21 August 2020
Since entering into force in May 2018, the EU General Data Protection Regulation (GDPR) applies to all entities in the European Economic Area (EEA) and - due to the extended territorial scope - to a large extent also to entities outside of the EEA. The GDPR has led to a significant rise in data protection compliance duties. In case of violations, companies may face fines of up to 4% of the global annual turnover of the whole company group. Supervisory authorities do not seem to be afraid to push those limits. In 2019, European supervisory authorities have announced and issued recordbreaking fines of £183 million (UK) and €50 million (France). Even data protection noncompliance in smaller and less important offices of a company group may now lead to significant ramifications. As the preparation for the GDPR requires reorganisation of various internal procedures, it is highly recommendable to follow a structured path when initiating a GDPR compliance project.
If you have already implemented compliance measures, please be aware of the duty to regularly audit and potentially update your internal processes. Please see our guidance on conducting GDPR audits in this regard.
Step 1 Gap analysis
Step 2 Risk analysis
Step 3 Project steering and resource/ budget planning
Step 4 Implementation of a compliant data protection structure
Step 5 Local Add-on Requirements
Step 6 Coping with the Brexit
The GDPR includes a number of strict data protection requirements, such as
Please see the annex for more details regarding the major requirements deriving from the GDPR. In order to cope with these obligations, the company must implement an efficient data protection organisation:
The GDPR stipulates a number of requirements that are difficult to handle unless a thorough data protection management system is implemented. Such system should work group-wide, as even data protection issues in smaller company offices may lead to high fines for the company group as a whole.
Defined roles and responsibilities in the involved Company entities
Company should set up a structure of persons responsible for data protection in all of its EU offices as well as a responsible head officer at the Headquarters. Respective structure should allow for (i) easily giving data protection related orders and/or advice to the involved offices (“top-down approach”) as well as (ii) communication of data protection related issues to the head officer (“bottom-up” communication).
Procedures and concepts
Many of the GDPR obligations can only be effectively implemented if respective concepts, policies and standard operating procedures (cumulatively “SOPs”) are in place, e.g. regarding data subjects’ rights, data breach notification obligations, Data Protection Impact Assessments etc. Thus, respective SOPs should be prepared to ensure GDPR compliance.
Training
Employees should be trained on their obligations and responsibilities deriving from the GDPR. The company should adapt the training to the employee’s tasks. In this respect, it makes sense to map the training requirements in a training concept. This concept should also reflect the cycle of training (regular training, training in the event of legal changes (e.g. due to new regulations, deviating case law, current guidelines of the supervisory authorities))
Documentation of Compliance
The company must implement appropriate measures to demonstrate compliance with GDPR requirements. Failure to prove continuous compliance upon request of supervisory authorities will likely result in fines. Internal data protection procedures should be reviewed and updated frequently. For this purpose, the company should carry out regular internal GDPR audits.
Due to the high number of agreements that the company must conclude with internal and external parties, companies should implement a sensible data processing contract management strategy:
In addition to the EU-wide GDPR requirements, it must be assessed whether additional national requirements apply.
At a very high level, these are the most important GDPR requirements:
Accountability, Art. 5 Sec. 2
Companies must be able to prove full compliance with their obligations under the GDPR. In order to document the lawfulness of their processing activities, companies must have appropriate measures and records in place. These must be constantly updated.
Records of Data Processing Activities, Art. 30
Records of processing activities under the company’s responsibility must be maintained in most cases. These records shall generally contain the following information:
Data Protection Impact Assessment (DPIA), Art. 35, 36
Where a data processing activity is likely to result in a high risk to the rights and freedoms of natural persons, the company shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations. Companies should consider the regulators’ guidelines listing scenarios that always require DPIAs. If such assessment indicates a high risk that the company cannot mitigate, the supervisory authority shall be consulted.
Data Processors, Art. 28
Companies may use internal or external service providers to process personal data. These data processors will process personal data on behalf and under the instructions of the company. Both parties are subject to their own data protection obligations under the GDPR. As an additional compliance requirement, the parties must conclude a Data Processing Agreement that specifies their obligations and allocates responsibilities for the contracted processing activity.
Data Protection Officer, Art. 37-39
An independent, reliable and knowledgeable data protection officer must be appointed in case the company’s core activities consist of
Implementation of Technical and Organisational Security Measures, Art. 32
Appropriate and reasonable state of the art technical and organisational measures (TOMs) must be implemented in order to protect the personal data.
Data Breach Notifications, Art. 33, 34
In case of personal data breaches with risks to rights and freedoms of the data subjects, the supervisory authority shall generally be informed within 72 hours after the company became aware of the breach. In case of high risks for the data subjects, they generally also must be informed about the breach. Compliance with the notification obligation in the envisioned time period requires a proper internal data breach procedure.
Privacy by Design and by Default, Art. 25
Each company’s processing activities shall
Representative in the EU, Art. 27
Companies without establishment in the EU must appoint an EU representative for dealings with authorities etc. Upside of having a representative: this will establish a “one-stop-shop” for third country companies when it comes to notifying data breaches to the regulator.
The rights of the data subjects have been strengthened. In particular, data subjects have the following rights:
Information rights, Art. 12-14
Transparent and broad information about processing must be provided to data subjects.
Access, deletion, rectification, restriction rights, Art. 16-19
Data subjects generally have broad access rights with respect to their data; in some cases, they will also have the right to have their data deleted, rectified or the data processing activities restricted.
Right to Object, Art. 21-22
In some cases, data subjects have the right to object to the processing of their data on grounds relating to their particular situation. 3.4 Data Portability, Art. 20 In limited cases, data subjects may even have the right to request to receive the personal data concerning them in a structured, commonly used and machinereadable format and have the right to transmit those data to another company.
Data Portability, Art. 20
In limited cases, data subjects may even have the right to request to receive the personal data concerning them in a structured, commonly used and machinereadable format and have the right to transmit those data to another company.
Please click here to download the article as pdf file.
by multiple authors
by Wiebke Reuter, LL.M. (London) and Dr. Paul Voigt, Lic. en Derecho, CIPP/E