Each time an organisation processes personal data, it will do so as either a controller or a processor. These roles bear different responsibilities. Therefore, it is critically important for an organisation to be able to:
What types of organisations are most affected?
All organisations are likely to process at least some personal data as data controllers (even if only in relation to their own employees). Therefore, all organisations that are subject to EU data protection law are affected by this issue.
What should organisations do to comply?
Each organisation that acts as a controller should:
Icons to convey information quickly
The following icons are used in the table, to clarify the impact of each change:
Commentary: Data protection by design and by default
Under the GDPR, in respect of each current or proposed data processing activity, organisations must "bake in" measures to ensure data protection compliance. This means that, for each new or existing product or service that involves any collection or further processing of personal data, organisations must ensure that the relevant product or service is designed with data protection compliance in mind.
In addition, in relation to all processing activities, organisations must ensure that, by default, they process personal data in accordance with the rights afforded to individuals under the GDPR. This is likely to require many businesses to re-think their data processing activities from the ground up.
Commentary: Liability of joint controllers
Under the Directive, joint controllers were generally liable only for the harm for which they were each responsible. In some circumstances (e.g., where one of the joint controllers became insolvent) this meant that data subjects could not obtain full compensation for harm arising from the joint processing. The GDPR reverses this approach: each joint controller is fully liable to the data subject, who may therefore bring a claim against whichever of the joint controllers he or she chooses.

Once "full compensation" (a term the GDPR does not further explain) has been paid, the joint controller(s) who paid it may claim back from the other joint controllers involved in the same processing the part of that compensation corresponding to their share of responsibility for the harm. There is an exemption, but it applies only where the controller proves that it is not in any way responsible for the harm. Consequently, a joint controller that bears only minimal responsibility for the harm nevertheless remains liable to pay "full compensation" to affected data subjects and must then pursue the other controllers for the balance. It is likely that, under the GDPR, joint controllers will increasingly seek contractual indemnities from one another before commencing any joint processing.
Commentary: Data breach reporting
The GDPR's 72-hour deadline for reporting data breaches to DPAs is likely to prove extremely challenging. In most cases, what an organisation knows about the extent and causes of a breach develops substantially over the first couple of weeks after the breach is discovered. Within 72 hours it will often be extremely difficult to ascertain whether a breach is likely to result in a risk to individuals (and therefore must be notified to the DPA) or in a high risk to individuals (and therefore must also be communicated to the affected data subjects). The GDPR does permit the required information to be provided in phases where it cannot all be supplied at once, but the clock for the initial notification still runs from the moment the controller becomes aware of the breach, so organisations need an incident response process that can produce an initial, reasoned risk assessment within that window.
In order to comply with the GDPR, it is important for organisations to:
Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright. © 2016 - 2019 White & Case LLP