Impact of EU General Data Protection Regulation

Transcription

1 Impact of EU General Data Protection Regulation A White Paper Thursday 15 October 2015 The law stated is correct as of this date. This does not constitute legal advice and it is highly recommended to seek professional legal advice when in any doubt about understanding your rights and obligations in order to comply with the law and regulations that impact marketing. Further information is available at GO DPO is a European Community Mark of EU Compliance and Recruitment Ltd.

2 Why is the EU General Data Protection Regulation a game of financial jeopardy? A crucial point about the forthcoming EU General Data Protection Regulation (GDPR) is buried deep in Amendment 188 of Article 79 that deals with the harmonisation of administrative sanctions. Now that may not sound like a very sexy subject but read on! The GDPR creates what s often referred to as a strict liability offence and Data Controllers will need to be alert to the risks they re taking by not doing that they should ve done. Article 79 is like a game of financial jeopardy as it punishes Data Controllers for the omissions of not complying with the principles of GDPR and recidivists can expect the tariff to increase with every subsequent administrative breach. This part of the proposed EU Regulation is largely hidden from view mainly because data breaches at Carphone Warehouse and other big companies tend to grab the news headlines. An internal European Commission document published in May 2015 this year following the DAPIX meeting on 21 April 2015 may have passed by largely unnoticed but makes chilling reading for any Data Controller or Data Processor. The document states: In order to strengthen the enforcement of the rules of this Regulation, penalties and administrative fines may be imposed for any infringement of the Regulation, in addition to, or instead of appropriate measures imposed by the Supervisory Authority pursuant to this Regulation. Numerically, there s a higher risk of being fined for an administrative breach under Article 79 and therefore it presents a much bigger risk than a data breach. Article 79, Amendment 118 (2)(J) provides a list of factors that will be taken into account in fining a company for an administrative breach: failure to implement data protection by default - Article 23 failure to take adequate steps to safeguard the security of data processing - Article 30 failure to have carried out a Data Protection Impact Assessment (DPIA) - Article 33 failure to carry out a Data Protection Compliance Review (DPCR) Article 33a failure to designate a Data Protection Officer (DPO) Article 35 In any of the above administrative breaches, a commercial organisation runs the risk of being fined between 2-5% of global turnover or 100m. So an administrative breach is just as serious as a personal data breach and don t assume you ll be able to get away with a slap on the wrist from the Supervisory Authority you won t. Further information: 2

3 In many respects an administrative breach lowers the bar for getting fined as there s no requirement to show damage or distress has been caused but merely a breach of the administrative principles of the EU Regulation. We ve identified 28 separate administrative breaches lurking in the GDPR that could catch out even the most vigilant of Data Controllers and which represent a major risk to business continuity. Hidden dangers of administrative fines buried in the EU General Data Protection Regulation (GDPR) Administrative breach under GDPR If the Data Controller takes longer than 40 working days in order to process a Subject Access Request (SAR) If the Data Controller charges the Data Subject for a SAR If the Data Controller does not do a full SAR in 40 working days showing the data being held on the Data Subject in a transparent manner If the Data Controller does not perform correct data erasure or data rectification that infringes the rights of the Data Subject If the Data Controller does not allow for data portability for the Data Subject s personal data Administrative fines<0.5% of annual worldwide Administrative fines <0.5% of annual worldwide If the Data Controller does not allow the Data Subject to object to profiling If the Data Controller has not sorted out joint Data Controller documentation and responsibilities if required under the GDPR (under contract) Further information: 3

4 Administrative breach under GDPR If the Data Controller has failed to keep documentation covering data processing upto-date and this includes not having conducted a Data Protection Impact Assessment (DPIA) and a Data Protection Compliance Review (DPCR) If the Data Controller has failed to keep documentation for a Personal Data Breach (PDB) If the Data Controller processes personal data without the correct legal basis for doing so or documented. For example, lack of consent or other conditions such as to perform the contract, the need to have conducted a DPIA and/or DPCR, etc If the Data Controller has failed to collect consent or is unable to show consent to data processing from the Data Subject If the Data Controller fails to process a child s (under 13 years) data correctly or does not possess the correct consent to do so If the Data Controller fails to process special (sensitive) data correctly or does not possess the correct consent to do so Further information: 4

5 Administrative breach under GDPR If the Data Controller does not allow the Data Subject to object to the outcomes of profiling If the Data Controller cannot demonstrate the organisation has the appropriate organisational and technical (security) measures to process personal data under the GDPR (has failed to conduct DPIA and DPCR) If the Data Controller is outside of the European Union and does not have a representative in the European Union Where a Data Processor is used, the Data Controller has not assured itself that data processing is compliant with the GDPR If the Data Controller does not report a PDB notification to the Supervisory Authority in time or correctly with full information If the Data Controller does not inform the Data Subject about a PDB (if required) by the Supervisory Authority Further information: 5

6 Administrative breach under GDPR If the Data Controller does not carry out a DPIA prior to data processing or in lieu of that fails to consult with the Supervisory Authority prior to the DPIA If the Data Controller does not comply with the GDPR and uses a EU Certified Data Seal If the Data Controller does not transfer data outside of the EU in accordance under GDPR If the Data Controller does not stop data processing after an Enforcement Order (or in breach of an Undertaking) If the Data Controller transfers data after an Enforcement Order (or in breach of an Undertaking) If the Data Controller does not allow access to its premises and/or documentation with respect to data processing as governed under the GDPR Does not designate a Data Protection Officer (DPO) Further information: 6

7 Administrative breach under GDPR If the Data Controller does not use or cannot demonstrate data protection by design and by default If the Data Controller does not carry out a DPCRs when required The precedent for this move was set with the removal of the need to show pure harm or distress in Regulation 21 of the EU Privacy and Electronic Communications Regulations (PECR) that happened in April At a simplistic level, an administrative sanction applied say in Germany needs to be the same as that applied in the UK and vice versa, given that the GDPR is for the whole of the European Union. The internal European Commission document places a duty on the shoulders of Supervisory Authorities to harmonise financial penalties and sanctions that will implement a system which provides for effective, proportionate and dissuasive penalties in accordance with European competition law. Further information: 7

8 About the authors of this White Paper Martin Hickley is Director of Data Protection & Privacy at GO DPO EU Compliance Ltd. A data governance, protection and privacy specialist with 25 years of experience mediating with regulators (FCA, ICO, DVLA and Dep Ed) in the world of data and information, working in blue chip companies where data is the raison d'être of the organisation. Experienced in data management, data governance, privacy, risk, compliance and security he takes a global and enterprise view of how data should be fashioned to meet all known current and future business objectives within the evolving regulatory framework. Martin is a Fellow of the British Computer Society. Co-author of Data Protection and Privacy: A Practical Guide to complying with the EU General Data Protection Regulation and Data Protection Officer s Handbook, both to be published by Kogan Page in Martin Hickley can be reached on / martin@godpo.eu Ardi Kolah LL.M FCIM is Director of Training and Content at GO DPO EU Compliance Ltd. He is co-author of Data Protection and Privacy: A practical guide to complying with the EU General Data Protection Regulation and The Data Protection Officer s Handbook: Your guide to the skills and knowledge required under the EU General Data Protection Regulation to be published by Kogan Page in early He s Chairman of the Law & Marketing Committee, Worshipful Company of Marketors and formerly a director of The Defence Academy of the UK. Ardi Kolah can be reached on / ardi@@godpo.eu Further information: 8