Why the EU General Data Protection Regulation (GDPR)?
The EU GDPR is designed to enhance data protection for EU residents and provide a consolidated framework to guide business usage of personal data across the EU.
It replaces the patchwork of existing regulations and frameworks including the 20 year old Directive (95/46/EC).
EU GDPR enforcement begins in 2018, and the regulation has already received much attention because of its complexity and the penalties for noncompliance.
Fines can be up to 20,000,000 EUR or 4% of the total worldwide annual turnover of the preceding year (whichever is higher).
As a result, many organizations are making significant changes to their privacy programs. To help with these changes, the Article 29 Working Party (WP29) has issued guidance on several requirements, summarized below.
4 Keys to Preparing for GDPR Enforcement
Right to Data Portability
Article 20 provides data subjects with the right to data portability.
The WP29 opinion on this Article helps data controllers understand what their obligations are and provides best practices and tools to help meet compliance obligations for this requirement.
Identifying Lead Supervisory Authority
For organizations conducting cross-border data processing, this guidance provides examples, concepts for identifying the lead supervisory authority, and questions to guide your search.
Data Protection Officer
WP29 helped clarify some terms used in Article 37(1), which lists the situations where a DPO would be required:
a) where the processing is carried out by a public authority or body. WP29 notes that “such a notion is to be determined under national law.”
b) where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale
WP29 clarified that “core activities” means “key operations necessary to achieve the controller’s or processor’s goals” or in other words “an inextricable part of the controller’s or processor’s activity.”
c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses.
While clarification on what “large scale” means is summarized below, WP29 also gave guidance on the meaning of “Regular and Systematic Monitoring” as well as the expertise and skills that a DPO should possess.
These factors should be considered when determining whether the “large scale” threshold is met:
- The number of data subjects concerned – either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity
Data Protection Impact Assessments (DPIAs)
This guidance goes through when DPIAs should be conducted, beyond the official text: “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1), illustrated by Article 35(3) and complemented by Article 35(4)).
WP29 provides these example categories:
- Evaluation or scoring
- Automated decision-making with legal or similarly significant effect
- Systematic monitoring
- Sensitive data
- Data processed on a large scale
- Data sets that have been matched or combined
- Data concerning vulnerable data subjects
- Innovative use or application of technological or organizational solutions
- Data transfer across borders outside the European Union
- When the processing in itself “prevents data subjects from exercising a right or using a service or a contract” (Article 22 and recital 91)
It is suggested that a processing operation meeting fewer than two criteria may not require a DPIA because of the lower level of risk, while processing operations that meet at least two of these criteria will require a DPIA.
But organizations must still use their judgement because two is only a suggested rule of thumb.
The guidance also goes through what should be included in a DPIA, and when an organization should consult a supervisory authority.
To help organizations deal with the new concept introduced by DPIAs, namely benefits being balanced against risk, TrustArc is working with the Information Accountability Foundation (IAF) to develop a DPIA construct.
It will also be automated so that organizations can scale their DPIA process, and create the documentation needed for support in case the organization must go to a regulator.
TrustArc has comprehensive solutions to help organizations comply with the GDPR. Solutions are backed by decades of expertise and automation to help you implement a privacy program while reducing business cost.