BHL Bogen

BHL Bogen
BridgehouseLaw LLP - Your Business Law Firm

Thursday, May 31, 2018

I’m a Business and GDPR Applies to Me—Now What?


The General Data Protection Regulation (GDPR) is here! Now, compliance and, thus, the avoidance of hefty penalties should be a concern for any business processing personal data of European Union citizens. Naturally, the first and most important question is: what obligations, if any, are imputed to businesses in regard to EU citizens under the new General Data Protection Regulation (GDPR) scheme? The answer may surprise you: any company, regardless of whether or not the company is physically present in the EU, that processes personal data of natural persons (called “data subjects”) in the European Union (EU) for professional or commercial purposes[1] must comply with GDPR mandates[2]. This includes email-based marketing and newsletters. Interestingly, GDPR’s application to “natural persons” means that data from corporations and other legal entities do not fall within GDPR mandates.[3]
Also, it is noted that there may be potential loopholes to GDPR that allow some to fall outside GDPR compliance; however, such possibilities are outside the scope of this article and may or may not actually remove compliance mandates.

Key Compliance Requirements:
Data Audits: Companies should audit personal data and document: what personal data are held; how and where the data were acquired; and with whom the data are shared.[4] If an entity has at least 250 employees or processes certain types of highly sensitive personal data (e.g., religious or political beliefs, and similar), GDPR generally requires that records be maintained as to what is collected and held.[5] This also means information must be kept up-to-date, with inaccurate data being deleted or corrected[6] within the entity’s systems and with any third parties with whom the data have been shared.
Privacy Policies: Privacy policies and notices should be reviewed and potentially updated.[7] Privacy policies should reflect that data is processed in a lawful, fair, and transparent manner.[8] Thus, the following should be addressed to varying degrees based on whether personal data have or have not been obtained from the data subject: (1) the identity and contact information of the controlling or processing entity; (2) the lawful basis for processing the data; (3) that data are being processed and the purpose of the processing; (4) with whom the data will be shared; (4) how long the data will be stored; (5) generally, the rights of the subject and the obligations of the processing or controlling entity, as determined by GDPR; (6) if data will be processed for a different use, thus requiring additional disclosures[9]; and (7) lastly, the policy must be in plain language and easy to understand.[10]
Also, note that where data are obtained from one other than the data subject, the controlling or processing entity must, at specific times in relation to when obtained and in what context, disclose to the data subject that it obtained data.[11]
Essentially, the above means that privacy policies and notices will need to be separate and distinct based upon how and from whom the data was received.
Rights of Individuals: GDPR enumerates a host of rights now enjoyed by data subjects: “the right to be informed; the right to access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right not be subject to automated decision-making including profiling”.[12] Thus, generally, GDPR gives data subjects the right to largely restrict, direct, or otherwise control what and how personal data are used. Also note that a data subject has the right to request information about what data an entity possesses regarding the subject. Thus, procedures should be implemented to address such requests fully and in a timely manner.
Lawful Basis or Bases for Processing Personal Data: GDPR requires that, for processing of personal data to occur, a controller or processor must have a lawful basis for doing so.[13] Though only one basis is needed, it may prudent to have multiple bases for processing personal data. Some such bases are: (1) where consent has been obtained from the data subject; (2) where processing is necessary to perform a data subject’s contract or perform activities at the request of the data subject prior to forming a contract; and (3) where processing is necessary to further legitimate interests of the controller or a third party, unless the data subject’s interests or rights and freedoms override such legitimate interests.[14]
Also, please remember that there are certain requirements for consent[15], special rules where children are involved[16]; and special rules for certain types of personal data (i.e., highly personal data (religious beliefs, political beliefs, and others) and some criminal matters).[17]
Data Breach Policies: Generally, GDPR now requires controllers to notify the relevant authorities of any personal data breach “without undue delay” and within 72 hours after learning of the breach where such time period is feasible.[18]
Additionally, where a breach likely brings a high risk to rights and freedoms of data subjects, the breach must be communicated to data subjects without undue delay and in plain language.[19]
Data Protection by Design and Data Protection Impact Assessments: GDPR imparts upon controllers and processors the general requirement to implement necessary technical and organizational steps to create a default system where only the personal data needed for processing are so processed, stored, and accessible.[20] Further, where processing is likely to create high risk to rights and freedoms of data subjects, such as where new technologies are in use, entities must perform a data protection impact assessment.[21]
Data Protection Officers: Where processing is: (1) executed by a public authority or body, other than the courts in a judicial capacity; or (2) executed by entities that, as part of their core activities, monitor data subjects or process personal data on a large scale, GDPR requires the appointment of a data protection officer (DPO) within the organization and the publishing of  contact information for the DPO.[22] Articles 38 and 39 of GDPR set forth the scope of the DPO’s work, which is generally to be involved with data protection and compliance within the entity.[23]
Lead Supervisory Authority: If an entity processes personal data in more than one EU member country, the entity should determine which supervisory authority is the lead supervisory authority for compliance with GDPR, as determined by the entity’s primary location.[24]

