The European regulation No. 2016/679 of 27 April 2016, or General Data Protection Regulation (GDPR), will come into force on 25 May 2018. Businesses that fail to comply could be saddled with administrative fines that can reach the greater of EUR 20,000,000 and 4 % of their global annual turnover of the previous year.
This article describes in a very practical way the actions that a business established in France must take in order to comply with the GDPR, assuming it is already complying with current regulations.
A business must maintain a record of the personal data processing activities ("processing activities") that it controls. The record template proposed by the French data protection authority, the Commission Nationale Informatique et Libertés (the "CNIL"), contains a list of processing activities and a descriptive sheet for each processing activity. Each processing activity sheet must indicate, among other things, its purposes, the categories of data subjects (the natural persons whose personal data are being processed), the categories of recipients and, "where possible", the envisaged time limits for deletion of the different categories of data.
Ideally, you should identify the processing activities using the same nomenclature as that developed by the CNIL in its exemptions ("dispenses"), simplified norms, single authorisations, reference methodologies and recommendations for normal declarations. It is also recommended that you verify that each processing activity conforms with the CNIL's recommendations in each of these documents regarding the categories of data collected, the time limits for deletion and the categories of recipients.
If your business also acts as a data processor within the meaning of the GDPR (i.e. if it processes personal data on behalf of a controller), it must maintain a separate record for those processing activities.
Businesses with fewer than 250 employees are exempt from these obligations, but the exemption applies only to processing that is "occasional", not likely to result in a risk, and not related to sensitive data or to criminal convictions and offences.
Data protection clauses and notices must be updated in light of the new information that must be communicated to data subjects (employees, clients and suppliers who are natural persons, natural persons representing clients and suppliers that are legal entities, etc.).
Any consent form must be updated in light of the new requirements.
If a business jointly determines the purposes and means of processing activities with another person, they will be considered joint controllers and must enter into an arrangement determining their respective roles. The "essence of the arrangement" must also be made available to the data subjects.
Contracts between controllers and processors should include new clauses. The CNIL has proposed standard clauses.
Finally, it must be remembered that any contract with a recipient located in a country outside the European Economic Area (the "EEA") that is not considered by the European Commission as ensuring an adequate level of protection must include certain clauses, unless other "appropriate safeguards" are available.
C. Impact assessments
According to the CNIL's online questions and answers, "[t]he filing systems for which formalities have already been regularly carried out with the CNIL (declarations, authorisations granted and notices rendered) may continue after 25 May 2018 without undergoing any data protection impact assessment as long as they are not modified in a material way" (our translation).
Otherwise, or for any new processing activity, you should:
- determine whether the processing activity is likely to result in a high risk to the rights and freedoms of natural persons, a test that is further described in the guidelines of the Article 29 Working Party (the "WP29"), of which the CNIL is a member;
- if this is the case, carry out an impact assessment in accordance with the applicable requirements;
- if the impact assessment indicates that the processing activity would result in a high risk in the absence of measures taken by the controller to mitigate the risk, consult the CNIL beforehand.
D. Data protection officer
A data protection officer (a "DPO") shall, among other tasks, monitor compliance with the GDPR, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audit.
A business shall appoint a DPO if its core activities consist of:
- processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- processing on a large scale of sensitive data or of personal data relating to criminal convictions and offences.
The DPO can be someone within the business or an outside individual or organisation. In order to avoid any conflict of interest, if the DPO performs other functions, those functions must not lead him, her or it to determine the purposes and means of the processing of personal data, or to represent the business before the courts in cases involving data protection issues, according to the WP29.
E. Measures or policies
A data controller must "implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation" possibly through "policies" (article 24 of the GDPR) and "be able to demonstrate compliance" with the principles of article 5 of the GDPR.
These measures or policies shall require management and relevant employees to:
- comply, in the design and implementation of a processing activity, with the principles of article 5 of the GDPR including the existence of a lawful ground - which may be amongst others consent, performance of a contract to which the data subject is party or compliance with a legal obligation (article 6 of the GDPR) - and data minimisation;
- ensure no processing activity concerns "sensitive data" (such as ethnic origins, political opinions, philosophical beliefs or sexual orientation) - unless an exception avails - or relates to criminal convictions and offences;
- ensure data subjects are provided with the information set out in articles 13 and 14 of the GDPR;
- respond appropriately, within a maximum of one month of receipt of the request, to access, rectification, erasure, restriction of processing, data portability and objection requests, or requests not to be subject to a decision based solely on automated processing, it being noted that many of these rights are new (articles 15 to 22 of the GDPR);
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
- notify any personal data breach to the competent supervisory authority and, in some cases, the relevant data subject, which is a new obligation under the GDPR;
- for any new processing activity, ensure that a data protection impact assessment is carried out if this processing activity has certain characteristics making such assessment compulsory;
- in case of a new processing activity and if no DPO has been appointed yet, appoint a DPO where the characteristics of this processing make a DPO compulsory;
- maintain the record(s) of processing activities;
- ensure that any agreement between joint controllers, any contract between controller and processor as well as any contract with a recipient of personal data established in a country outside the EEA that is not considered by the European Commission as ensuring an adequate level of protection, contain the necessary clauses.
Businesses may be assisted by various service providers in the implementation of these measures, but lawyers are undoubtedly the most competent when it comes to drafting contractual clauses and drafting an internal policy that complies with the legal obligations stemming from the GDPR. Lawyers can also assist businesses with the setup of the record(s) of processing activities, carry out impact assessments and act as DPO.
Finally, in light of the new "e-privacy" European regulation meant to complement the GDPR and also enter into force on 25 May 2018, the exact content of which was still unknown at the date of writing of this article, businesses may also be called upon to review at the same time their practices in terms of unsolicited communications for purposes of direct marketing and cookies.
This article was first published in the 10 January 2018 edition of the magazine Option Droit & Affaires.