By 25 May of this year, you are supposed to be “GDPR-compliant”.
What does that mean exactly?
The GDPR is the “General Data Protection Regulation” (n°2016/679), a piece of European legislation adopted in April 2016 which becomes applicable on 25 May of this year (in 3.5 months!). This regulation strengthens the existing data protection principles and the rights of data subjects, who are entitled to be informed, in language they can understand, about the processing of their personal data. Moreover, the GDPR introduces new compliance obligations for any entity processing data, whether established in the European Union or targeting European citizens.
Data controllers, i.e. entities which determine the purpose and the means of the data processing, are under more obligations than data processors, i.e. the entities that carry out the processing on behalf of the data controllers.
Many online service providers are both data controllers and data processors: they are data processors to the extent that they process the (personal) data which their clients submit while using their (cloud) services, and they are data controllers to the extent that they process their clients’ personal data for their own purposes (e.g. invoicing, newsletters, salaries and HR operations). It is not always straightforward to qualify the operations and the role, especially in highly technical and specialised services. A legal and (detailed) factual analysis may be required to identify which entity determines the purpose and the means of processing (the means of processing may be left to the processor, up to a certain extent). The Article 29 Working Party has summarised the criteria as follows (cf. Opinion 1/2010):
Determination of the “purpose” of processing is reserved to the “controller”. Whoever makes this decision is therefore (de facto) controller. The determination of the “means” of processing can be delegated by the controller, as far as technical or organisational questions are concerned. Substantial questions which are essential to the core of lawfulness of processing are reserved to the controller. A person or entity who decides e.g. on how long data shall be stored or who shall have access to the data processed is acting as a ‘controller’ concerning this part of the use of data, and therefore has to comply with all controller’s obligations.
Once you have identified your roles as a data controller and/or as a data processor, you should identify your obligations and in any case, by 25 May 2018, you should:
- Know which data you hold and for which purposes you use and re-use them. You should list the types of processing activities you carry out in a register. You can find models here: CNIL or Privacy Commission.
- Check whether your processing activities respect the “principles for processing” (such as data minimisation and purpose limitation) and are justified by the right legal basis (such as the performance of a contract or consent – in the case of consent additional rules apply!);
- Review your contracts with subcontractors, data processors or sub-processors and other partners to make sure they guarantee an adequate level of protection of personal data;
- Review and/or adopt appropriate technical and organisational security measures (depending on the risk entailed by your processing activities);
- Demonstrate your compliance (e.g. record of processing activities, risk analyses).