EU General Data Protection Regulation (GDPR)
The EU GDPR is a law designed to enhance data protection for EU residents and provide a consolidated framework to guide business usage of personal data across the EU, replacing the patchwork of existing regulations and frameworks. The 200-plus page GDPR replaces the 20 year old Directive (95/46/EC). This new law has received a lot of attention due to its complexity and the associated penalties for noncompliance. Fines can be up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding year (whichever is higher).
As a result, many organizations are making significant changes to their privacy programs. To help with these changes, the Article 29 Working Party (WP29) has provided guidance on several of the requirements, summarized below.
Article 20 provides data subjects with the right to data portability. The WP29 opinion on this Article helps data controllers understand what their obligations are and provides best practices and tools to help meet compliance obligations for this requirement.
If your organization conducts cross-border data processing, or is unsure whether it does, this guidance provides examples, key concepts to identifying a key supervisory authority, and even questions to guide the identification of the lead supervisory authority.
WP29 helped clarify some terms used in Article 37(1), which lists the situations where a DPO would be required:
a) where the processing is carried out by a public authority or body
WP29 guides that “such a notion is to be determined under national law.”
b) where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale
WP29 clarified that “core activities” means “key operations necessary to achieve the controller’s or processor’s goals” or in other words “an inextricable part of the controller’s or processor’s activity.”
c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses. While clarification on what “large scale” means is summarized below, WP29 also gave guidance on the meaning of “Regular and Systematic Monitoring” as well as the expertise and skills that a DPO should possess.
These factors should be considered when determining whether the “large scale” threshold is met:
– The number of data subjects concerned – either as a specific number or as a proportion of the relevant population
– The volume of data and/or the range of different data items being processed
– The duration, or permanence, of the data processing activity
– The geographical extent of the processing activity
This guidance goes through when DPIAs should be conducted, beyond the official text: “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1), illustrated by Article 35(3) and complemented by Article 35(4)). WP29 provides these example categories:
- Evaluation or scoring
- Automated-decision making with legal or similar significant effect
- Systematic monitoring
- Sensitive data
- Data processed on a large scale
- Data sets that have been matched or combined
- Data concerning vulnerable data subjects
- Innovative use or applying technological or organisational solutions
- Data transfer across borders outside the European Union
- When the processing in itself “prevents data subjects from exercising a right or using a service or a contract” (Article 22 and recital 91)
While they suggest that a processing operation meeting less than two criteria may not require a DPIA due to the lower level of risk, and processing operations which meet at least two of these criteria will require a DPIA, organization must still use their judgement because two is only a suggested rule of thumb.
The guidance also goes through what should be included in a DPIA, and when an organization should consult a supervisory authority.
To help organizations deal with the new concept introduced by DPIAs, namely benefits being balanced against risk, TRUSTe is working with the Information Accountability Foundation (IAF) to develop a DPIA construct. It will help organizations understand the benefits that come with the processing. It will also be automated so that organizations can scale their DPIA process, and create the documentation needed for support in case the organization must go to a regulator.
TRUSTe has developed comprehensive solutions to help organizations comply with the GDPR. All solutions are backed by our technology platform so that implementations to comply with the GDPR will be sustainable and scalable. To learn more about TRUSTe EU GDPR solutions, or to speak with a consultant, contact us.