Post-GDPR era: from theory to practice
by our Risk Advisory Manager, Charis Photiou
Even after the General Data Protection Regulation (“GDPR”) has become enforceable by data protection authorities against corporations established in (and outside) the European Economic Area (“EEA”), there are still practical implementation challenges that organisations must tackle before they can credibly claim to mitigate the data privacy risks that could adversely affect their business. Practical implementation challenges may arise from, among other things, the absence of specific implementation guidance from data protection authorities in certain areas and a lack of standardisation. It is also true that some organisations did little to comply with the previous Data Protection Directive on which the GDPR is based.
Where is the data?
A crucial component of any GDPR implementation project is the creation of the Register of Processing Activities (“RoPA”). Although the RoPA is first mandated halfway through the GDPR text (Article 30), at Deloitte we believe that it is the cornerstone of any GDPR implementation, that RoPAs should be sufficiently detailed and that, naturally, GDPR implementation should be data centric. Challenges arise when organisations adopt a “fill in the blanks” approach to fulfil minimum requirements. Whilst this approach may be appropriate for fulfilling the requirements set out in Article 30 for small organisations operating locally, it may not be appropriate for larger organisations or for organisations with a diverse business model and/or an internationally expanded group structure. Management decisions should be made, and appropriate resources allocated, concerning the methods for data discovery, human resources, records management, collaboration and integration with business processes. We have witnessed situations in which the solutions implemented may have been developed as part of a one-off exercise, are not easily maintainable, impede multinational collaboration or are simply inadequate. The bottom line is that the stakes are high when factual circumstances differ from what is prescribed in the established records.
Fair, transparent and purposeful processing in the name of law
Simply put, if processing is performed without a lawful purpose, or that purpose is not adequately communicated to individuals, in a manner that impedes in any way the protection of data subject rights, then organisations are looking at the ceiling of GDPR fines. Implementation of the above criteria should be data centric. To pose the real dilemmas in layman’s terms, an organisation may be concerned, among other things, about whether dynamic IP addresses are treated as personal data, whether it is appropriate to process data concerning criminal records, whether an XYZ EU law defines the purpose for such processing, or whether legitimate interest is sufficient as a lawful basis for direct marketing. International organisations face the additional challenge of determining which law applies when variations between EU member state legislation are observed. GDPR provides solutions that address instances where the absence of a lawful basis is observed.
Transparent processing should be applied by disclosing, in sufficient detail and with appropriate methods, all required information to ensure that individuals are appropriately informed, irrespective of the medium used to capture the data subject’s information or its source.
Fair processing encompasses respect for data subject rights. Bearing in mind that the process of handling data subject right requests may trigger complaints by data subjects, organisations must carefully consider the process, scope, applicability, methods and means of fulfilling a data subject right request on a case-by-case basis.
Our experience in this area revealed that, among other things, wrong lawful bases may be used or insufficiently supported, data subject rights may be inadequately applied, insufficient transparency may be demonstrated, or local EU member state laws may be ignored in cases where they impose stricter requirements. Other issues that we have come across include instances where processing activities were ceased because a lawful basis to support them had not been identified. However, in certain cases the processing activities could have continued if more diligent research had been performed to identify an appropriate legal basis; legal bases may even exist deep within the European Court of Justice’s decisions.
Data processors are responsible too and the controller should verify this
Processors under GDPR can be considered subordinate to the controller, being required to process personal data “only on documented instructions from the controller”. However, processors maintain specific responsibilities which have to be demonstrated to the controller, and the controller needs to ensure that it employs only those vendors who “provide sufficient guarantees” concerning their data protection capabilities. Things get complicated when the processors are large multinational organisations or when they have bargaining power over the controller. The mere existence of a data processing agreement will simply not suffice when controllers are challenged to demonstrate control over their processors. Variations in the performance of vendor due diligence, in contract clauses and in the methods that controllers use to verify the technical and organisational measures implemented by processors are quite common. Controllers often seek to obtain third-party assurance reports from processors in the absence of the much-promised approved certification mechanisms or codes of conduct. Reluctance is observed when costs have to be borne by either party or when changing a processor seems to be the “right thing” to do. Ultimately, the controller remains responsible under GDPR and has to decide whether the risk will be assumed or delegated.