A Note on Consent:
Consent will likely be one of the predominant legal bases for processing personal data. As such, it is necessary to explore the contours of consent with some specificity.
GDPR inserts a presumption that consent is not freely given.[25] Thus, care should be used in determining if consent is the appropriate legal basis to use in relation to personal data processing.[26] Generally, consent requests must address the following: (1) the entity’s name must be provided (and that of any third parties with access to the data), as well as the purposes, methods, and uses of personal data; (2) must be separate and distinct from other terms of use or service (e.g., in a separate document or email); (3) should not be a pre-condition to use or service; (4) must be a clear and affirmative action (no pre-checked boxes); (5) must address each type of processing, if more than one; (6) must include information about the right to withdraw consent, and withdrawal must be simply and easy to complete; and (7) must be easy to read and understand.[27]
Additionally, consent records for each consent obtained (who, when, what he or she was told, how he or she consented, and whether consent has been withdrawn and, if so, when) must be kept.[28] Reviewing existing consents is strongly encouraged to ensure compliance with GDPR’s new, more stringent consent standards.[29] Lastly, give careful attention to any possible imbalance in the relationship between the controller and data subject (e.g., employer/employee), as this greatly raises the difficulty in achieving true consent under GDPR.[30] The use of consent as a legal basis in such cases should likely be avoided.[31]


[1] GDPR, Recital 18, https://gdpr-info.eu/recitals/no-18/.
[2] GDPR, Art. 3(2), https://gdpr-info.eu/art-3-gdpr/.
[3] GDPR, Art. 1(1), https://gdpr-info.eu/art-1-gdpr/; GDPR Recital 1, https://gdpr-info.eu/recitals/no-1/; GDPR Recital 2, https://gdpr-info.eu/recitals/no-2/.
[4] Information Commissioner’s Office, https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf.
[5] Id.
[6] GDPR, Art. 5(1), https://gdpr-info.eu/art-5-gdpr/.
[7] See Footnote 4.
[8] See Footnote 6.
[9] GDPR, Art. 13, https://gdpr-info.eu/art-13-gdpr/; GDPR, Art. 14, https://gdpr-info.eu/art-14-gdpr/.
[10] GDPR, Recital 58, https://gdpr-info.eu/recitals/no-58/.
[11] GDPR, Art. 14(3), https://gdpr-info.eu/art-14-gdpr/.
[12] See Footnote 5; GDPR, Chapter 3, https://gdpr-info.eu/chapter-3/.
[13] GDPR, Art. 6, https://gdpr-info.eu/art-6-gdpr/.
[14] Id.
[15] GDPR, Art. 7, https://gdpr-info.eu/art-7-gdpr/.
[16] GDPR, Art. 8, https://gdpr-info.eu/art-8-gdpr/.
[17] GDPR, Art. 9, https://gdpr-info.eu/art-9-gdpr/; GDPR, Art. 10, https://gdpr-info.eu/art-10-gdpr/.
[18] GDPR, Art. 33(1), https://gdpr-info.eu/art-33-gdpr/.
[19] GDPR, Art. 34, https://gdpr-info.eu/art-34-gdpr/.
[20] GDPR, Art. 25, https://gdpr-info.eu/art-25-gdpr/.
[21] GDPR, Art. 35(1), https://gdpr-info.eu/art-35-gdpr/.
[22] GDPR, Art. 37, https://gdpr-info.eu/art-37-gdpr/.
[23] GDPR, Art. 38, https://gdpr-info.eu/art-38-gdpr/; GDPR, Art. 39, https://gdpr-info.eu/art-39-gdpr/.
[24] GDPR, Art. 60, https://gdpr-info.eu/art-60-gdpr/; GDPR, Recital 124 https://gdpr-info.eu/recitals/no-124/.
[25] GDPR, Recital 43, https://gdpr-info.eu/recitals/no-43/.
[26] Information Commissioner’s Office, https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf.
[27] Id.
[28] Id.
[29] Id.
[30] Id.
[31] Id.

No comments: