data Protection Directive (95/46/EC) (“Directive”). Infringements of the provisions relating to data subjects’ rights are subject to the maximum level of fines under the GDPR. Controllers would therefore be prudent to prioritise compliance with these obligations.
(a) The GDPR expands data subjects’ rights existing under the Directive such as the right to access, right to rectification and right to object.
(b) The GDPR introduces important new rights for data subjects, namely the right to erasure, the right to data portability, the right to restrict processing and certain rights in relation to profiling.
(c) Under the GDPR, controllers will be required to provide significantly more information about their processing activities to data subjects. Complying with the new information requirements will require controllers to update their privacy policies and to translate these requirements into internal policies and procedures in order to be prepared to comply with the new obligations, particularly in light of the high level of sanctions that applies to these provisions.
Please click here for our detailed analysis of data subjects’ rights and related controller obligations under the GDPR and your Data Subjects’ Rights Game Plan.
2. Enforcement and Sanctions under the GDPR
The new enforcement and sanction powers granted to supervisory authorities (“SAs”) under the GDPR, including the new significant fines that may be imposed for GDPR violations, are likely the GDPR Game Changer most feared by organisations. The new enforcement and sanctions regime will – no doubt – focus management attention and push data protection compliance further up on the risk agenda for many organisations.
(a) Unlike the Directive, the GDPR describes in great detail the measures and procedures for enforcement, leaving very little discretion to Member States to make up their own rules.
(b) SAs across all Member States will have the same powers, including investigative powers, corrective powers and sanctions, as well as powers to bring infringements of the GDPR to the attention of judicial authorities and/or engage in legal proceedings to enforce the provisions of the GDPR.
(c) The imposition of fines is likely to become the norm as the GDPR states as a general rule (subject to very limited exceptions) that penalties and administrative fines should be imposed for any infringement of the GDPR in addition to, or instead of, appropriate measures imposed by the SA.
(d) The GDPR sets the upper limit and criteria for determining fines, which are then finally determined by the competent SA in each individual case having regard to a variety of factors and circumstances listed in the GDPR.
(e) The maximum applicable fines are:
- in case of major infringements (such as failure to comply with cross-border transfer rules or obtain adequate consents) EUR 20,000,000, or in case of an undertaking, up to 4% of the worldwide annual turnover of the preceding financial year (whichever is higher); and
- in case of other infringements (such as failure to appoint a DPO as mandated or comply with the requirements for appointing a processor) EUR 10,000,000, or in case of an undertaking, up to 2% of the worldwide annual turnover of the preceding financial year (whichever is higher).
(f) In case of an undertaking, the worldwide annual turnover relevant for determining the amount of the fine may be the turnover of a parent company if that is held liable for the infringement (even if the parent did not actively participate in the infringement).
(g) Member States may provide that certain non-profit bodies, organisations or associations may (i) exercise certain data subjects’ rights on their behalf (such as the right to lodge complaints with SAs or seek judicial review in case of alleged GDPR infringements), and/or (ii) lodge a complaint or take legal action against supervisory authorities or controllers/processors independently of a data subject’s mandate if they consider that data subjects’ rights have been infringed as a result of non-compliant processing. These rights are likely to add an additional dimension to data protection enforcement if taken up by a number of Member States.
(h) In view of the significant fines, organisations of all sizes would be wise to get their privacy house in order, focusing:
- as a first step on high-risk areas such as cross-border data transfers, consents and data subjects’ rights; and
- as a second step on other areas such as implementing appropriate security measures and a data breach incident management plan.
Please click here for our detailed analysis of the new enforcement and sanctions regime under the GDPR and your Enforcement & Sanctions Game Plan.
3. Data Processor Obligations under the GDPR
A major Game Changer under the GDPR will be the new compliance obligations directly imposed on data processors. Given the new liability regime as well as stringent requirements for processing agreements, these changes will have a notable operational impact on many businesses. Controllers and processors alike will need to understand and address the new requirements.
(a) The definitions of “data controller” and “data processor” remain unchanged.
(b) The GDPR will impose privacy compliance obligations directly on data processors and hold them directly liable for non-compliance with those obligations.
(c) For instance, data processors will be required by law to:
- implement appropriate technical and organisational measures to ensure a certain level of data security;
- keep detailed records of their processing activities;
- appoint a data protection officer (“DPO”) in certain instances and a representative located within the EU if the processor is located outside of the EU;
- comply with the same cross-border transfer requirements as data controllers; and
- notify data controllers of data breaches.
(d) In the event of non-compliance with their obligations under the GDPR, processors may be subject to direct enforcement action by SAs.
(e) The GDPR will not only apply to processors established within the EU or to data processing activities taking place in the EU. The new processor obligations will equally apply to processors not established in the EU to the extent the relevant processing activities relate to the offering of goods or services to individuals residing in the EU or to the monitoring of their behaviour.
(f) Controllers and processors will be required to enter into detailed processing agreements, the terms of which are prescribed in detail in the GDPR. Most existing processor agreements are unlikely to satisfy the new requirements and will require revision.
(g) Sub-processors may only be engaged with the prior consent of the controller and must be subject to the same contractual obligations as the initial processor.
(h) If a processor acts outside the scope of its authority granted by the controller, in respect of the relevant processing it will be regarded as a controller and be subject to the same obligations as controllers under the GDPR.
Please click here for our detailed analysis of the data processor obligations under the GDPR and your Data Processor Game Plan.