Norton Rose Fulbright - Data Protection Report blog

The wait is finally over—this Friday the European Union General Data Protection Regulation (GDPR) will come into force. For many readers of this post, a huge amount of work will have been done in recent months in building up to compliance with the new regime. However, the challenges of GDPR certainly don’t end on the date this law goes into implementation. We have shared below some interesting points that we’ve seen arising recently, all of which relate to how things are likely to develop from today onwards, including enforcement predictions, challenges related to operationalizing data subject access procedures, and how the GDPR may change the data privacy litigation landscape in Europe.

For many organizations that are based outside the EU and took the “wait and see” approach, our checklist may come in handy: it gives an illustrative overview of the requirements likely to impact most types of businesses and the practical steps that organizations need to take to meet those requirements. We also have a chatbot powered by artificial intelligence that helps clients to determine whether the GDPR applies to their business.

If you missed our previous blog articles, the European Commission released a new website with extensive guidance on GDPR implementation, together with a Fact Sheet containing Q&As on the GDPR.  The Commission also released a “Next Steps” document, which clearly sets out actions to be taken by the European Commission toward Member States, data protection authorities (“DPAs”), and citizens and businesses/organizations processing data through the year 2020.

What do we expect in terms of enforcement priorities?

Many of our clients ask us when and how they may be called upon to demonstrate compliance with the GDPR.

The European Commission Fact Sheet and Q&A includes statistics that nine out of ten Europeans have expressed concern about mobile apps collecting their data without their consent, and seven out of ten worry about the potential use that companies may make of the information disclosed.  The stated purpose of the new law is to give people more control over their personal data and make it easier to access it.  If your organization is a social network, mobile app, a service offered to children, driverless cars, big data analytics, or an advertising company, the European Commission has shown an explicit interest in how people’s information is protected from those industries—no matter where it is sent, processed or stored—even outside the EU.

In fact, social media or social networks are mentioned three times in the Q&A, and big data analytics is mentioned five times. Our crystal ball predictions for GDPR enforcement would be that the initial focus by the regulators will be on the highlighted products or services. To be audit-ready, appropriate technical and organizational measures must be in place and evidence of compliance will need to be provided in the form of documentation. A structured approach to identifying operations that are “high risk” is needed, as well as implementing risk mitigation measures. Did we mention big data?

So if you’re not a social network, mobile app, driverless car, or one of the big data companies, does this mean you can breathe a sigh of relief? The Member States could proactively ask an organization to show how it complies with GDPR under Art. 24, but more likely than not the first test for many organizations will be how they respond to data subject access requests (DSARs), or when they experience a personal data breach which they will likely need to report to their Supervisory Authority due to the relatively hair-trigger reporting thresholds. Because these DSARs must be responded to within 30 days, basic procedures should be in place to handle these requests to avoid scrambling to comply with the law when you receive a DSAR. These data subject rights are not new, as similar rights were already in place before the GDPR in Europe (and most frequently exercised in the UK), but for organizations that are based outside the EU, this procedure may have been put in place for the first time and never put to the test before. This includes EU-based companies that may work with US-based service providers, for example.

What are some common pitfalls to implementing a data subject access request response procedure?

Since responding to a DSAR may be the first GDPR compliance test for most organizations, we outline below some common pitfalls that may present challenges and practical tips for addressing them.

Challenge #1

Different departments and systems hold personal data about an individual.

Data mapping and creating an inventory of the types of personal data an organization collects, stores and processes is one of the first GDPR compliance requirements. When a data subject requests an opt-out from marketing lists, for example, it will be critical to have an understanding of which departments within your organization process personal data and what systems may be affected. Even if a comprehensive data mapping exercise has not yet been completed, every organization should conduct a baseline test to ensure that marketing opt-out requests will be honored. If an individual opts out and still receives an unwanted email, it could result in a complaint that alleges that the organization is processing data without consent (remember the maximum fines are now up to 4% of annual worldwide turnover).

Challenge #2

There is no standardized format for making requests, which makes verification of identity difficult and results in requests getting “lost in the mail.”

Without a clear privacy notice and designated communication channels, such as a dedicated phone line or email inbox for receiving complaints and inquiries, valuable time may be lost before DSARs are escalated to the appropriate teams for handling. It is often not enough to have established an email address and phone lines; training everyone who may potentially interact with data subjects is also important, so that the proper channels are used to kickstart the process of validating and responding to the request. This means it will be just as important for your sales and marketing teams to be aware of the GDPR requirements as it will be for your customer support teams. Training should be provided, for example, so that a standardized procedure is in place to verify the identity of the requestor before sensitive personal data is sent out from the organization in response to a DSAR.

Challenge #3

The use of nonstandardized request forms could lead to incomplete search results, especially when third party involvement is needed.

It is important to understand not only how your organization collects, stores and processes personal data, but also how the third parties you interact with do so, including vendors, service providers and business partners who may process personal data on your behalf. Many organizations have spent a lot of resources within the past year to renegotiate and add contractual terms to third party contracts that reflect the new GDPR requirements. Close coordination and effective collaboration among third parties as well as departments within your organization will be needed, which could be difficult if the procedure for handling DSARs is not standardized. It is never too late to begin identifying key third parties and starting a dialogue as to how these DSARs may be received and responded to by each organization.

How is GDPR going to change the litigation landscape in Europe in relation to data privacy?

