As of 25 May 2018, the General Data Protection Regulation (GDPR) will be applicable to all companies which process personal data. Companies only have a few months left to prepare for this new piece of legislation. Several authorities, including the Article 29 Working Party (WP 29) and the Belgian Privacy Commission, have issued useful guidance. Here is an overview of the guidance issued by these two bodies.
Transparency
The principle of transparency is a fundamental principle of data protection in the current legislation, and its importance is only further highlighted in the GDPR (Article 5(1)(a) and Article 12 ff. GDPR). Transparency refers to the information that companies must give to individuals about what happens to their personal data, but also how such information is communicated and how persons can exercise their rights with regard to their personal data.
Find out more in the (draft) guidance of WP 29: Guidelines on transparency under Regulation 2016/679
Consent
Consent is one of the six legal grounds which allow a company to process personal data. Consent is only valid if it has been freely given, is specific, informed and constitutes an unambiguous indication of the data subject's wishes (Article 4(11), Article 6(1)(a) and Article 7 GDPR). This means, for example, that consent cannot be derived from inactivity or silence of a data subject (e.g. the use of pre-ticked opt-in boxes does not constitute valid consent under the GDPR).
Find out more in the (draft) guidance of WP 29: Guidelines on consent under Regulation 2016/679
Right to data portability
Article 20 GDPR creates a new right of data portability. It allows data subjects to receive a copy of their personal data in a structured, commonly used and machine-readable format and to transmit these data to another data controller.
Find out more in the guidance of WP 29: Guidelines on the right to data portability
Automated individual decision-making and profiling
The GDPR introduces new and more detailed rules on profiling and automated decision-making (Article 22 GDPR). Profiling is a form of automated processing of personal data used to analyse or predict matters relating to an individual, e.g. analysing an individual's interests, performance at work, financial status, health, etc. In the case of automated decision-making, decisions are made on the basis of the processing of personal data without human intervention, e.g. in online credit applications.
Find out more in the (draft) guidance of WP 29: Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679
Record of processing activities
Article 30 GDPR stipulates that each controller and processor must maintain a record of processing activities. This record is a document that contains essential information on any processing activity within the company.
Find out more in the guidance of the Belgian Privacy Commission: Recommendation on the records of processing activities (Article 30 of the GDPR) (in French)
Data breach notification
The GDPR introduces the obligation for controllers to notify personal data breaches, e.g. in case of data leaks or when the security of personal data is no longer guaranteed. Unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, this notification must be made to the competent national supervisory authority without undue delay and, where feasible, within 72 hours after the controller has become aware of the breach. Where the breach is likely to result in a high risk for the individuals affected, they must also be informed (Articles 33–34 GDPR).
Find out more in the (draft) guidance of WP 29: Guidelines on Personal data breach notification
Data Protection Impact Assessment
Under the GDPR, controllers will have to perform Data Protection Impact Assessments (DPIAs) before embarking on new processing activities that are likely to result in a high risk for individuals (Article 35 GDPR). These assessments are an important accountability tool, because they help demonstrate that a company has taken appropriate measures to ensure compliance with the GDPR.
Find out more:
- in the guidance of WP 29: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679 and
- in the (draft) guidance of the Belgian Privacy Commission: Recommendation on Data Protection Impact Assessment and prior consultation (in French)
Data Protection Officers
The appointment of a Data Protection Officer (DPO) becomes mandatory if a company carries out specific processing activities (such as regular and systematic monitoring of data subjects on a large scale or large-scale processing of sensitive data) and is recommended for any company processing personal data. The Data Protection Officer plays a key role in any data governance system (Articles 37–39 GDPR).
Find out more:
- in the guidance of WP 29: Guidelines on Data Protection Officers ("DPOs") and
- in the guidance of the Belgian Privacy Commission: Recommendation on the designation of a Data Protection Officer pursuant to the GDPR and in particular the admissibility of combining this function with other functions, including that of information security consultant (in French)
Binding Corporate Rules
Personal data cannot be freely transferred outside the European Economic Area (Article 44 ff. GDPR). Additional safeguards are required, for example concluding a European Commission model contract (standard contractual clauses) between the data exporter and the data importer. Establishing binding corporate rules, which create an internal code of conduct on data protection within a group of companies, is another way of legitimising data transfers outside the EEA. In the past, the WP 29 issued various working documents on this subject, which it recently updated.
Find out more in the updated working documents of WP 29 on Binding Corporate Rules
Lead supervisory authorities
The GDPR enhances cross-border cooperation between data protection authorities by introducing a one-stop-shop mechanism with a lead supervisory authority and concerned supervisory authorities. Companies carrying out processing activities in several Member States have to determine their lead supervisory authority based on the country of their main establishment (Articles 56 and 60 GDPR).
Find out more in the guidance of WP 29: Guidelines for identifying a controller or processor's lead supervisory authority
Administrative fines
The administrative fines for infringements are without a doubt one of the new elements of the GDPR which are feared most by companies. The fines can be up to EUR 20,000,000 or 4% of an undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83 GDPR). In recent guidelines, the WP 29 addressed how supervisory authorities should identify the most appropriate corrective measures in case of an infringement, in order to create a common approach among all European supervisory authorities.
Find out more in the guidance of WP 29: Guidelines on the application and setting of administrative fines
Data processing at work
Processing of personal data at work is a major challenge for every company. WP 29 has issued several opinions on this subject in the past and has recently updated its guidance on data processing at work in the light of the GDPR.
Find out more in the opinion of WP 29: Opinion on data processing at work
Further guidance expected
In the coming months, additional guidance from WP 29 is expected. In a recent press release, WP 29 announced the adoption of more guidelines between now and February 2018 on the topics of consent, transparency, data transfer and certification.