What to worry about now that the GDPR is here: Part 3


The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive, and complex, data privacy regulation in the world. In the race to create documents showing that they were in compliance, many companies inadvertently created documents that actually show they are out of compliance. The net result is that instead of reducing liability, they have increased it.

Bryan Cave Leighton Paisner is publishing a multi-part series focused on what companies should be doing now that the GDPR is here.  This installment focuses on data inventories.

What is a data inventory?

Article 30 of the GDPR requires most companies to “maintain a record” of their processing activities. For a controller, that record should include the following for each processing activity:[1]

  • the purpose of the processing;
  • the categories of data subjects involved;
  • the categories of personal data involved;
  • the categories of recipients to whom the data is or will be disclosed;
  • any countries outside the European Economic Area to which the data is transferred and, where applicable, documentation of the safeguards relied on for the transfer;
  • the envisaged time limit before the data is erased; and
  • a general description of the security measures applied to the data.

In the lead-up to the GDPR, many organizations rushed to create data inventories in-house using forms and templates supplied by law firms or supervisory authorities, or retained consultants to come in and complete a data inventory on their behalf.

Why are data inventories dangerous?

Herein lies the problem. Companies are required to “make the record [of their processing] available to the supervisory authority on request.”[2] That means that if a supervisory authority investigates your organization, the data inventory will more than likely be the first thing it requests.

The following is a case study of a multinational organization that retained a well-reputed consulting company to conduct a data inventory and to create the documentation required by Article 30. The consulting firm used technology (e.g., online surveys) to interview hundreds of individuals and then produced a complex data inventory for the organization. The overall cost approached $100k.

At the end of the project, the organization asked BCLP to evaluate the data inventory as part of a holistic GDPR gap assessment. Our evaluation found that the descriptions of 80% of the inventoried systems were either inaccurate (at best) or documentation of per se legal violations (at worst). Indeed, had the inventory been produced to a supervisory authority, it would have shown what appeared to be at least ten systemic violations of the GDPR crossing dozens of data systems. The tragedy was that the organization’s actual data practices, if correctly described and correctly documented, did not violate the GDPR. The only violations were the ones the data inventory itself created.

While the errors in the inventory are too many to list, the following is the third part of a three-part case study describing some of the main problems the inventory would have created had a regulator ever seen it:

Part 3:  Compliance with legal obligations. 

The consulting company had listed “compliance with a legal obligation” (the lawful basis in Article 6(1)(c)) for 67% of the data systems described. This created several problems.

First, and foremost, the inventory did not identify which statute, regulation, or rule applied to any data system. As a result, a supervisory authority could not have confirmed, from the face of the document, that a legal obligation to collect the information existed.

Second, and perhaps more importantly, when one drilled down into why the consultants believed the processing was necessary for compliance with a legal obligation, the answer was that the company had an obligation under United States law to keep the data. The problem is that the Article 29 Working Party, the body that preceded the European Data Protection Board and had authority to issue guidance on European data protection law, had taken the position that the legal obligation must “refer to the law of the European Union or of a Member State” and, specifically, that “the law of third countries (such as, for example, the obligation . . . in the United States) are not covered by this ground.”[3]

Third, some of the “legal obligations” identified were in fact contractual obligations (or the potential defense of potential contractual breaches). Here too the consultants overlooked the Article 29 Working Party's position that the legal obligation relied on as a basis for processing cannot be imposed “by a contractual arrangement.”[4]
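The three failure modes above, together with the Article 30 checklist earlier on this page, are mechanical enough to lint before an inventory is ever handed to a regulator. The script below is an added example written for this page; it is not BCLP's tool or the consultants' inventory. The record layout, the field names (`legal_source`, `legal_jurisdiction`, `transfers`), the keyword heuristic for spotting contractual duties and the three sample records are all assumptions constructed for illustration.

```python
"""Lint Article 30 records of processing for the documentation failures
described on this page. Added example; the record schema and sample
records are assumptions made for illustration, not a real inventory."""
from dataclasses import dataclass, field

# Art. 30(1)(b)-(g) items that every controller record must carry.
REQUIRED_FIELDS = (
    "purpose", "data_subjects", "data_categories",
    "recipients", "retention", "security_measures",
)

EU_MEMBER_STATES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
}
# Assumption: the EEA Agreement extends the GDPR to IS, LI and NO, so
# their law is treated like Member State law here.
EEA_STATES = EU_MEMBER_STATES | {"IS", "LI", "NO"}
# Only EU law or Member State law can ground Art. 6(1)(c) (WP 217, p. 19).
ALLOWED_LAW_JURISDICTIONS = EEA_STATES | {"EU"}

# Heuristic: wording that suggests the "obligation" is really contractual.
CONTRACT_MARKERS = ("contract", "agreement", "terms of service")


@dataclass
class ProcessingRecord:
    system: str
    lawful_basis: str            # e.g. "legal_obligation", "contract", "consent"
    purpose: str = ""
    data_subjects: str = ""
    data_categories: str = ""
    recipients: str = ""
    retention: str = ""
    security_measures: str = ""
    legal_source: str = ""       # statute/regulation/rule relied on (if 6(1)(c))
    legal_jurisdiction: str = "" # ISO 3166-1 alpha-2 code, or "EU"
    # Transfers outside the EEA: [{"country": "US", "safeguard": "SCCs"}, ...]
    transfers: list = field(default_factory=list)


def lint_record(rec: ProcessingRecord) -> list:
    """Return human-readable findings for one record (empty list = clean)."""
    findings = []
    for name in REQUIRED_FIELDS:
        if not getattr(rec, name).strip():
            findings.append(f"missing Art. 30 item: {name}")

    for t in rec.transfers:
        country = t.get("country", "").upper()
        if country not in EEA_STATES and not t.get("safeguard"):
            findings.append(f"transfer to {country} without documented safeguard")

    if rec.lawful_basis == "legal_obligation":
        src = rec.legal_source.strip()
        if not src:
            findings.append("legal obligation claimed but no statute or rule cited")
        else:
            if rec.legal_jurisdiction.upper() not in ALLOWED_LAW_JURISDICTIONS:
                findings.append(
                    "legal obligation cites third-country law "
                    f"({rec.legal_jurisdiction or 'unspecified'}); "
                    "Art. 6(1)(c) requires EU or Member State law")
            if any(m in src.lower() for m in CONTRACT_MARKERS):
                findings.append("cited 'legal obligation' looks contractual; "
                                "consider Art. 6(1)(b) or (f) instead")
    return findings


def lint_inventory(records):
    """Map system name -> findings, plus the share of records on Art. 6(1)(c)."""
    report = {r.system: lint_record(r) for r in records}
    on_legal = sum(1 for r in records if r.lawful_basis == "legal_obligation")
    return report, (on_legal / len(records) if records else 0.0)


# Constructed sample inventory: one clean record and two with the page's defects.
SAMPLE_RECORDS = [
    ProcessingRecord(
        system="Payroll (DE)", lawful_basis="legal_obligation",
        purpose="salary payment and statutory payroll accounting",
        data_subjects="employees", data_categories="identity, bank, tax data",
        recipients="payroll provider, tax authority",
        retention="10 years after fiscal year end",
        security_measures="access control, encryption at rest, audit log",
        legal_source="HGB § 257 (retention of accounting records)",
        legal_jurisdiction="DE"),
    ProcessingRecord(
        system="Email archive", lawful_basis="legal_obligation",
        purpose="retention of business correspondence",
        data_subjects="employees, customers",
        data_categories="contact data, message content",
        recipients="internal legal, archive vendor", retention="7 years",
        security_measures="encryption at rest, MFA",
        legal_source="US federal record-retention requirement",
        legal_jurisdiction="US", transfers=[{"country": "US", "safeguard": ""}]),
    ProcessingRecord(
        system="Customer support CRM", lawful_basis="legal_obligation",
        purpose="defend potential claims under customer agreements",
        data_subjects="customers", data_categories="contact data, tickets",
        recipients="support staff", retention="",  # deliberately left blank
        security_measures="role-based access",
        legal_source="master services agreement clause 12",
        legal_jurisdiction="IE"),
]

if __name__ == "__main__":
    report, share = lint_inventory(SAMPLE_RECORDS)
    print(f"{share:.0%} of records rely on Art. 6(1)(c)")
    for system, findings in report.items():
        print(system, "->", findings or "clean")
```

Run against the three constructed records, the German payroll entry comes back clean, the email archive is flagged twice (third-country law and an undocumented transfer), and the CRM entry is flagged for a contractual "obligation" and a missing retention period. The keyword check is a heuristic, not a legal determination; its point is to route suspect entries to counsel before the inventory is finalized.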

BCLP is a global law firm with an internationally recognized data privacy and security practice. It is regularly asked to provide GDPR advice and counseling, including reviewing and validating data inventories created by companies or by third-party consultants on their behalf.

[1] GDPR, Article 30(1)(b)-(g).

[2] GDPR, Article 30(4).

[3] Article 29 Working Party, Opinion 06/2014 on the notion of legitimate interests (WP 217), p. 19.

[4] WP 217, p. 19.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising
