KEEPING UP WITH GDPR REQUIREMENTS

03 August 2018


The EU General Data Protection Regulation (the “Regulation”) came into effect on 25 May 2018, replacing the Data Protection Act 1998. The GDPR requirements largely repeat the security principles set out in the DPA, although with a much tougher regime and more severe sanctions for breach.

This change has brought about business challenges for which there is little, if any, legislative or regulatory clarity at present.

1. How does controller and processor liability work in practice?

The GDPR introduced direct, statutory liability for data processors, not just controllers.

Potential fines for data protection breaches can run up to 4% of annual worldwide turnover. 

How does this liability regime work in practice?

  • Who is liable in the event of a data protection breach?
  • If the processor is at fault, can data protection authorities pursue the controller for the processor’s breach? Or will they pursue the ‘guilty’ party only?
  • What if both parties are partially at fault? Will data protection authorities go after one, the other, or both parties?

This is unclear and is causing problems in commercial deal negotiations. Controllers are asking their processors for unlimited liability, which processors are refusing.

Meanwhile, processors are asking their controllers for mutual liability in case the controller’s breach causes liability for the processor, which controllers are refusing.

Guidance on how data protection authorities will exercise their enhanced enforcement powers against controllers and processors is sorely needed even two months on.


2. What is the future of data exports?  

The validity of the Standard Contractual Clauses, and of the EU-US Privacy Shield, is the subject of current court proceedings in the EU.

If either or both fail, it will lead to further data export chaos. Data will continue to move back and forth in exactly the same way it does today, but without the legal protections in place that currently exist. 

Difficulties have become apparent where a non-EU importer seeks to lawfully transfer the data it receives onwards to a third-party recipient. While the controller-to-processor model clauses intend that sub-processors become party to the model clauses with the original data exporter, the reality is that having large cloud infrastructure providers sign model clauses with every customer of every business is completely impractical.

As for the Privacy Shield’s Onward Transfer principle, if the onward recipient refuses to sign the Privacy Shield onward transfer terms but will sign model clauses with the data exporter as counter-signatory, this also leads to problems. The data exporter is in fact a data importer and so is not technically eligible to sign the model clauses. Further, the Privacy Shield makes no mention of being able to rely on model clauses for onward transfers made under the Shield.

It is clear that an effective onward transfer toolkit that works in practice is desperately required.

3. Profiling

Not all profiling requires consent.

Certain profiling, such as an automated decision that “legally affects” or “significantly affects” a data subject (e.g. automated hiring decisions based on an algorithmic review of a candidate’s CV), will generally need consent under Art 22 of the GDPR.

However, other types of profiling which do not legally or significantly affect a data subject (e.g. determining which loyalty offers to send a customer based on their purchasing habits) do not.

However, until regulatory guidance distinguishes between these two types of profiling, questions will remain.  


4. What is required in the audit?

The GDPR and the model clauses require that processors “allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.” 

The reality is that a cloud provider will not allow customers to conduct onsite audits, because it has thousands of customers and would suffer significant business disruption if those customers exercised their audit rights at the same time (e.g. following a security incident). Further, allowing an onsite audit presents a security risk to other customers’ data. In any event, the cloud provider should hold industry-standard third-party audit certifications such as ISO 27001, SSAE 16/18, PCI-DSS, etc., conducted by independent auditors.

5. GDPR requirements

The GDPR contains 99 articles that define its requirements and rights granted to EU citizens, GDPR operations and structure, and penalties. The articles that have the most significant impact on business are:

  • Article 5, processing and storing personal data: All personal data must be processed lawfully and transparently, and only for the purpose specified to the individual. That data may be stored “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” All personal data must be processed securely to protect against unlawful access, loss or damage “using appropriate technical or organisational measures.” Those measures are not defined, but presumably if the data is lost or stolen, a company could be considered not in compliance. 
  • Articles 6, 7 and 8, consent: All processing of personal data must be done lawfully, by which is meant that each individual must give consent to use their personal data. The data collected must also be necessary to complete a task or transaction initiated by the individual, with the exception of public authorities.
  • Article 15, right to access:  EU citizens have the right to know upon request what personal data a company is using and how it is being used.
  • Article 17, right to be forgotten and to data erasure: EU citizens can expect companies to stop processing and to delete their personal data upon request.
  • Article 20, right to data portability: EU citizens may transfer their personal data from company to company upon request.
  • Articles 25 and 32, data protection: Companies must be able to provide a “reasonable” level of data protection and privacy to EU citizens. It is not clear what the GDPR governing body will consider reasonable.
  • Articles 33 and 34, reporting data breaches: Companies must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected.
  • Article 35, impact assessments: Companies must conduct data protection impact assessments to identify risks to EU citizens. Those assessments also must describe how the company is addressing those risks.
  • Articles 37, 38 and 39, data protection officers: Some companies must appoint a data protection officer (DPO) to oversee data security strategy and GDPR compliance. Companies required to have a DPO are those that process or store large amounts of EU citizen data, process or store special categories of personal data, regularly monitor data subjects, or are a public authority.
  • Article 50, international companies: International companies that collect or process EU citizen data must comply with the GDPR.  
  • Article 83, penalties: Companies may be fined up to €20 million or 4% of global annual turnover, whichever is higher.


How can we help you?

To find out how our friendly and knowledgeable solicitors can help you, contact us today.

Make a free enquiry - Call now - 0151 659 1070