Impact on internal processes
The current EU Data Protection Directive (95/46/EC) regime requires a fair amount of internal documentation, administration and process, but the Regulation will materially increase that administrative burden. Some administration will disappear in that the obligation currently imposed on data controllers to notify their data processing activities and, in some cases, international transfers to the relevant data protection authority will no longer apply under the Regulation. Instead, organisations are required to implement internal processes which are designed to mitigate the risks associated with data processing activities, and to document those processes in a specific manner. In practice this means that organisations will need to change their internal processes, by creating, and maintaining on an ongoing basis, associated “paper trails” in order to comply with the Regulation.
Under the current EU Data Protection Directive, organisations that are data controllers are, unless particular circumstances apply, required to provide a notification in which they summarise their data processing activities to each local data protection authority where the local laws apply to them. The process of submitting a notification is fairly routine, with organisations generally being required to answer standard questionnaires and complete standard forms. Organisations are also required to keep their notifications up to date and, in certain EU Member States, also to pay a recurring registration fee to the relevant data protection authorities in the EU.
Beyond that notification requirement, in our experience local EU laws do not, unless particular circumstances apply, mandate the processes which organisations must put in place to comply with local laws; rather, they impose sanctions on organisations which, for whatever reason, fail to achieve compliance with the broad data protection requirements set out in the current law. For instance, while the concept of “privacy impact assessments” is not entirely new and is often recommended by data protection authorities as best practice, their use is not mandatory.
Changes in detail
The Regulation dispenses with the requirement to make a notification of data processing activities to national data protection authorities but introduces the following new key concepts and requirements that organisations will need to ensure are reflected in their internal processes:
(A) Requirement for transparent information and communications: Under Article 12, data controllers must provide “in an intelligible and easily accessible form, using clear and plain language”:
- the information under Articles 14 and 14a (broadly, this is information required to be given to individuals in data processing notices)
- the communications under Articles 15 to 20 (these Articles relate to data subjects’ rights), and
- breach notifications to data subjects.
(B) Joint Controllers: Under Article 24 joint data controllers (ie organisations jointly determining the purposes and means of the processing of personal data) must publish, in a transparent manner, a description of their respective responsibilities under the Regulation. However, notwithstanding any allocation of responsibilities between the joint data controllers, data subjects can exercise their rights against each of them.
(C) Requirement to adopt policies and demonstrable measures in relation to compliance with the Regulation: Under Article 22, data controllers must adopt “appropriate” measures (which must include, “where proportionate in relation to the processing activities”, the implementation of appropriate data protection policies) to demonstrate that the processing of personal data is performed in accordance with the Regulation. One means of demonstrating compliance will be to adhere to codes of conduct approved under Article 38 or to meet a certification mechanism approved under Article 39.
(D) Requirement to maintain certain records: Under Article 28, each data controller and data processor with 250 employees or more, or which carries out “high risk” processing, must maintain records setting out certain information, including details of the data controller, the data protection officer, the purpose of the processing, the categories of data subject and of personal data relating to them, the categories of recipients to whom personal data are disclosed, the categories of transfers of personal data to third countries or international organisations, (where possible) the envisaged time limits for erasure of the different categories of personal data and (where possible) a general description of the technical and organisational security measures adopted.
This requirement essentially amounts to a form of process operations manual describing data processing activities. It can probably only be created following a detailed audit of processing activities.
(E) Requirement to carry out impact assessments: Under Article 33, each data controller must, where a type of processing is likely to result in “high risk”, carry out an assessment of the potential impact of the intended processing on the rights and freedoms of data subjects. Article 33(2) lists a wide range of examples of processing types where an impact assessment is required, which include the following:
- a “systematic and extensive” evaluation of “personal aspects” relating to individuals which is based upon profiling and on which decisions are based that “produce legal effects concerning data subjects or severely affect data subjects”
- processing of sensitive personal data or data on criminal convictions and offences on a large scale, and
- processing which involves systematic monitoring of publicly accessible areas on a large scale.
Each supervisory authority is required to establish and publicise a list of the types of processing operations which are subject to the requirement for an impact assessment.
The impact assessment must be documented and include “at least a general description” of the envisaged processing operations, the evaluation of the risks, the measures to address the risk including safeguards, security measures and mechanisms to ensure the protection of personal data and demonstrate compliance with the Regulation.
On a related point, under Article 34, data controllers are required to consult the supervisory authority where an impact assessment under Article 33 indicates that the processing would result in a “high risk” and where no measures are taken by the controller to mitigate the risk. Clearly the onus is therefore on the controller to take steps to mitigate the risk of any high risk processing.
In addition to the requirements above, organisations may, depending on the processing that they carry out, be required to consider the provisions of Chapter IX of the Regulation, relating to specific processing situations, such as the processing of personal data in the employment context. These specific requirements may impose more administrative requirements on top of the general requirements.
It is clear that, following the implementation of the Regulation, the day to day administrative burden on organisations will increase significantly. In some areas, we anticipate that most organisations will already have adequate (or close to adequate) measures in place, for instance as regards the policies which they make available to data subjects and in relation to data retention time periods. However, the level of detail included in the various requirements means that in order to achieve compliance, data protection will need to well and truly form part of the organisation’s DNA, such that:
- Legal teams or other data protection professionals will need to be consulted more commonly and widely and before any decisions are made which have a data protection impact.
- Larger companies will need more dedicated data protection compliance resource.
- Specific documents need to be created and maintained (also as processing operations change) to demonstrate, at a granular level, what data processing activities are taking place and how compliance will be achieved. It is worth noting in particular that the requirement to carry out an impact assessment under Article 33 (as summarised above) will apply to a wide range of processing situations, rather than exceptional situations which we anticipate would currently trigger additional data protection compliance steps.
- In advance of implementation of the Regulation there will be a major exercise for companies of putting in place the required documentation and bringing their compliance processes up to the “gold standard” required by the Regulation. This will likely require some form of audit of current data processing activities and an assessment of compliance gaps.
- On an ongoing basis companies will have to both operate a schedule of review of impact assessments and maintain the currency of their documentation to reflect changes in data processing. This may well require some degree of recurring audits.
The significant shift from a focus on outcomes-based regulation to a focus on how compliance is achieved and a more inputs-based model will inevitably create an increased administrative burden on organisations. For larger companies, if dedicated personnel are not already in place to be consulted on data protection matters and to document data protection compliance measures, organisations will need to think carefully about hiring them. Organisations will also need to ensure that consideration of data protection issues is factored into decision-making processes as a matter of course. In other words, organisations will need to ensure that data protection becomes part of their DNA, rather than an ad hoc consideration.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.