Is GDPR an important topic which deserves all our attention? We at Sentia feel it is, which is why we have organized an event dedicated to all aspects involved with GDPR on May 18th in Edegem. And, judging from the full house that attended these information sessions, we can conclude that you consider it equally important. That’s why we thought it useful to wrap up the most important takeaways from the various sessions of that day.
As 25 May 2018, the date from which the GDPR applies, approaches, organizations are becoming more and more aware - and concerned. They are starting to feel the breadth of the impact on their infrastructure and procedures, and the weight of the consequences: fines of up to 4% of annual worldwide turnover (or 20 million euro, whichever is higher).
Some of us are more exposed than others, but every data-intensive organization will have to investigate thoroughly what consequences the new GDPR rules will have for it. The focus of that investigation depends on which role you play in the data handling process.
SETTING THE SCENE: DATA CONTROLLERS, DATA PROCESSORS AND DATA SUBJECTS
Are you a data controller, the party that determines why and how personal data is collected, managed, analyzed and shared? Then you will have to focus on the privacy aspects, such as the customer’s right to be forgotten and the controller’s duty to inform the customer - aka the data subject - with whom their data will be shared.
Are you a data processor? Then, like us, you are bound by the notorious data breach notification obligation. The rule has two parts: every data controller is legally bound to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and every data processor has the duty to inform the data controller, without undue delay, of any breach involving some or all of that controller’s data, so that the controller can meet its own 72-hour deadline.
The relationship between data controller and data processor is not always that obvious when it comes to GDPR. Both are responsible for the data they handle, each with their own set of obligations. But, as the breach notification example above shows, these obligations are often shared and not as clearly separated as one would expect.
Therefore it is very important to draw up a mutually agreed model of shared responsibilities and to sign an agreement on who performs which actions in every foreseeable scenario. What should this model look like? And how can you ensure a GDPR-compliant relation between controller and processor?
This was the general backdrop that Sentia’s Product and Compliance Officer Jannick Fabel sketched before several experts expanded on their specific domain of expertise.
DON’T GET LOST IN THE LEGAL MAZE!
We all want to be GDPR-compliant, that goes without saying. But becoming legally compliant is not as easy as we would like, agreed Johan Vandendriessche, partner at legal firm Crosslaw. To start with: there are many language versions of the GDPR Regulation, and it turns out that not all versions say exactly the same thing. So it might well be that, according to one version you are compliant, whereas you could be fined according to another. Not a situation you would like to be in.
But it is not all doom and gloom, reassured Vandendriessche: if you can demonstrate that you have done your utmost to ensure compliance, you will be judged far less harshly than if gross negligence can be proved.
Doing your utmost mostly means keeping a record of all processing activities, both as a data controller and as a data processor. And we really mean ‘all’: from describing the current and desired state of securing and safeguarding data, to the procedures agreed for handling a data breach should one occur.
As a data controller, you need to identify and assess the suitability of each new data processor, and to review the contractual arrangements with existing processors to assess whether they remain adequate after 25 May 2018. All these steps need to be fully documented as well, as you would expect by now.
As a data processor, you need to make sure not only that your agreements with the data controllers are fully GDPR-compliant, but also that every obligation in the agreement with the data controller is passed on in the agreement with each sub-processor (subcontractor). This is called the “unbroken chain” of data processing agreements. A data controller also has the right to object to the selection of a specific sub-processor when it fears this sub-processor could mean an increased risk of non-compliance.
All the above agreements need to be drawn up in writing. In Belgium, this can be a paper as well as an electronic document; in other countries a paper document may be required. The agreement should define aspects such as: subject matter, duration, nature and purpose of the processing, type of personal data and categories of data subjects. Data processors are also obliged to assist data controllers in the exit procedure (returning or deleting the data) when an agreement is terminated.
CODES OF CONDUCT MAY SAVE THE DAY
Confused? And we haven’t even gone into detail yet! Indeed, the legal framework is very complex and difficult to comply with, if only because it is very hard to know all the legal constraints, let alone abide by them. Especially since each industry has its own complexities and specific situations, which require different approaches to becoming compliant.
That is why, fortunately, specific Codes of Conduct are being drawn up for several industries, for approval by a competent DPA (Data Protection Authority). An approved Code makes it easier for organizations in that industry, within the member state of the DPA, to know what applies to them and which specific requirements they should take particular care of. In a next phase, such a Code of Conduct may even be approved by the European Commission, which can declare it generally valid within the entire European Union, explained Frank Ingenrieth, Manager Legal Affairs at Scope Europe, an entity established to host and administer Codes of Conduct and to foster their development on a European level.
The Codes of Conduct are meant to simplify everybody’s life. Data processors can demonstrate more easily that they are GDPR-compliant, because adherence is checked by an independent monitoring body, and they have a more specific set of conditions to meet, which makes compliance easier to achieve.
And rest assured: the Cloud Code of Conduct is already available. And, obviously, Sentia will gladly help you on your journey to become compliant.