The GDPR will apply as of May 25, 2018. It provides a single set of very innovative rules directly applicable in the entire European Union (EU), without the need for national implementing measures—which means that any personal data processing ongoing at this date shall be in compliance with the GDPR. This leaves one year for companies to ensure compliance with the GDPR.
The GDPR provides for a scope of application wider than processing undertaken in EU countries. Indeed, it will also apply to data controllers or subcontractors not established within the EU which are in charge of data processing with the aim to provide goods and services to EU residents or to monitor EU residents’ behavior.
A business can take several steps in order to organize compliance with provisions of the GDPR:
- Changes in internal processes to comply with the rule of Accountability: Appointing a Data Protection Officer or DPO now gives a company time to assess compliance issues as soon as possible before GDPR implementation, even outside the three mandatory legal circumstances imposed by the GDPR. A DPO is a dedicated person who manages personal data protection within your business, is in charge of information and counsel, and organizes personal data activity. The DPO shall map data processing within the business and build a register which identifies all ongoing data processing. On the basis of this register, a list of necessary actions may be drafted and prioritized in the light of risks to data subjects’ rights. In practical terms, the principle of accountability means that businesses shall document and trace their compliance with data protection rules and keep this documentation available in the event of an inspection by state authorities.
- Promoting a risk-based approach: After following these steps, if any processing is identified as carrying a high risk to data subjects’ rights, the business shall conduct a Privacy Impact Assessment (PIA). In addition, internal processes shall be developed in order to respond to events likely to trigger the controller’s liability, such as a security breach, requests to access or rectify data, an update of processed data, a change of subcontractor, etc. Data protection safeguards shall be built into products and services from the earliest stage of development (Privacy by Design), with techniques such as pseudonymisation and encryption.
- Data transfers: Data transfers outside the EU are subject to EU law for any subsequent processing and transfer. Standard Contractual Clauses, Binding Corporate Rules and the Privacy Shield scheme may still be used for transfers outside the EU.
- Controllers and subcontractors agreements to be updated: Data controllers and subcontractors agreements will have to be redrafted to incorporate the new mandatory elements set out by the GDPR. Subcontractors will be liable for a major part of the obligations previously laid upon data controllers.
- A single data protection authority: In order to simplify procedures, businesses will deal with one single supervisory authority in the EU country in which they are mainly based. The lead authority will work with other national data protection authorities.
- Negative impacts in case of a legal breach: Whereas the former applicable EU legislation (Directive 95/46/EC) left to the Member States the task to define and apply sanctions, the GDPR provides that administrative fines may be imposed on data controllers and subcontractors. The amount of those fines can go up to 20 million Euros for an individual, and may amount to 4 percent of annual global turnover for a company.
In the event of a serious data breach, companies will have to inform the relevant data protection supervisory authority, as well as the data subjects concerned.