International organisations, transfers and main establishments of controllers
International operations may foster the consolidation of administrative processing activities to achieve tax and/or operational efficiencies. Whilst centralisation and consolidation may be effective for tax and financial reporting purposes, they may not be appropriate for use in agreements governing international transfers. The concept of a “main establishment” must be applied with care, as the recent €50 million fine imposed on Google revealed that, when factual circumstances differ, the location of the main establishment can be challenged.
Concerning the safeguarding of international intra-group transfers, as of the date of publication of this article, Binding Corporate Rules (“BCR”) had been adopted by approximately 100 international organisations. The time-consuming process of having BCRs approved has led organisations to look for alternative ways of safeguarding intra-group transfers. International organisations that apply other safeguards or derogations in ways that reduce administrative costs, especially when these are not designed properly or are used to bypass the adoption of a BCR programme, are walking in uncharted territory.
End-to-end risk-based data protection
Data protection must be embedded in the existing situation of an organisation, covering all processing activities, and must also be considered during change management in a risk-based, consistent and systematic manner. Sometimes we observe organisations adopting a “tick the box” approach which is usually a by-product of an exclusively legalistic and siloed approach and which fails to adapt to specific circumstances; in most of these organisations implementation depends largely on the intuition of the person performing the activity. Data protection should be applied by design and by default and requires application across the board. Whilst Data Protection shares common elements with the discipline of Information Security, organisations may maintain a clear separation between Data Protection and Information Security because of organisational silos. Certain Data Protection Authorities have published specific guidance and tools which support the Data Protection Impact Assessment process and which clearly promote the application of security measures according to Data Protection criteria. The recent fines imposed on Uber and on the Centro Hospitalar Barreiro Montijo hospital are good examples of inappropriate or misaligned information security practices.
Should I report it or not?
The treatment of data breaches under GDPR is a major challenge for organisations. GDPR requires disclosure to the supervisory authority and to the individuals affected once organisations become aware of a data breach. Organisations face real dilemmas, which often resemble games of Russian roulette. Should an organisation report a data breach that has not become publicly known, or should it remain silent? Again, management has to decide whether to assume the risk or mitigate it, by considering the possibility that the breach becomes known to others before the organisation reports it. Currently, very few organisations from a global perspective have the organisational maturity to report a data breach before it is exposed to others simply because they are confident about the data protection and security measures they implement. Facebook’s recent GDPR data breach, which affected 50 million users and which followed the Cambridge Analytica breach, is the most prominent example of a data breach disclosure reported by an organisation without the data having been exposed to others. The impact on Facebook of its reported data breach will be known when the Irish Data Protection Commissioner completes the investigation it announced on 3 October 2018. The Irish Data Protection Authority’s decision will definitely influence the data breach reporting processes of organisations in scope of GDPR.
The DPO, the most powerful GDPR tool
Appointment of a Data Protection Officer (DPO) is mandatory for organisations which fulfil certain criteria under GDPR. Although the skills and competencies that a DPO should possess have not been explicitly determined by the regulators, it is clear that the DPO should possess a well-diversified skillset due to the breadth of coverage of Data Protection matters. The DPO should, among other things, demonstrate proficiency in the Data Protection Regulation, Information Security, Risk Management, Audit and Regulatory compliance. The quality and personal attributes of the DPO shape the Data Protection culture in an organisation. The DPO is the person who will speak up when everyone else stands down on Data Protection matters, as well as the person to be consulted on any matter concerning Data Protection. To achieve this, the DPO should maintain organisational/functional independence and perform his/her duties ethically and free from conflicts of interest. Organisations face challenges when inadequate resources are assigned to GDPR implementation. Business users quite frequently assume that the DPO is responsible for undertaking GDPR implementation. DPOs who undertake tasks which conflict with their supervisory role run the risk of downplaying the importance of Data Protection and ignoring material Data Protection matters, thus increasing the risk of the organisation being sanctioned for infringements of the GDPR.
This article touches upon some of the challenges we have faced in practice. The only way these challenges can be successfully dealt with is through the provision of valid, actionable and quality advice and support. Our GDPR client portfolio includes organisations from every industry sector, both locally and internationally.
For more information please contact:
Risk Advisory Manager
T: +357 22 360 824