Major Operational Impacts of the GDPR


December 21, 2017

The December Blog Series | Looking Ahead: What's to Come for 2018

Issue 16: Major Operational Impacts of the GDPR

As the General Data Protection Regulation (GDPR) goes into full effect in the spring of 2018, there are a number of new protections as it relates to EU data subjects that organizations must be aware of in order to avoid fined and penalties for non-compliance. The following operational impacts should be noted:

Cybersecurity and data breach notifications
Data processors and controllers have stricter operational procedures to follow on data security. Now, specific breach notification guidelines have also been developed and included. These specific actions are considered at risk and should have appropriate security protocols in place:

  • Encryption of personal data
  • Ensuring the confidentiality, availability, integrity and resiliency of processing systems and services
  • The ability to restore access and availability of personal data in a timely manner after an incident occurs
  • Processes in place for the testing, assessment, and evaluation of technical and organizational measures for ensuring processing security
Requirement of a mandatory data protection officer
A data protection officer is now required to comply with the new standards. This officer must be appointed for all public authorities. These data protection officers must have "expert knowledge of data protection law and practices."

There are specific requirements for obtaining data consent. The new law has distinct protocols for processing "special categories of personal data" with an expanded range of what falls under those categories. There are also restrictions on the ability of children to consent to data processing without parental authorization.

Cross-border data transfers
Although personal data transfers to a third country or international organization are permitted when adhering to certain conditions, there are some distinct changes. There is now an allowance of transfers based up on certifications, as long as binding and enforceable commitments are made by the controller or processor to apply strict safeguards.

For cross-border transfers, there are certain conditions and safeguards that must be followed. These are outlined in Articles 44-49 of the GDPR.

Profiling is restricted under the GDPR, giving data subjects rights to avoid any profile-related decisions. Under this rule, data processing may be viewed as profiling when it involves (a) automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person. This excludes data processing that is not automated. Controllers musts honor the rights of data subjects regarding profiling, or face penalties.

RTBF and data portability
The GDPR expands an individual's control over the use of personal data. Under this directive, two new rights were created:

  • The right to be forgotten -- individuals can request their personal data be deleted, and where the controller has publicized the data, require other controllers to comply
  • The right to data portability -- controllers are now required to provide personal data to the data subject in a commonly used format, transferring that data to another controller at the data subject's request
Managing vendors
There are now clear lines of accountability over data processing, outlining the responsibilities of controllers and processors in handling personal data. The rules have expanded with more detailed requirements and duties. There are also additional duties and restrictions for processors as it relates to subcontracting. Non-compliance can result in prosecution and hefty fines.

The GDPR encourages pseudonymization of personal data, which will render data neither anonymous nor directly identifying. It separates data from direct identifiers so linking to an identity is difficult without additional information. There are incentives under this directive for controllers to peseudonymize the data collected for stronger security measures. This process is not exempt from regulation, but the requirements of controllers are not as stringent.

Certifications and codes of conduct
Codes of conduct and certifications is encouraged by the GDPR to establish compliance, and offer third-party oversight as a means of checks and balances. Articles 40 and 41 should be used to establish codes of conduct for approved methods of compliance.

Non-compliance comes with strict administrative procedures and large fines that may exceed 20 million euros, or 4% of the annual global turnover of a company. There are two "tiers" of maximum fines, depending on whether the controller or processor committed any previous violations, and their nature. Larger fines will apply to more serious violations.

The changes in GDPR regulations is a significant shift in protecting data. Make sure your organization understands the new rules and are taking steps to fully comply moving into 2018.