When all else fails, there will be litigation. Individual data subjects have rights under GDPR to bring direct claims against data controllers and processors in circumstances where they have suffered material or non-material damage as a result of infringement of GDPR by that controller or processor. A demand to exercise a data subject right and any subsequent failure to satisfy the requestor, for example, could be a precursor to litigation claims in the EU. The reference to “non-material” damage in this context means that a broad spectrum of loss is in principle compensable—from direct financial loss to matters such as anguish or hurt feelings. In principle, this is nothing new. For example, similar rights already existed under English law as a result of s13 DPA 1998 (which afforded data subjects a right to bring direct claims against a data controller for losses caused by a breach of DPA 1998)—this right was interpreted broadly by the English courts as including a right to compensation for non-pecuniary losses of the type contemplated by GDPR (see Vidal-Hall v Google). To date, claims of this nature have been relatively rare—this may however change, at least to some extent, as individual data subjects become more aware of the rights that they hold in relation to their personal data as a result of GDPR. Compensation awards for claims of this type have traditionally also been low, but for companies processing large quantities of data a risk of significant liability may arise if a large population of data subjects brings a claim on a collective basis, for example following a significant data breach (see the UK Morrisons Breach). Again, claims of this type have not been common to date but may become more frequent as data subjects obtain a growing awareness of the rights they hold in respect of their personal data and an increased readiness to vigorously pursue those rights.

What are some issues to think through in terms of when and how GDPR notification requirements apply to a data breach?

In addition to DSARs, another way an organization’s GDPR compliance program could be put to the test is when it suffers a data breach. A common question we face is whether and how GDPR will apply to a personal data breach which is discovered on or after 25 May but which in fact took place before that date. For example, if a data theft took place last week but is only discovered Friday—which law applies? We would make two observations on this. The first is that GDPR notification requirements are triggered on awareness of a personal data breach—so if a data controller obtains that awareness on 26 May, the requirement to notify the Member State Supervisory Authority within 72 hours will be triggered as of the time the organization becomes aware of a breach. However, this is not to say that GDPR will apply retroactively—it seems that any fines or penalties imposed by regulators in respect of an incident of this type would be imposed under the old regime, as this was the law applicable to the affected organization at the time the potential non-compliance took place. We should not therefore think that 25 May marks the day when the previous regime ceases to be relevant—that regime could still affect companies for months and years to come and this needs to be factored into the risk management process. Cyber liability insurance policies, for example, should still provide cover in respect of liabilities arising under the law pre-GDPR even though that law is no longer current.

Will GDPR become a global standard? Is there a silver lining to organizations that are subject to a patchwork of laws globally?

Although the GDPR is meant to unify EU privacy and data protection laws, each Member State within the Union will have certain priorities and guidance documents, and national variations in the implementation should be monitored. The German Data Protection Authorities, for example, published new guidance documents in February that recommended that organizations list not only the recipients of data transfers outside the organization but also the details of the internal groups or persons having access to the data processing. This may require a greater level of detail than what some organizations are prepared to provide. The German guidance also states that organizations will be expected to provide a description of the data processing activities in the German language.

Although much thought leadership has focused on GDPR and the EU implementation, it is also important to note that other jurisdictions have not been sitting idly by. A new California law, which may be passed in November 2018, would expand the definition of personal information to include categories such as biometric data, commercial activity, internet browsing activity, geolocation data, IP address information, and any inferences drawn about consumers from this data. The Consumer Right to Privacy Act of 2018 would also allow consumers to opt out from sale or sharing of their information, and require the business to post on any website homepage an opt out link with the text “Do Not Sell My Personal Information.”

On 29 December 2017, the Standardization Administration of China also issued an Information Security Technology—Personal Information Security Specification (GB/T 35273-2017) (the “Specification”), which went into effect on 1 May 2018 and has a key implementing role in relation to China’s Cyber Security Law (“Cyber Security Law”) in respect of protecting personal information in China. Here too, the definition of “personal information” is expressly expanded to cover (in addition to personal identity information) information reflecting the activities of certain individuals, including personal location, personal correspondence records, online browsing history and so forth. The Specification also confirms that the basic principle for legally collecting personal information consists of the following: (i) the collecting entity needs to explicitly notify relevant individuals of the rules regarding collecting personal information; and (ii) the collecting entity shall obtain consent from relevant individuals.

In addition to expanded definitions of personal information and consent requirements, global organizations will now face mandatory data breach notification laws not only in the US and now the EU under GDPR but also in Australia and Canada (as of 22 February and 1 November, 2018, respectively).

For organizations that have diligently put together compliance plans for the GDPR, this will be a competitive advantage when facing privacy and cybersecurity requirements from multiple jurisdictions. For organizations that are playing catch up, we recommend the following three (3) best practice steps:

  1. Define and implement a data collection policy. This could be in the form of a privacy notice and it should be communicated to all employees, customers and clients. If you are engaged in a high risk data processing activity, determine which business activities require consent or need to be restricted. Ensure internal procedures in practice accurately reflect the business when compared with the uses described in the notice.
  2. Identify key third party data processors. Define each party’s obligations in a written contract and obtain assurances related to privacy, confidentiality and security for processing critical data.
  3. Have a plan. Even if your organization is not fully audit-ready, think in advance about what kinds of inquiries or complaints are most likely to be received and have a plan for responding to them.