With this in mind, we ask six key questions you should think about to successfully navigate GDPR year two:
1. Do you need to launch GDPR programme v2?
GDPR was adopted in April 2016. For many companies there was a somewhat leisurely build-up to its effective date of 25 May 2018, followed by a mad dash to what some perceived as a 25 May 'finish line'. Those of us in the privacy and data protection world are all too familiar with organisations that then suffered a little 'GDPR fatigue' after 25 May 2018.
Now is an opportune time to review your privacy and data protection regime. We have more regulatory guidance and case law and practices may well have bedded-in within your organisation over the last year.
This is a great opportunity to take stock, assess the compliance landscape, and review your existing GDPR program. What is working, what is not working, and how can things be improved?
A successful compliance program is one that is ongoing and iterative. GDPR compliance is a constant process and not a static goal. This means taking lessons learned, incorporating best practice and ensuring you are properly resourced to continue your compliance efforts.
2. Do you need to complete your records of processing?
Some may have struggled with the data mapping exercise and with accurately recording how they process personal data. Particularly for multinational companies, this can be a mammoth task: tracking how personal data flows through a large organisation is difficult and time consuming. Some businesses may simply have given up trying to complete their GDPR Article 30 records of processing.
However, this is a mistake. Records of processing are the bedrock on which good GDPR compliance is built. To embed a culture of privacy by design, you need to understand what personal data flows through your organisation. Accurate and comprehensive records of processing are the first thing that a regulator will ask for if it conducts an audit. They are invaluable during a personal data breach to understand what personal data is at risk.
If you have not completed (or started) your records of processing, address this today.
3. Do you need to plan for a no-deal Brexit?
The Brexit elephant in the room is not getting any smaller. The UK is now scheduled to leave the EU on 31 October 2019. As of today, no exit deal has been agreed, the British Prime Minister has resigned and her potential successors are increasingly talking up the chances of a ‘no deal’ exit. None of this augurs particularly well for a smooth UK exit from the EU.
The intention is to bring GDPR directly into UK law on exit, and to sit alongside the UK Data Protection Act 2018. So in many respects, it will be business as usual, but a number of items could feature on your GDPR/Brexit checklist.
In the event of no-deal, the UK will become a 'third country', meaning that transfers of personal data from the EU into the UK will have to rely on one of the transfer mechanisms set out in Chapter V of GDPR (an adequacy decision, appropriate safeguards such as standard contractual clauses, or a derogation). Businesses should therefore map their data flows and identify any transfers into the UK from the EU that will need such a mechanism. You may need to appoint a representative in the EU. You may need to review and update your privacy information and internal documentation. You may also need to update your data processing agreements to ensure that the UK's Data Protection Act 2018 is covered, and that they refer to the UK where they previously referred only to the EU or EEA.
4. How can employers honour employees’ GDPR requests?
One trend we have noticed in the first year of GDPR is the increasing number of data subject access requests being submitted by employees and ex-employees – and it shows no signs of slowing down. The crossover between employment and privacy law has always been delicate for employers, who must balance the competing interests of their businesses and the individuals they employ.
It is vital that employers have systems in place to deal with GDPR requests from employees. Employers must respond without 'undue delay' and in any event within one month of receiving a request. That period can be extended by a further two months where necessary, taking into account the complexity and number of requests, provided the individual is told of the extension within the first month. Too often companies lose precious time because requests are routed the wrong way internally.
A clear, concise and well-known system must be in place to ensure that GDPR requests from employees go to the correct team. This system must also clearly set out how requests will be responded to. For example, which online systems must be searched? How far back will you search? Will you release all information associated with an employee who has submitted a subject access request? What happens if the vast majority of this information comes from business emails that the employee sent or received?
This is an area of real interest for regulators and they tend not to look kindly on well-resourced companies failing to respond to employees within GDPR time limits.
5. Can you benefit from a lead supervisory authority and the ‘one-stop-shop’ mechanism?
One of the attractions of GDPR for multinational organisations is the ‘one-stop-shop’ mechanism. Companies with operations in many EU countries can identify the regulator of their EU headquarters as their lead supervisory authority. This means that companies involved in cross-border processing of personal data only have to deal with one regulator, instead of upwards of 30 EU data protection authorities. This can save an awful lot of time, particularly in emergency situations, like reporting a multi-EU member state personal data breach. The European Data Protection Board recently reported that 205 of 446 cross-border cases registered with it have led to ‘one-stop-shop’ procedures.
This all sounds fantastic in theory, but, as with all things GDPR, reality is a little bit more complicated. Identifying which regulator is your lead supervisory authority requires organisations to identify their main establishment. But for many companies their corporate structures do not always point to one, single place of central administration in the EU, making the ‘main establishment’ assessment a tricky one.
To benefit from the ‘one-stop-shop’ procedure, however, this is an essential assessment. The time to figure it out is now, not in the middle of a crisis!
6. How can you balance GDPR with your other legal and compliance obligations?
Many multinational companies face difficulties balancing GDPR compliance with their other legal obligations, particularly non-EU obligations such as US anti-money laundering and trade sanctions laws. The extra-territorial effect of US trade sanctions law, for example, means that in practice it does not apply only to US nationals or US-based companies, but also extends to their non-US group companies.
To achieve compliance, businesses often need to carry out due diligence checks on customers, suppliers or other third parties they may engage with commercially. Inevitably, these checks will involve processing personal data, either by controllers established in the EU, or by non-EU controllers monitoring the behaviour of data subjects in the EU: and so GDPR applies.
The difficulty arises when looking to identify a legal basis for the processing. In some cases, a basis for the transfer of that data outside the EU will also be necessary. GDPR allows for processing where necessary for a company to comply with its legal obligations under EU or member state law. However, it does not envisage processing for a company to comply with its non-EU legal obligations.
Many companies resort to relying on the 'legitimate interests' processing basis under GDPR Article 6. However, this is not bulletproof. You must carry out a balancing test to ensure that your legitimate business interests are not overridden by the affected data subjects' rights and freedoms. In the Swedish administrative court's judgment involving a health care provider, the court recognised the company's legitimate interest in complying with US sanctions rules, but still found that this interest was not enough to override the fundamental rights of the individuals concerned.
This leaves quite a quandary when you consider that the penalties for violating US sanctions can be substantial (monetary fines running to several million US dollars and a prohibition on continued trade in the United States) and may exceed even the hefty fines available under GDPR.
This area desperately requires regulatory clarification. Until we receive such clarification, you should conduct a full risk assessment and decide how you can best navigate the different regulatory regimes.
Client Alert 2019-139