Although May 25, 2018 - the date of effective enforcement of Regulation no. 679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter "the Regulation" or "GDPR") - is approaching very fast, the question "Are you ready for GDPR?" still creates confusion, in certain circumstances, regarding the new regulation on the protection of personal data brought by GDPR and its applicability.
The various publicly available articles on GDPR as well as the many events that took place at the end of 2017 and early 2018 on the subject of personal data protection had the role of informing, in a detailed and varied manner, on the implications of the Regulation and the need to comply with its provisions.
Unfortunately, despite all the information available, it seems that the GDPR regulation is still unknown (or far too little known) to a rather large number of people working in different areas of activity, one of the very common explanations being the hypothesis that GDPR is not applicable, since personal data is not processed.
Somehow easy to understand in case of individuals (the processing of personal data by them as part of a purely personal or domestic activity being excluded from the scope of the GDPR), in case of legal persons, it is rather difficult to imagine situations of non-applicability of the Regulation, in general, especially if we consider the classical situation of an organized entity operating under the laws of a Member State of the European Union and operating within that State and/or within the European Union.
Possible matters to clarify
In this context, even in the case of entities operating in fields/industries where the interaction with individuals is limited, at the very least the answers to the following questions may prove extremely useful in confirming the application of GDPR:
(a) Are there any employees within the company?
Application of GDPR is also required in the field of labor relations, given the personal information that an employer has on the employees.
(b) Are there relationships established with other natural or legal persons?
Personal data can also be processed based on or in relation to relationships established by an entity with various partners/suppliers, especially if the services provided directly involve the exchange of personal data (e.g. in case of relationships with payroll or health and safety providers).
(c) Is it possible that the actual activity excludes any kind of personal data processing?
GDPR does not only apply to entities that directly address individuals or are related to individuals (such as retail, recruitment, couriers, medical services etc.), but to all persons who, in the course of their work, process personal data.
The impact of the GDPR regulation can be assessed according to the actual circumstances (including the level/ volume of the processed data and/or the processing method).
Making an assessment
In view of the implementation of the GDPR, it is therefore necessary to carry out a general assessment of all personal data processing operations carried out at the level of a person in order to have as detailed a picture as possible of the processes carried out internally and/or with external partners regarding said data.
On the basis of such a preliminary assessment, the necessary steps can be taken to ensure compliance with the provisions of the Regulation.
However, given the specific requirements imposed by the new regulation, it should be stressed out that the GDPR impact assessment should not exclude current processing operations that have been notified to any regulatory authority1 or previous assessments from this perspective.
Depending on the actual findings of the assessment of personal data processing operations, the concrete steps that are required to address the provisions of the Regulation (which imply, first of all, the need to raise awareness of the importance of personal data), can be determined, such as:
(a) provide legal bases for processing personal data, particularly in view of (more restrictive) specific requirements to obtain consent from the data subjects2 - in this respect, it may be necessary to adopt different processing grounds that can respond much better to new regulatory requirements;
(b) compliance with the principles of processing, including limitations on the purpose of processing or minimization of processed data – one of the beneficial effects being the removal of unnecessary data;
(c) fulfillment of the conditions relating to the processing of special categories of data;
(d) ensuring observance of the rights established by GDPR for the data subjects (in particular, the right of access, the right to be forgotten and the right to data portability, which can pose serious problems from an administrative/operational perspective);
(e) ensuring that adequate technical measures are in place to meet the data protection requirements both from the time of designation of the processing facilities and at the time of processing (data protection by design and by default) – with implicit effects on the accountability of the persons involved in processing operations;
(f) assessing potential controller – processor relationships;
(g) keeping records of data processing;
(h) implementing internal measures to notify personal data breaches;
(i) where necessary, carrying out an impact assessment3 (Data Protection Impact Assessment); and
While apparently both the awareness of GDPR implications and the implementation of related measures that can ensure compliance with the requirements of the Regulation may be difficult to achieve by May 25, 2018, it should be taken into account that this date is only the initial moment when the rules imposed by GDPR begin to apply.
Compliance with the Regulation will be an ongoing process, which will need to be subject to ongoing evaluations to ensure full compliance with the privacy principles set out therein.
In conclusion, the question "Are you ready for GDPR?" will continue to be present in the public space even after May 25, 2018. Fortunately, with the inherent benefits brought to both personal data processors and persons whose data is processed.
By Vlad Irimia, Senior Associate, Voicu & Filipescu