GDPR: what do European companies need to do to comply?
After more than 4 years of negotiations and hundreds of amendments, the General Data Protection Regulation (GDPR) was finally published in April 2016. The new legislation, which replaces a Directive from 1995, enters into force in May 2018. Businesses that want to avoid the fines that can be imposed for violating the new European rules need to start complying now.
The internet, social networks, the cloud… all of these barely existed when Directive 95/46/EC "on the protection of individuals with regard to the processing of personal data and on the free movement of such data" was introduced. The GDPR is intended to bring European legislation in line with the times by taking these new uses into account.
But with such a wide range of sectors affected, businesses will have their hands full complying with the new rules. After all, everyone handles personal data in some way or other.
At the end of 2016, a report from Symantec showed that 96% of companies in France, Germany, and the UK only partially understood the GDPR. And just 25% of French companies considered compliance with the new legislation to be one of their top priorities over the next two years. "These results not only show that companies aren't ready for the GDPR, but they also suggest businesses aren't taking the necessary measures for compliance. There is a clear and considerable disconnect between the importance of confidentiality and data security for consumers, and the priorities of businesses," explained Laurent Lecroq, Director General of Symantec in France.
More than 50% of companies today are not in compliance with the requirements laid down by the GDPR (Source: Veritas study)
As it stands, a number of companies don't seem to be aware of the urgency of ensuring compliance with the new EU legislation. And yet they will be subject to a range of new obligations. These include appointing a DPO (Data Protection Officer) for all organizations whose core activities require regular and systematic monitoring of persons on a large scale or result in the handling (again on a large scale) of data deemed to be "sensitive" or relating to criminal convictions.
The DPO must inform and advise the data controller, the sub-contractor, and employees processing the data about the data protection obligations incumbent upon them. According to Article 39 of the EU regulation, the DPO will also be responsible for ensuring compliance with the text, including "the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits".
Until now, companies in France have been required to submit a declaration to the French data protection authority, the CNIL, whenever they carried out any personal data processing. Once the GDPR enters into force, this obligation no longer applies; it is replaced by the concept of privacy by design. Businesses will now need to take the protection of personal data into consideration as early as the design stage of a new product or service.
According to Article 25 of the new regulation, "the controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed". In particular, "such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons".
On top of the issues related to the design of products and services, the text provides for the creation and maintenance of a record of processing activities. Article 30 of the new legislation stipulates that the record must provide information on the purposes of the processing and contain a description of the categories of data subjects and categories of personal data. Companies will also be required to declare the categories of recipients to whom the data has been or will be disclosed and, to the extent possible, the envisaged time limits for erasure of the different categories of data.
In case of a personal data breach, the DPO must notify the competent supervisory authority within 72 hours of becoming aware of it. Article 34 of the GDPR states that this notification will have to be made "when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons". The data controller will then have to take measures to ensure that the high risk is not likely to occur again.