Data protection compliance strategy | Practical Law

This article examines the importance of observing data protection law and introducing a compliance system for companies operating across several jurisdictions. This is particularly the case in view of the increasing importance of data protection compliance. A number of high-profile cases have increased enforcement in this area and the EU has adopted reinforced rules that will enter into force in the Spring of 2018. A comprehensive compliance system can help companies avoid the potential minefields and reduce the potential risks associated with non-compliance. This article explains how companies can set up an internal data protection structure and adopt a strategy towards compliance with the current data protection rules and the future EU rules.

Data protection compliance strategy

Practical Law UK Articles 4-632-0927 (Approx. 17 pages)

by Thibaut D'hulst and Lily Kengen, Van Bael & Bellis
Law stated as at 01 Oct 2017 (Belgium)
This article is part of the Global Guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide

Introduction

It is critical for modern businesses to observe data protection laws. Companies handle an increasing volume of personal data in virtually every department of their organisation (for example, IT, marketing, human resources, sales and compliance). A strict new regulation obliging companies to be responsible in their use of personal data will apply as from 25 May 2018. The newly introduced principle of "accountability" means that companies need to be able to demonstrate that they have taken the steps needed to comply with data protection obligations. Therefore, companies need to recognise where they use personal data and adopt a strategy to use such data in the manner that suits the company and also complies with regulatory requirements. Companies can carry out a thorough data protection audit to help them devise a data protection compliance system. The compliance system also presents companies with opportunities to increase employee and consumer confidence and protect company information generally. Companies should therefore start reviewing their data protection policies and practices, to assess the effort that will be required to comply with the new rules.
Against this background, this article examines:
  • The growing importance of data protection law compliance.
  • The EU's new General Data Protection Regulation.
  • How to establish the right data protection organisation and compliance strategy.
  • The main steps in a typical data protection audit.
  • Establishing a data protection compliance system.
  • Implementing a data protection compliance system.
  • Maintaining data protection compliance.

Growing importance of data protection law compliance

With the constantly increasing volume of employee, customer and supplier data being handled by companies across the EU, it has never been more important for data protection laws to be respected by modern businesses. Particular compliance challenges are faced by businesses operating across several jurisdictions, not least because of the diversity of the rules on data protection.
The EU has taken measures to safeguard the individuals' right to privacy when their personal data is created, handled, stored or transferred. Currently, Directive 95/46/EC on data protection (Data Protection Directive) provides the framework for the protection of personal data in the EU. The Directive has been transposed into the national laws of each EU member state, meaning that the existing rules applicable in each member state differ to some extent. The Data Protection Directive will soon be repealed and replaced by Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (GDPR).

GDPR

The GDPR was published in the Official Journal of the European Union on 4 May 2016 and officially entered into force 20 days following its publication. The GDPR will be directly applicable across the EU, without the need for national implementation. However, the GDPR provides for a two-year transitory period in order to allow stakeholders to comply with its provisions. Companies are therefore advised to start taking the necessary measures to ensure that their data protection policies comply with the GDPR by the end of the transitional period. In light of the new and substantial fines introduced by the GDPR, data protection will no longer be an area in which businesses can afford to take compliance risks.
The GDPR changes the scope of EU data protection rules:
  • EU data protection rules take the form of a regulation rather than a directive. The purpose is to move away from the current fragmented implementation of the data protection framework by the individual member states. The GDPR therefore introduces a uniform and more harmonised system of data protection in the EU. Nevertheless, some national divergences persist.
  • The GDPR also simplifies and extends the scope of application of the EU data protection framework. Under the GDPR, companies operating in the EU will be even more likely to be subject to public and private enforcement of data protection rules. The GDPR will also apply to non-EU companies that offer services to or monitor EU citizens.
The GDPR strengthens the existing requirements and introduces a number of significant changes, including the following:
  • National data protection authorities are given increased enforcement powers (powers of investigation, binding intervention, decisions and sanctions), the ability to engage in legal proceedings, and the human and financial resources needed to be better equipped for these tasks.
  • Certain controllers and processors are required to designate a Data Protection Officer (DPO).
  • Controllers and processors are obliged to maintain a register with records of their processing activities.
  • Facilitated damage actions for data subjects and representative actions by bodies, organisations or associations, which aim to protect data subjects' rights and interests concerning the protection of their personal data.
  • A general data breach notification obligation applicable to all controllers. This means that personal data protection breaches will be uncovered and, within a short timeframe, brought to the attention of the data protection authorities and, in certain cases, the individuals concerned.
  • Controllers will be legally obliged to implement appropriate measures to ensure compliance with the law and to actively document and demonstrate compliance (principle of responsibility or accountability).
  • Requirements with respect to consent are changed and tightened.
  • More information and new rights are granted to data subjects.
  • Greater responsibilities and obligations are imposed on data processors.
  • The use of codes of conduct and certification mechanisms is promoted and the use of such systems can provide significant practical benefits to companies.

Increased regulatory powers to impose sanctions

Given the increased emphasis on the protection of personal data, and in anticipation of the GDPR, non-compliance with data protection rules is pursued more actively by authorities across the EU:
  • Breaches of data protection law can lead to the imposition of sanctions, including administrative fines or, in serious cases, even imprisonment.
  • Data protection authorities may also be entitled to order companies to give up or modify non-compliant data processing operations, causing costly business interruptions.
  • The trend has also been for national data protection authorities to be granted increased powers to impose sanctions. Under the GDPR, national data protection authorities will have powers to impose fines of up to EUR 20 million or 4% of the company's worldwide turnover (whichever is higher).

Increased sensitivity of individual privacy

Even apart from the sanctions, compliance should be high on the agenda of any business because of the increased sensitivity of individuals to their privacy. Public awareness is fuelled by press reports about serious data security breaches that put personal data at risk. As a result, individuals may turn their back on companies that do not handle their personal data properly.
Data protection issues have captured news headlines since the Snowden revelations and the decision of the Court of Justice of the EU (CJEU) in the Schrems case, which stemmed from those revelations and drew attention to international flows of personal data.
Companies operating in the EU risk significant damage to their reputation unless they resort to high levels of data protection compliance. Bad publicity can be extremely harmful for any business that relies on customer goodwill. The harm caused by "naming and shaming" in the press, or in publications such as data protection authorities' annual reports, has the potential to damage a company even more than the prospect of facing sanctions and damage claims. Data breaches can be caused by cybercriminals for whom personal data have become treasured targets, but many damaging breaches also happen by accident or human error.
Recently, Europe and other parts of the world were massively hit by two so-called ransomware attacks, "WannaCry" and "Petya". Cyber-criminals spread ransomware which blocked access to computers or their data and then asked affected companies for money to release the data. There is therefore a higher risk of data breaches due to this new trend of cyber-criminality. On the one hand, to the extent that such attacks affect personal data, companies may be obliged to report such attacks as data breaches under the GDPR. On the other hand, implementing GDPR compliance measures can put companies in a better position to fend off, or recover from, such attacks.
In addition, individuals increasingly rely on their rights to counter intrusions into their private life or to control their online life. For instance, a judgment of the CJEU of 14 May 2014 urged Google to take action to implement the "right to be forgotten". Data protection compliance ensures that companies can deal with such requests within the strict timing and requirements imposed. In just over a year following the judgment, Google received over 280,000 requests to remove links from their search results. Now, more than three years after the launch of the official request process on 29 May 2014, Google has received more than 580,000 requests from individuals to remove certain search results about them.

Opportunities presented by data protection compliance

Compliance with data protection rules is not simply a matter of risk minimisation:
  • It can be a useful tool in increasing employee and consumer confidence in an organisation.
  • In addition to providing an enhanced brand image, data protection compliance can also help in the management of company information.
  • Data protection compliance acts as a reminder to companies that they should also act to protect company data and business secrets generally.
  • Strong awareness of personal data can also facilitate future projects using such data.
  • For many companies, personal data (including contacts and profiles) is a key asset of the company. Documented compliance adds to the value of this information and the company.

A plan towards compliance: organisational and operational measures

The transitory period for the GDPR provides a clear incentive for companies to align their procedures and processes with the new rules by May 2018. Companies must realise that data protection compliance requires a long term investment. This investment must come from a clear and explicit commitment and support of the organisation's leadership to allocate resources and ensure that all staff place importance on their tasks in the compliance process.
Moreover, companies must make sure that decision makers and key people within the company are aware that the rules on data protection will change. It is therefore important to map out the areas within the company that could cause compliance problems under the GDPR.
The plan towards compliance must address the:
  • Organisational structure of the company.
  • Operational compliance strategy.
How these elements are implemented will depend on the activities, structure and size of the company or group of companies.
The organisational structure of the company's data protection compliance supervision must be supported by the management and requires that sufficient resources in terms of time, personnel and budget are invested in the project. Under the GDPR, some companies will be obliged to appoint a Data Protection Officer (DPO) (see, below, Establishing a data protection compliance system, Appointing a data protection officer (DPO)) who must have an independent position within the organisation. If a company is not obliged by law to appoint a DPO, it is still important to allocate data protection responsibilities within the organisation. Moreover, data protection concerns each part of the company, and it is therefore advisable to establish a data protection network. This network, with contact persons in each department of the organisation, assists the DPO or data protection team in the implementation of compliance measures and provides information or feedback about data protection activities when required. Finally, most staff will come into contact with personal data and must be aware of the basic obligations under data protection laws and how to translate these into their daily tasks.
Once the organisation is set up, the operational compliance project usually begins with an audit of the personal data in the company. The audit will allow the company to map out its personal data and identify compliance gaps. Once the necessary compliance measures are determined, they will need to be implemented in the business practices and operations.
The remainder of this article examines in greater detail the performance of a data protection audit, the implementation of a compliance system and maintaining data protection compliance in an environment that, by its nature, is continually changing.

A data protection audit

Importance of a data protection audit

The responsibility for ensuring the legality of the processing of personal data lies, in principle, with the controller:
  • The controller is any natural or legal person, public authority, agency or other body which alone, or jointly with others determines the purpose and means of processing personal data. The data controller is liable in the first instance for breaches of data protection rules. Companies are usually considered to be the controller of the personal data of their employees, customers and suppliers and are therefore responsible for data protection law compliance.
  • However, the GDPR also extends certain obligations to processors. Processors are persons who process personal data on behalf of a controller.
While some countries have issued guidance with respect to particular data protection law-related issues, in general, controllers are free to determine how best to ensure compliance. Moreover, the GDPR provides that the controller must adopt policies, procedures and other methods to ensure compliance with the requirements of the Regulation. The most effective way to determine an organisation's level of compliance with data protection law is to conduct an audit. This is a prerequisite to developing appropriate compliance tools and setting up and maintaining an effective system suitable to the particular organisation.

Methods of carrying out a data protection audit

Data protection audits largely involve a systematic independent examination of an organisation's existing level of compliance with data protection rules, although the exact scope of an audit necessarily depends on the specific requirements of the individual organisation.
A data protection audit is time-consuming, as it usually involves meeting and interviewing various key people. It is essential that an audit be carried out within a strict timeframe to ensure a consistent outcome, because over a longer period the factual and legal position of an organisation may change.
An organisation can choose to delegate the task to a third party auditor. This will bring the added benefit of expediency and expertise, which may compensate for the auditor's lack of internal knowledge. Further, external auditors are more likely to approach the matter with an open, independent and objective mind.
Any audit needs to take the structure of the organisation into account by asking the following questions:
  • Is the audited organisation a single legal entity or does it belong to a group of companies?
  • What business units exist and what functions do they have?
  • Does the audited organisation have a matrix structure?
  • How are the data processing activities structured? In particular, have certain functions been centralised or are they carried out locally? Are databases shared among business units or legal entities?
Each audit will be different, and should be tailored to suit the particular needs of the individual organisation. In general, an audit will consist of three phases which are dealt with below.

Pre-audit stage

The pre-audit stage is important for determining the required resources which are to be dedicated to the audit. The more time and energy spent planning an audit, the more accurate and expedient the audit will be.
Define objective and scope. The crucial first step of any audit is to define the objective and scope. It must be decided whether the audit should cover:
  • All business units or only some of them (typically, at least HR, IT or marketing).
  • All data processing activities or only particular key processes or areas that have been identified as (potential) high risk areas or business drivers.
  • The whole group or only certain legal entities that are more important from a business perspective or are considered to be representative. However, even where only some companies are audited, the compliance solution will need to consider the data flows in the entire group, as well as the existence of global or shared databases and the (intra-group) outsourcing of certain processing activities (for example, the operation of a central IT helpdesk).
Determine processes and personnel to be covered. The next and equally crucial step of the pre-audit stage is to determine the processes and personnel to be covered by the audit:
  • A member of the organisation's personnel should be delegated the task of managing the audit, to ensure that the process runs smoothly.
  • It is essential to determine which departments and personnel will be involved in the audit process, in which order and within what time frame.
  • It is also very important at this stage to inform personnel in advance about the audit, and to obtain the support of senior management and staff members involved in managing the audit and providing the audit responses.
Measuring compliance and status reports. To measure an organisation's compliance with data protection law, it is necessary to develop a benchmark against which the audit can be assessed. The benchmark may be the applicable law, or the organisation's internal policies and guidelines, or codes of conduct and certifications for which the organisation wishes to apply. When preparing for GDPR compliance, the benchmark should include GDPR requirements, and take into account the guidance provided by the local data protection authorities on preparing for GDPR compliance. Indeed, many national data protection authorities have published guidance on how to prepare. By making this guidance part of the benchmark, the audit will provide documented compliance that is in line with local recommendations and guidance, and show compliance to the local authorities.

Carrying out the audit

Questionnaires. An audit can be carried out based on face-to-face interviews conducted with the relevant staff members or the use of written questionnaires. Written questions have the advantage of being cost effective and ensuring that the audit is conducted in a standardised way across the organisation.
Questionnaires should be tailored to take account of the scope of the audit and the structure of the organisation, but will typically seek information on the following:
  • The legal entity or business unit being audited.
  • Existing policies, procedures, contracts and compliance measures as regards data protection.
  • Databases and software applications containing personal data as well as data processing activities.
  • Categories of personal data (including sensitive data) being processed.
  • Categories of data subjects whose personal data is being processed.
  • Purposes of the processing.
  • Controllers, processors and any other players.
  • Data flows within and outside the audited organisation, and inside and outside of the EU.
  • Technical and organisational security measures.
Data protection rules rely on concepts and terminology which may be difficult to understand for recipients of the questionnaire:
  • Questionnaires can also be accompanied with guidance which explains the key terminology, the purpose of the audit and indeed each question.
  • This guidance should also provide advice on the minimum standard for responses and may include examples.
  • Pre-audit training may further increase the value of the audit process and help to avoid a flawed or delayed audit process.
  • A written record of the audit process should also be kept to keep track of its progress.
Carrying out an audit consists largely of completing questionnaires and providing supporting documents such as internal guidelines and procedures:
  • It is important to ensure that the right questions are asked of the right people.
  • Relevant personnel should be given sufficient time to provide a comprehensive response.
  • After reviewing the responses, it may be necessary to seek further clarifications, if responses are found to contain contradictions or if they are not sufficiently concise.
  • Interviews with key personnel are a good way to ensure that the questionnaires are completed in an efficient and accurate manner.
  • It is important that the relevant staff members know in advance what is expected of them.

Assessment stage

Review of responses. Once the organisation is satisfied that the audit has been conducted properly, a review of the responses, including supporting documents, must take place:
  • This review will enable the responses to be compared to the relevant benchmark set during the pre-audit stage.
  • The purpose of the review is to identify all shortcomings and weaknesses of the organisation in relation to data protection law compliance.
  • If the information received is incomplete or contradictory, it may be necessary to go back to the staff members who provided the information to seek clarification.
Compliance reports. Once the areas of non-compliance have been identified, they should be described in detail and then given priority according to their seriousness:
  • At this stage, it is usually a good idea to compile a list of potential remedies for the issues that have been identified. This information can be contained in a compliance report. Compliance reports are also a useful tool in seeking the support of senior management for implementation of compliance tools.
  • A meeting should be held after the review of the report, to discuss the results of the audit and the potential remedies. The organisation should then decide the options it intends to pursue.
Action plan. An action plan should be completed which should identify for each compliance issue the:
  • Proposed action.
  • Person responsible for carrying it out.
  • Date by which the action should be completed. Companies should therefore prioritise the measures according to the level of risk involved or the time required for implementation.
The action plan therefore provides an easy-to-use checklist for the organisation and allows progress to be easily monitored.

Establishing a data protection compliance system

The next step is for the audited organisation to develop a data protection compliance scheme which will address the issues identified during the audit. The scheme should also ensure future compliance of the organisation with data protection law. A system of data compliance is not only good business practice, but is also increasingly required under legislation.

Regulation proposals

The GDPR requires data controllers to implement appropriate technical and organisational measures to ensure and demonstrate that processing is performed in accordance with the data protection rules. Measures envisaged by the GDPR include:
  • Maintaining extensive documentation of all data processing operations.
  • Implementation of data security requirements.
  • Performance of data protection impact assessments before high risk processing.
  • The mandatory appointment of a data protection officer.

Approach and scope of a compliance system

Subject to these fixed requirements, an organisation remains free to select the method and means best suited for it to achieve compliance:
  • This will depend, to some extent, on the applicable data protection laws, existing codes of conduct or certifications which are sought and the audit findings. However, account must also be taken of the organisation's structure and requirements, as well as the culture and business practices in different jurisdictions.
  • Group companies should decide whether to adopt a single approach across the entire group or whether to adopt different approaches depending on the jurisdiction. In certain situations, such as international data transfers, action will be required at group level, although some form of local action will almost always be required.
  • Whatever the approach adopted, it is likely to include a consideration of updating or changing data processing activities across the company, and implementing procedures to ensure the lawfulness of the company's data processing activities.
In summary, the key element of any data protection compliance strategy is the allocation of responsibilities, backed up by certain organisational measures and complemented by a range of actual compliance measures.

Appointing a data protection officer (DPO)

At present, most member states do not oblige companies to appoint a DPO, or outline the competences and responsibilities of a DPO. However, the GDPR makes the appointment of a DPO mandatory where any of the following applies:
  • The data controller is in the public sector.
  • The company's core activities involve systematic monitoring on a large scale.
  • The company's core activities involve large scale processing of sensitive data.
Companies that do not fall within the above categories may in any case wish to voluntarily appoint a DPO to co-ordinate implementation of data protection compliance systems.
A DPO can also:
  • Act as a contact person.
  • Monitor and supervise all data protection activities.
  • Drive the data protection compliance strategy.
  • Provide training to staff members.
  • Assist with data protection impact assessments.
In addition, in large organisations or where data processing activities or processes are particularly complex, it may be necessary to appoint other individuals in the organisation to assist the DPO in carrying out his tasks. Day-to-day compliance should be delegated to a representative in each relevant department or business unit, or for certain systems.
The responsibilities and duties of DPOs and their assistants must be stated clearly.
DPOs should have sufficient authority to act independently and should be given the necessary resources and access to information to allow them to exercise their responsibilities.
It may also be necessary to impose reporting and other obligations on staff members (for example, from IT and legal) to assist the DPO in carrying out his tasks.
The GDPR contains requirements that a DPO must meet and also sets out the position and tasks of the DPO.

Privacy policy

Another key element of data protection compliance is a privacy policy. This will set out the procedures and steps the organisation should apply with respect to data protection. It is recommended that an organisation's privacy policy be available to all data subjects through its website. The privacy policy should also be properly communicated to staff, to ensure that they are aware of and understand it.
A privacy policy helps to increase transparency in the workplace and signals to both employees and data subjects that the organisation is fully committed to the protection of personal data. It is good company practice to adopt a privacy policy that provides the basic framework for all data protection compliance activities. This has also been recognised in the GDPR, which requires controllers to adopt policies and implement appropriate measures to ensure compliance.
The privacy policy will usually need to be complemented with more specific, in-depth policies and procedures relating to issues such as data security, data retention, data quality and the rights of data subjects.
All of the organisation's existing policies and procedures must be checked for consistency with the privacy policy. Compliance with privacy policies should be regularly assessed and accompanied by appropriate sanctions in case of breach.
The privacy policy may also include additional information which is not legally required. For instance, the privacy policy could be used to inform users how to protect confidential information or copyright protected materials.

Individuals' rights and requests for access

The GDPR creates some new rights for individuals and strengthens some of the rights that are currently already in place. The GDPR includes the following rights for individuals:
  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • The right not to be subject to automated decision-making including profiling.
It is therefore important to review the procedures within the company to ensure they cover all the rights individuals have, including how personal data can be deleted or provided electronically to data subjects.
Procedures relating to individuals' right of access to their personal data should also be updated. The GDPR provides a one-month term for responding to access requests. Furthermore, in most cases, the request will entail no cost for the data subject, and refusals must be explained and can be appealed.

Internal register of databases or processing operations

The audit should have identified all of the organisation's data processing activities within the scope of the audit, including:
  • Databases and processing operations that include personal data. The audit may identify personal copies or files which an individual created on his or her own initiative and uses for business purposes.
  • All categories of personal data that are being processed.
  • All players, including data subjects, controllers and processors.
  • All data flows within and outside the audited organisation, including disclosure to third parties and international data transfers.
  • All existing contractual clauses, policies and notices.
  • All existing security measures.
  • The purposes of the processing and its legal basis.
  • Retention periods.
In some jurisdictions, keeping an internal register of databases or data applications is mandatory and the GDPR provides for extensive documentation and record-keeping obligations regarding all processing operations. However, irrespective of whether such a statutory obligation exists, organisations are well advised to keep an internal register of databases and to regularly update it. Such a register:
  • Is an important source of information for the development of the actual compliance measures.
  • Facilitates the management and maintenance of the data protection compliance system (including preparation of notifications or responses to data subjects' requests).

Consent

Under the GDPR, the requirements for consent will become stricter. Consent must be a freely given, specific, informed and unambiguous indication of the individual's wishes. This means that an individual must undertake some form of clear affirmative action. In other words, there must be a positive opt-in. This could include ticking a box when visiting an internet website, choosing technical settings for information society services, or some other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Therefore, consent cannot be inferred from silence, pre-ticked boxes or inactivity.
Furthermore, the GDPR seeks to do away with the practice of hiding consent in the body of vast terms and conditions. Under the GDPR, consent must be clearly distinguishable from other terms and conditions, and a declaration of consent pre-formulated by the controller must be provided in an intelligible and easily accessible form, using clear and plain language, and must not contain unfair terms. Where processing relies on consent as its lawful basis, the controller must be able to demonstrate to the data protection authorities that the data subject has in fact given consent, so consent should be documented (for example, by recording who consented, when, how and to what). Consent mechanisms that do not meet these criteria must be altered in a GDPR-compliant manner.

Contractual clauses

Through the audit, the organisation will have identified its relationships with third parties such as processors and third party controllers that receive or access data from the organisation:
  • The audited organisation may want to put in place contractual arrangements with these third parties to ensure compliance with data protection law.
  • Contractual assurances should be obtained from third parties from whom personal data is received that the data has been lawfully collected and that it may be used for the intended purpose.
  • Where controllers make use of processors, the national data protection laws and the GDPR lay down certain requirements, and require the conclusion of a written processor agreement. Clauses in employment contracts may also be legally required, or at least advisable, to ensure that personal data handled by employees is kept confidential. Terms and conditions of employment agreements may need to be amended in this respect.
  • A contract management system should be set up, to identify any third party or supplier/customer contracts that need to be reviewed and possibly revised. Further, the organisation will need to ensure that the appropriate clauses are inserted into all new contracts.

Fair processing notices and rights of data subjects

Under the data protection laws, certain information must be provided to data subjects, such as:
  • The identity of the controller.
  • The purposes for which the personal data will be processed.
  • How data subjects can request access to data which relates to them.
The GDPR requires that this information must be provided at the time of collection of the data. In particular:
  • Existing notices and forms may need to be amended and so-called fair processing notices may need to be developed, to ensure that all the required information is provided.
  • The information should be provided in an intelligible form, using clear and plain language and at the appropriate time. The GDPR expressly sets out the principle of transparency and also allows short-form information notices using standardised icons.
  • Besides complying with their information obligations, organisations will need to implement procedures to enable data subjects to effectively exercise their rights. Under the GDPR, this is made mandatory.
The internal register of databases can assist the organisation in responding to data subject requests within the applicable time periods.

International data transfers

Data controllers are responsible for ensuring that international transfers of data are done lawfully:
  • Controllers are generally prohibited from transferring personal data outside the EU to a country that does not provide an adequate level of data protection.
  • One route to a lawful transfer to a third country is an adequacy decision, by which the Commission officially recognises that country as providing sufficient protection. Absent such a decision, the controller must rely on the appropriate safeguards or statutory derogations described below.
  • Countries recognised as adequate include Andorra, Argentina, Canada (subject to certain limitations), the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
Following the invalidation of the Safe Harbor decision, the European Commission, together with the US Department of Commerce, announced a new framework for transatlantic flows of personal data: the EU-US Privacy Shield. The Privacy Shield is based on a system of self-certification by which US organisations commit to a set of privacy principles, the Privacy Shield Framework Principles (Privacy Principles), with enforcement by the US Federal Trade Commission. The EU-US Privacy Shield was formally approved by the European Commission on 12 July 2016.
If an organisation intends to transfer personal data to any third country outside the EU (other than the European Economic Area countries of Norway, Liechtenstein and Iceland) and the above white-listed countries, it must implement adequate safeguards to protect the personal data transferred (unless it can benefit from a statutory derogation for such a transfer).
Such safeguards may be provided, for example, by means of:
  • Contractual clauses (for example, based on one of the sets of standard contractual clauses adopted by the Commission).
  • Binding corporate rules, in case of intra-group data transfers.
The GDPR also allows appropriate safeguards to take the form of standard data protection clauses adopted by a supervisory authority (and approved by the Commission), as well as approved codes of conduct or certification mechanisms combined with binding and enforceable commitments from the recipient.
Following the Schrems decision, international data flows attract increased scrutiny from national data protection authorities. Companies should therefore identify all their data flows and examine the legal basis for any international data transfer. If required, they should also determine and implement the appropriate safeguards. The organisation will also need to comply with any registration requirements applicable to international data transfers.

Registration requirements

Current data protection laws require that processing be notified to the data protection authorities (subject to exceptions) and, for certain categories of processing, that it be subject to prior checking by, or prior authorisation from, those authorities.
During the audit:
  • All databases and processes requiring notification to, prior checking by, or authorisation from the relevant data protection authorities should have been identified.
  • It should also have been determined whether these registration requirements have been met. If not, the relevant notifications and/or authorisation requests will need to be prepared and submitted to the relevant authorities.
  • The registration requirements and procedure have not been harmonised in the EU and therefore differ from country to country.
  • A co-ordinated approach among different departments and legal entities may be required with respect to central databases or certain data processing activities, such as international data transfers. This may require action to be taken at group level to ensure uniformity of approach.
Although the GDPR abolishes the general registration requirements, it is still necessary to interact with the competent supervisory authority in certain cases. Prior consultation will be required in cases of high-risk processing operations and prior authorisation is still necessary for certain measures such as Binding Corporate Rules. In addition, the GDPR requires companies to keep internal records and leaves room for national law to provide for additional interactions with supervisory authorities.

Data security

Under the data protection laws of the EU member states, adequate organisational and technical security measures must be taken to protect personal data against:
  • Accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.
  • All other unlawful forms of processing.
In the past, companies have typically focused on the protection of their own data and business secrets, notably through enhancing the security of their IT systems. However:
  • Additional security policies may need to be established or existing policies amended with respect to personal data.
  • It is also necessary to establish procedures for the secure disposal and deletion of such data.
  • Companies should also not overlook the importance of organisational security measures (for example, overall security policy, assignment of responsibilities, and training).
  • Systems should be put in place to monitor compliance with the policies, to alert the DPO to any breaches that are discovered, and to feed the lessons learned back into the controls so that similar breaches are prevented in future.
This requirement is all the more important considering that notification of a personal data breach will become mandatory under the GDPR and is already applicable in certain jurisdictions such as Germany, Austria and The Netherlands. Moreover, some sectors, such as telecommunications, already have breach notification obligations throughout the EU. Therefore, it is important to ensure that the right procedures are in place to detect, report and investigate a personal data breach. In the context of the data protection audit, it is also helpful to assess the types of personal data a company holds and to document where it would be required to notify the national data protection authority or the affected data subjects if a personal data breach occurred. Failure to report a breach when required to do so could result in a fine, in addition to a fine for the breach itself.
In addition, more specific security measures may need to be established, including:
  • Physical access control, which aims to prevent unauthorised persons from gaining access to data processing systems. This may include measures to secure the premises (for example, securing entries and exits) as well as measures in the building (for example, alarm systems and restricted access to server rooms).
  • Control of use and access to data, which aims to protect data processing systems from unauthorised use. Persons entitled to use a data processing system must only have access to the specific personal data they are authorised to use. Safeguards must be put in place to prevent personal data from being read, copied, modified or removed without authorisation (for example, by establishing and maintaining an up-to-date user account management system, including user identification and authorisation, and strict password requirements).
  • Control of data transmission, which aims to ensure that personal data cannot be read, copied, modified or removed without authorisation during transmission or transport (whether electronic or not). In addition, it must be possible to check and establish to whom the personal data will be transmitted (for example, by keeping logs of data transfers and mobile data carriers, the encryption of electronic data and the control of remote access to databases).
  • Input control, which aims to ensure that it is possible to check and establish whether and by whom personal data has been input into data processing systems, modified or removed (for example, by keeping input logs or using audit trails).
  • Availability control, which aims to ensure that personal data is protected from accidental destruction or loss (for example, by virus protection, backups and the implementation, regular testing and maintenance of a business continuity and disaster recovery plan).
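The "control of use and access to data" and "input control" measures above can be combined in one mechanism: every read or modification of personal data is checked against a least-privilege role model and then written to a tamper-evident audit trail, so that the DPO can later establish who accessed or changed which field and detect whether the log itself was edited. The following is an added example written for this article, not code from the authors or from any product they describe; the roles, fields, sample record, and the audit-log key are all constructed for illustration.

```python
"""Added example: per-field authorisation plus a hash-chained audit trail.

Roles, fields, the sample employee record and AUDIT_KEY are assumptions
made for this illustration, not values from the article.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed role model: each role may read or write only the fields it needs
# for its task (least privilege). Marketing never sees salary or address.
PERMISSIONS = {
    "hr": {"read": {"name", "salary", "address"}, "write": {"salary", "address"}},
    "marketing": {"read": {"name", "email"}, "write": set()},
}

# Assumed log-signing key. In a real deployment it lives in an HSM or secrets
# manager and is not available to the people whose actions are being logged.
AUDIT_KEY = b"constructed-demo-key-do-not-use"
_GENESIS = b"\x00" * 32


class AuditTrail:
    """Append-only log. Each entry carries an HMAC over its own content and
    the previous entry's HMAC, so altering or deleting any entry breaks the
    chain from that point onwards."""

    def __init__(self):
        self.entries = []
        self._last_mac = _GENESIS

    def record(self, user, role, action, field, subject_id, allowed):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "field": field, "subject": subject_id, "allowed": allowed,
            "prev": self._last_mac.hex(),
        }
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["mac"] = hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()
        self._last_mac = bytes.fromhex(entry["mac"])
        self.entries.append(entry)

    def verify(self):
        """Re-walk the chain; return the index of the first bad entry, or None."""
        prev = _GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev"] != prev.hex():
                return i
            expected = hmac.new(AUDIT_KEY, json.dumps(body, sort_keys=True).encode(),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["mac"]):
                return i
            prev = bytes.fromhex(entry["mac"])
        return None


class PersonalDataStore:
    """Holds personal data per data subject; every access is authorised
    against PERMISSIONS and logged, including denied attempts."""

    def __init__(self, audit):
        self._records = {}
        self.audit = audit

    def add_subject(self, subject_id, record):
        self._records[subject_id] = dict(record)

    def read(self, user, role, subject_id, field):
        allowed = field in PERMISSIONS.get(role, {}).get("read", set())
        self.audit.record(user, role, "read", field, subject_id, allowed)
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {field!r}")
        return self._records[subject_id][field]

    def update(self, user, role, subject_id, field, value):
        allowed = field in PERMISSIONS.get(role, {}).get("write", set())
        self.audit.record(user, role, "update", field, subject_id, allowed)
        if not allowed:
            raise PermissionError(f"role {role!r} may not write {field!r}")
        self._records[subject_id][field] = value


def demo():
    """Run a small scenario and return what the audit trail reveals."""
    audit = AuditTrail()
    store = PersonalDataStore(audit)
    # Constructed sample record; not real personal data.
    store.add_subject("emp-42", {"name": "A. Example", "email": "a@example.invalid",
                                 "salary": 50000, "address": "1 Demo Street"})
    store.read("alice", "hr", "emp-42", "salary")
    store.update("alice", "hr", "emp-42", "salary", 52000)
    try:
        store.read("bob", "marketing", "emp-42", "salary")
        denied = False
    except PermissionError:
        denied = True
    intact = audit.verify()                 # None: chain verifies
    denied_logged = audit.entries[2]["allowed"] is False
    # Someone with write access to the log tries to disguise the salary change.
    audit.entries[1]["field"] = "address"
    tampered_at = audit.verify()            # 1: the edited entry is flagged
    return {"denied": denied, "intact": intact,
            "denied_logged": denied_logged, "tampered_at": tampered_at}


if __name__ == "__main__":
    print(demo())
```

The denied request is logged before the exception is raised, so unsuccessful access attempts are visible to the DPO as well as successful ones. Because the log key is not the same credential that grants data access, an insider who can edit records cannot also rewrite the trail consistently, which is the property "input control" is meant to provide.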

Implementing the data protection compliance system

Once the compliance tools have been prepared, they need to be rolled out.
The roll-out of the data protection compliance system needs to be co-ordinated with all the relevant business units of the organisation. For this purpose:
  • The parties responsible for each compliance task/issue should be designated and deadlines set for each task to be completed.
  • There should be regular reporting on the status of implementation to allow monitoring of any progress made.
  • To ensure that the data protection compliance system is being applied in practice, proper communication is necessary to ensure that all employees understand the meaning and purpose of the measures and apply them properly.
  • Employees must be educated about their responsibilities and the applicable rules.
Therefore, the privacy policy and other applicable rules must be made available to employees in the appropriate format (for example, through inclusion in employment contracts, staff handbooks, employee notices and the intranet). There should also be formal training sessions for employees, including introductory sessions for new staff members and regular refresher courses for long-standing employees. Ideally the training should be tailored, with a practical focus on answering day-to-day questions in relation to the organisation's handling of personal data and concrete examples. Employees should have the opportunity to raise questions and provide feedback in relation to data protection matters. For this purpose, the organisation should designate a contact person (typically, the DPO) for employees.

Maintaining data protection compliance

It is important not only to implement the compliance measures but also to ensure that the people who carry out day-to-day processing master them. In addition, compliance is an ongoing exercise. The organisation must test, monitor and review its data protection compliance system. A company's databases and processing operations will change constantly, and such changes will require a corresponding evolution in the company's compliance system.
Data protection compliance needs to be embedded in a company's organisation and must be integrated and aligned with other policies, initiatives and so on. Companies are well advised to endorse the principle of privacy by design (which will be required under the GDPR) to ensure that data protection is taken into account in any projects from an early stage.
Data protection compliance requires a holistic programme, encompassing people, process and technology:
  • The organisation must create a compliance culture, ensuring that data protection becomes a consideration in day-to-day business decisions, and that future changes are data protection compliant. This will require certain reporting and information obligations.
  • Companies should consider carrying out data protection impact assessments for new databases, processing practices, processes, hardware, software, providers, and tools.
  • The compliance system and existing compliance tools must be regularly updated, amended and adjusted to keep abreast of all important changes to the processing environment, including changes to data protection laws.
  • Regular monitoring is also crucial to ensure that an organisation remains data protection law compliant. There should be regular checks, including occasional audits and spot checks.
  • Breaches, including breaches of data security, must not only be brought to the attention of the DPO and designated persons, but appropriate escalation procedures must be followed. Any breaches must be sanctioned.
A data protection compliance system is not just good business practice and a basic necessity that enables companies to comply with their obligations under the data protection laws; under the GDPR's accountability principle, every company must also be able to demonstrate its compliance.
Companies will have to comply with the GDPR by 25 May 2018. They should therefore start reviewing and auditing their data protection policies and practices, allowing them to implement critical measures to comply with the new rules.

Contributor profiles

Thibaut D'hulst

Van Bael & Bellis

T +32 647 73 50
F +32 640 64 99
W www.vbb.com
Professional qualifications. Member of the Brussels bar
Areas of practice. Data protection and privacy; IP law; new technologies and competition law.

Lily Kengen

Van Bael & Bellis

T +32 647 73 50
F +32 640 64 99
W www.vbb.com
Professional qualifications. Member of the Brussels bar
Areas of practice. Data protection and privacy; IT, IP and e-commerce; litigation and arbitration; M&A.