Briefing No. 2: GDPR. McCann FitzGerald


Briefing No. 2: GDPR

This briefing was produced by the Institute of Directors in association with McCann FitzGerald for use in Ireland. McCann FitzGerald is one of Ireland's premier law firms, providing a full range of legal services to many of Ireland's leading businesses. Clients include international organisations, major domestic concerns, emerging Irish companies and clients in the State and semi-state sectors.

When it becomes applicable on 25 May 2018, the General Data Protection Regulation ("GDPR") will update and overhaul European data protection law. As a regulation, the GDPR will be directly applicable in all EU Member States without the need for implementing legislation. However, it will be supplemented by new national laws that will result in some areas of divergence from one Member State to another.

In readiness for this rapidly advancing deadline, companies will need to implement changes to ensure compliance with the GDPR requirements or risk incurring substantial financial penalties and other negative consequences. We outlined these in our first briefing.

In working towards compliance, companies will need to be familiar not only with the provisions of the GDPR and the additional applicable national legislation, but also with the various sources of supplemental guidance that have been published to date and that will be made available in the coming months. Keeping abreast of this guidance, understanding its legal implications and adapting GDPR preparations as necessary to comply with it is one of the additional challenges that all organisations face in their preparations for the GDPR regime.

Sources of GDPR Guidance

Article 29 Data Protection Working Party (the "Art 29 WP")

The Art 29 WP is an advisory body comprising representatives from each of the European Data Protection Authorities. It frequently publishes opinions on various aspects of data protection law and has recently issued guidance on how some of the newer concepts introduced by the GDPR will operate in practice (see below).

European Data Protection Board (the "EDPB")

The GDPR will create a new body, the EDPB, to replace the Art 29 WP with effect from 25 May 2018. It will comprise the European Data Protection Supervisor and senior representatives of the national data protection authorities. The EDPB will have more extensive responsibilities and powers than the Art 29 WP, including the power to issue legally binding decisions to national supervisory authorities, to issue guidelines, recommendations and statements of best practice, and to approve EU-wide codes and certification.

National Data Protection Authorities ("DPAs")

The functions of DPAs include implementing and enforcing data protection law and offering guidance. In Ireland, this role is currently fulfilled by the Data Protection Commissioner. It has been proposed that, as one of the updates to Irish data protection law that will be made in connection with the GDPR, the Data Protection Commissioner will be replaced with a new legal entity, to be known as the Data Protection Commission, with additional and more robust powers.

Art 29 WP Guidelines

The Art 29 WP has published four sets of guidelines and FAQs to date on specific aspects of the GDPR: the right to data portability, data protection officers, identifying a controller's lead supervisory authority, and data protection impact assessments.

Right to Data Portability

The right to data portability allows individuals to receive the personal data they have provided to a controller and to have such data transmitted to another controller in certain circumstances. It is a new right which has no equivalent under currently applicable data protection law. The Art 29 WP guidelines explain and flesh out various elements of this right. They take a very broad view of a key issue regarding the scope of its application: they state that, for these purposes, data "provided to" a controller should be interpreted to cover not only data actively provided by the individual, but also personal data observed and recorded by the controller about that individual. This interpretation would not be evident to a company that had considered the text of the GDPR only.

Data Protection Officers ("DPOs")

The GDPR requires certain organisations to designate a DPO. These are public authorities or bodies, and organisations that, as a core activity, monitor individuals systematically and on a large scale, or that process special categories of data on a large scale.

The Art 29 WP guidance clarifies key elements of the criteria for determining whether a DPO is required, such as how the concepts of a "core activity" or "large scale" should be interpreted. For example, core activities are defined as key operations which are necessary to achieve the organisation's goals, or activities where the processing of data forms an inextricable part of the organisation's core activity. It states that the types of controllers that are likely to be obliged to appoint DPOs include banks, insurance companies, hospitals and search engines. Essential activities such as IT support and employee compensation are classified as ancillary functions common to most organisations and, as such, do not constitute a core activity or give rise to an obligation to appoint a DPO.

Although the Art 29 WP does not provide specific guidance in relation to the professional qualifications that an organisation should seek in a DPO, it does state that the level of expertise should be commensurate with the sensitivity, complexity and amount of data an organisation processes. All DPOs should possess an in-depth understanding of the GDPR.

The guidelines also provide that a DPO need not always be an individual and that a team can function as a DPO. Similarly, a DPO need not be a company employee and can be an external service provider, provided that the role is structured and performed in a way that complies with the mandatory requirements in respect of a DPO. These include being involved, properly and in a timely manner, in all issues relating to the protection of personal data, reporting directly to the highest management level of the company, and not having any additional tasks or duties that may give rise to a conflict of interest.

Identifying a Controller's or Processor's Lead Supervisory Authority

Pursuant to the "one stop shop" approach of the GDPR, the supervision of cross-border processing will be led by one supervisory authority, known as the lead supervisory authority. In its guidelines, the Art 29 WP explains how an organisation's main establishment or single establishment in the EU will be determined for the purpose of identifying its lead supervisory authority. This is a key issue for any organisation that operates in more than one EU Member State.

The guidelines recognise that the designation of a lead supervisory authority is a very fact-specific inquiry. They provide detailed, illustrative examples, factors to be considered and a helpful annex to guide companies through the designation process. The GDPR does not, however, permit forum shopping in this regard: organisations must be able to demonstrate that decisions about data processing are, in fact, implemented in the jurisdiction they designate as their main establishment.

Data Protection Impact Assessment ("DPIA")

Under the GDPR, a DPIA will be required where the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons. The Art 29 WP guidelines explain, and provide some examples of, the circumstances where a DPIA will be required. The guidelines suggest some criteria to consider in assessing whether the processing of personal data is likely to be considered high risk. These include where the processing involves: evaluation or scoring; sensitive data; data processed on a large scale; data concerning vulnerable data subjects; the innovative use of technology; and data transfers outside the EU.

The Art 29 WP recommends that a DPIA should be carried out in advance of the relevant processing and should be re-assessed regularly, and at least every three years. The guidelines include a helpful chart suggesting a process for carrying out a DPIA and a checklist which controllers can use to assess whether a DPIA complies with the requirements of the GDPR.

Further Art 29 WP Guidance

In the coming months, the Art 29 WP will provide guidance on various other important issues and concepts under the GDPR. The topics will include obtaining consent from individuals, profiling, breach notifications and certification. Once they are made available, organisations will need to consider whether their GDPR preparations are aligned with this guidance.

DPA Guidance

The Office of the Data Protection Commissioner ("ODPC") has published guidance entitled "The GDPR and You: Preparing for 2018", which sets out 12 initial steps that organisations should implement with a view to becoming GDPR-ready. These steps include ensuring awareness of the GDPR across the organisation, making an inventory of personal data held and processed, reviewing and updating privacy notices and procedures, and considering whether a DPO will need to be appointed.

In August 2017 the ODPC published guidance on the qualifications of DPOs, which further supplements the Art 29 WP guidance on DPOs mentioned above. It is expected that the ODPC will continue to publish further guidance in connection with the GDPR, which will need to be taken into account in addition to any Art 29 WP guidance.

For organisations based in Ireland that operate in other EU Member States, it will also be necessary to monitor guidance issued by other DPAs. The Information Commissioner's Office in the UK (the "ICO") is particularly active in this regard and has already published proposed guidance on key topics such as consent and contracts between controllers and processors.

For further information on this, or related topics, please contact the authors:

Paul Lavery, Partner, Head of Technology and Innovation, paul.lavery@
Adam Finlay, Partner, Technology and Innovation, adam.finlay@
Annette Hogan, Consultant, Technology and Innovation, annette.hogan@

Alternatively, your usual contact in McCann FitzGerald will be happy to help you further.

McCann FitzGerald and Institute of Directors in Ireland. All rights reserved.

Institute of Directors in Ireland, Europa House, Harcourt Street, Dublin. info@iodireland.ie

This document is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.

McCann FitzGerald, September