The General Data Protection Regulation (GDPR or Regulation) will become applicable in one year, as of May 25, 2018. A lot has happened since we set out the key provisions of the Regulation last year. As companies implement compliance programmes in efforts to protect data subjects and avoid hefty enforcement penalties, each EU Member State government has to pass implementation laws. Furthermore, regulators are slowly providing guidance on how to apply and interpret the GDPR.
What is happening in the EU Member States?
The GDPR was drafted to “harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States” (Recital 3). Yet the GDPR itself provides a lot of leeway for Member States in its implementation, including room for derogations from at least 50 articles. This “margin of manoeuvre” (Recital 10) creates a degree of uncertainty for data controllers and data processors, and there are some areas where companies (especially those processing sensitive personal data, where Member States have the most flexibility) will need to wait and respond to what Member State governments are proposing.
This wait might be a long one — with only a few exceptions, Member States are trundling towards national implementation plans. Only Germany has passed a first phase implementation law. Some Member States have published drafts of implementation bills and others are still in the process of consultation and preparation. Together with our colleagues at partner law firms, we have set out a summary table of how the GDPR is being implemented across the different Member States.
Click here to view the summary table.
For many Member States, the national implementing legislation is still at the early stages, which creates uncertainty for businesses and risks divergent interpretations. While the GDPR acknowledges that Codes of Conduct (Article 40) and the European Data Protection Board itself will be important mechanisms for harmonisation, we cannot yet assess whether this crucial first step of implementing rules will create unnecessary divergence.
So what has been agreed?
Helpful guidance for data controllers and data processors exists, including guidance by the Article 29 Working Party (WP29) on the new right to data portability, lead supervisory authorities, data protection officers and data protection impact assessments. Further guidance on consent and profiling, data breach notifications, as well as administrative fines and data export is also expected. It should be noted, however, that some of this guidance is not without controversy: even the European Commission wrote to the WP29 expressing concern that the WP29’s interpretation of the new right to data portability is overly broad.
National regulators have also stepped up to assist data controllers and data processors in meeting their obligations. The UK’s Information Commissioner’s Office (ICO) has issued draft guidance on consent and profiling, and plans to release further guidance on contracts and liability. In France, the Commission nationale de l’informatique et des libertés (CNIL) has prepared guidance on Privacy Impact Assessments (PIAs). In Germany, the Bavarian Supervisory Authority issued a series of short guidance papers on the GDPR and the Spanish regulator (AEPD) has issued a form of processing agreement.
What should data controllers and data processors do now?
While further guidance is expected, businesses cannot afford to wait. The need for compliance, especially for longer-term projects such as records of processing and compliant contracting, must be addressed as soon as is practicable.
Businesses that operate, target customers or monitor individuals in the EU should do the following:
Audit: Review Latham’s GDPR Checklist [link] to identify key remediation areas.
Record of Processing: This mandatory record will require significant internal resources, but will also help to plan and implement GDPR processes. Start this now.
Contract Renegotiations: The GDPR requires that contracts with data controllers include additional obligations. As companies come to renegotiate contracts, ensure that adequate data protection clauses are added.
With one year left to go, we will continue to keep you updated of new guidance and developments.