The New General Data Protection Regulation

Although our blog has been established in June 2017 only, it may not miss out on what often has been described as the most ambitious and comprehensive changes to data protection rules around the world in the past 20 years. Chiming in at this later stage will provide us with an opportunity to pause for a moment on some basics and to synthesize the practically relevant aspects from the information disseminated so far. We will start our series of articles on data protection with an overview on the GDPR to be followed by more detailed articles on specific issues to be observed when turning data protection compliance into reality.

When structuring a compliant data protection regime for your organization, the following four basic principles set forth by the GDPR provide for the all-encompassing general junctions before going into further detail down the road. However, day-to-day inquiries show that clients tend to jump on the more specific aspects right away with a tendency to neglect the following four principles that can hardly be overcome:

• Lawfulness of processing (Art 6 GDPR)
• Purpose limitation
• Transparency
• Data minimization and storage limitation

The principle of the lawfulness of processing (Art 6 GDPR) provides that any collection, processing or transfer of personal data is strictly prohibited unless undertaken pursuant to the exceptions set forth in Art. 6 GDPR (e.g. consent). This basic threshold often is overlooked in day-to-day situations. In particular, the requirement of the lawfulness of processing provides limitations to big data applications and analysis. The boundaries and possibilities of big data applications and analysis will need further clarification in the future application of the GDPR (see Art 23 GDPR – data protection by design and by default).

The principle of purpose limitation requires businesses to form a clear understanding for what purposes data will be collected and processed prior to initiating those actions. Compliance with this principle calls for a strategic approach, careful communication, and forward-looking process structuring to avoid potential future business limitations.

Similarly, the requirement of transparency is often deemed to limit a business’ flexibility to efficiently structure internal processes and effectively team-up with external service providers. Ideally, a business would approach the structuring of internal processes not only from a technical perspective, however, would also look at communication and marketing functions for verification whether and how data protection requirements need to be communicated to users considering the requirement of transparency. The principles of data minimization and storage limitation closely correlate with the principle of purpose limitation. Broader purposes may create more flexibility for collecting more data, however, need to be leveraged against the actual needs and necessary user communication which relates back to the principle of transparency. We have seen the most sophisticated IT-structures require some re-thinking for not having duly considered the above basic principles although clients had taken great effort to duly consider the various other complex and more specific data protection requirements in the structuring phase. While there are absolute limitations, a fair number of common data protection issues can be avoided by taking a structured, forward-looking and strategic approach in connection with (large scale) data processing.

The GDPR partly amends, and partly introduces new, rules on certain key issues that require consideration when setting-up compliant data processing structures, such as:

Lawful grounds to process and consent
The GDPR’s requirements to identify and articulate the grounds for lawful processing and the period of data storage in essence is not new, however, the rules around consent now are more onerous. This correlates to comprehensive information and transparency obligations set forth by the GDPR. On the other hand, intra-group transfers and direct marketing are now specified as legitimate interests in the GDPR’s recitals.

Governance
This principle sets forth requirements to provide data protection with sufficient prominence in the internal organization and with board support, to appoint a data protection officer (DPO), or to provide continuous training to DPOs and individuals involved in data processing.

Privacy by design and privacy impact assessments
This refers to the various aspects of the technical implementation of data protection measures and the requirement to carry out privacy impact assessments where a type of processing is likely to result in a high risk for the rights and freedoms of individuals.

Accountability and demonstrating compliance
This principle stands for, e.g., comprehensive new documentation requirements and the need for a controller to demonstrate its compliance with the data protection requirements set forth by the GDPR. In this regard organizations also need to consider a data subject’s right to erasure, i.e., the “right to be forgotten.” Organizations may also want to consider developing certification schemes to be approved by the authorities.

Export of personal data
The GDPR imposes new rules on the general framework for cross-boarder data transfers modified by certain new requirements, e.g., for processors, the use of binding corporate rules or specific industry sectors.

New rules on joint controllers, and new obligations of data processors
The GDPR also sets forth new rules on the creation of joint processor responsibility and direct responsibility of processors under the GDPR.

Employee data
Since the Privacy Directive, the processing of employee data has required some thought, in particular with regard to the cross-border transfer within multinational organizations. Under the GDPR, dealing with employee data will not lose its prominence, perhaps in particular, since the GDPR allows for deviations on the treatment of employee data under the national laws of the Member States. In this regard, the GDPR will not save businesses from close coordination with their local counsel in the relevant EU Member States.

Although the GDPR aims at an EU-wide harmonization of the data protection regimes in the Member States, the GDPR provides Member States with certain possibilities to deviate from the standards established by the GDPR. Therefore, despite of the GDPR, the structuring of an EU-wide compliant data protection process in the future may require double-checking with national laws, e.g., in the following areas:

• definition of the data controller (Art 4 (7) GDPR, Art 24 GDPR)
• lawfulness of processing (Art 6 (2) GDPR)
• definition of data recipient (Art 4 (9) GDPR)
• minimum age for child consent (Art 8 (1) GDPR)
• processing of special categories of personal data (Art 9 GDPR)
• information to be provided where personal data has not been obtained from data subject (Art 14 (5)© and (d) GDPR)
• right to erasure, right to be forgotten (Art 17 (1)(e) and (3)(b) GDPR)
• automated individual decision making (Art 22 (2) (b) GDPR)
• restrictions to rights of data subjects (Art 23 (1) GDPR)
• certain details of data processing by processors (Art 28 GDPR)
• processing under the authority of the controller or processor (Art 29 GDPR)
• data protection impact assessment (Art 35 (10) GDPR)
• designation of the data protection officer (Art 37 (4) GDPR)
• representation of data subjects (Art 80 GDPR)
• processing of national identification numbers (Art 87 GDPR)
• processing in the employment context (Art 88 GDPR)
• controllers and processors subject to obligations of professional secrecy (Art 90 (1) GDPR)

We will elaborate more on the specifics of the above-mentioned basic principles and key issues imposed as well as references to national (in particular German) law by the GDPR in future posts in a series of articles on the topic including some ideas on potential operational to-dos and practical compliance considerations.