On 25 May 2018, the long wait was over and the EU General Data Protection Regulation (GDPR) finally entered into full force and effect and became applicable in all EU Member States. During the preceding two-year transition period, companies worked hard to prepare themselves for and to ensure compliance with the new requirements under the GDPR. This required a lot of commitment and effort (and, towards the end of the transition period, perhaps even blood, sweat, and tears – at least figuratively speaking) from both internal and external resources. However, what needs to be remembered is that there is most likely still work to be done and thus no time for a rest. Below, we have listed some areas that are still likely to require attention from companies.
(i) Shift in areas of focus
Whereas before the big day of 25 May the focus was largely on data mapping and drafting external-facing documentation and internal guidelines & policies, during the “GDPR era” the focus is now shifting towards making data protection a part of companies’ everyday operations and building a corporate culture in which data protection is a natural ingredient. This also stems from the privacy-by-design and privacy-by-default principles under the GDPR, which require data protection aspects to be built in as an inherent part of product and service development processes.
Of course, the level of GDPR maturity varies between different companies, but based on our experience, the changes in the deeper levels (i.e. the cultural level) do not happen overnight, or even over months. Having said that, it is now time to not only fine-tune the practices but also to create and test different tools and practices for the purpose of assessing how well the different guidelines and policies are followed by employees handling personal data.
(ii) Data processing agreements
It is very likely that many of you who have an ever-increasing pile of data processing agreements (DPAs) on your desk (or in your email) waiting to be commented on or negotiated wish that the EU Commission had introduced standard contractual clauses for DPAs. However, there are unfortunately no such standard contractual clauses and, furthermore, the market practices are still developing and vary depending on who you are asking.
The requirement for having a written data processing agreement in place between the controller and the processor has led to a peculiar situation: on the one hand, the GDPR does provide minimum content requirements for DPAs, but on the other hand, it leaves open several issues, such as the division of costs and liabilities. In our experience, the most negotiated issues in DPAs concern the right of a processor to be compensated for the work it is performing for the controller (for example in relation to assistance in responding to data subjects’ requests) and – quite naturally – liabilities. As regards liabilities (or limitations of liability inter partes), the main factor driving the negotiations is the ultimate threat of administrative fines of 4%/EUR 20M. Naturally, neither of the parties – the controller or the processor – is willing to expose itself to extensive liability in case the other party is not complying with the requirements of the GDPR. Without going into the nuances of the various mechanisms for liability clauses, our “pro tips” are as follows: (i) always check the DPA liabilities together with the main agreement (there is almost always an existing agreement with some sort of liability provisions) and assess what type of carve-outs and changes need to be made in the DPA, and (ii) use the principle of “liability follows control”, which means that the party having control over the actual processing operations should also be liable for the consequences if something goes wrong.
From a controller’s perspective, it should also be remembered that putting a proper DPA in place is not sufficient as such. As the first step, controllers should assess the processor’s data protection capabilities and, as required by the GDPR, only use “processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject”. Therefore, it is advisable to include data protection aspects as part of the controller’s vendor due diligence process.
(iii) Keep an eye on the development of market practices and guidance
As we know, the GDPR leaves a lot of room for interpretation with respect to certain requirements. The European Data Protection Board (the former Working Party 29) has already provided some guidelines on the GDPR (e.g. regarding consent, transparency, data portability, and data protection impact assessments) and, in addition, other official and non-official stakeholders, such as the UK’s Information Commissioner’s Office (ICO) and the Data Protection Network (DPN), are also producing their own useful guidance on a variety of GDPR-related matters. However, at the same time we are still seeing a lot of “fake news” and – quite frankly – false and incorrect information on the GDPR requirements. Therefore, if ever in doubt, we urge companies to conduct double-checks and sanity checks on interpretations and non-official guidance, especially if the matter is important for the company’s business.
(iv) The ePrivacy Regulation is lurking around the corner
Managing Associate at Hannes Snellman