General Data Protection Regulation (GDPR)

The GDPR imposes a high duty of care upon controllers in selecting their personal data processing service providers which will require procurement processes and request for tender documents to be regularly assessed. Contracts must be implemented with service providers which include a range of information (e.g. the data processed and the duration for processing) and obligations (e.g. notification when a security breach occurs, pseudonymization, encryption measures and audit obligations). Where a service provider hires a sub-processor, that entity must also comply with GDPR .

• A data subject’s consent to the processing of their personal data must be freely given, specific, informed, and unambiguous, shown either by a statement or a clear affirmative action which signifies agreement to the processing. Consent cannot be assumed due to inaction.
• The enterprise will be required to demonstrate that consent was given. It should be noted that further guidance of the GDPR emphasizes that “consent is not freely given if the data subject had no genuine and free choice and is unable to withdraw or refuse consent without detriment.”
• Existing consents remain valid, provided they meet the new conditions.
• Where personal data is processed for direct marketing, research or statistical purposes, the data subject will have a right to object. This right will have to be explicitly brought to their attention.

With regard to Privacy by Design, the enterprise will need to ensure implementation of technical and organizational measures to show that they have integrated data compliance measures into their data processing activities, such as adopting policies that ensure compliance with data minimization obligations. This is one main reason that Data Protection Officers must have expertise in technical and administrative data protection controls.

The enterprise will be required to provide information to individuals about the processing of their data, including but not limited to, identity and contact details of the controller, purpose of processing and legal basis, data recipient(s), details of the data transfer outside the EU and retention.

In certain circumstances, the enterprise may need to designate a Data Protection Officer (DPO) as part of its accountability program, but it largely depends on the type and volume of data being processed. The threshold is:

• Processing is carried out by a public authority;
• The core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale; or
• The core activities consist of processing on a large scale of special categories of data.

Apply to become a Certified in Data Protection (CDP) professional and demonstrate a comprehensive knowledge of data privacy and security in all areas of IT and operations.

An individual has the following rights with regards to a data controller:

• to obtain confirmation whether his/her personal data are being processed;
• to access the data (i.e. provide a copy); and
• to be provided with supplemental information about the processing.

The controller must comply “without undue delay” and “at the latest within one month”, with limited exceptions.

GDPR contains essentially the same toolkit as previously available for international data transfer to counties not deemed to have adequate data protection measures, including but not limited to, model contract clauses and binding corporate rules. The GDPR does nothing to resolve the issues around the European Court of Justice’s invalidation of US-EU Safe Harbor, which was one of the primary mechanisms utilized to transfer data from Europe to the U.S.