GDPR - A Swiss Summary
Of all the information I have read over the last months about GDPR (General Data Protection Regulation), one piece stood out. It is a study that was not initiated by a software vendor: it comes from the law firm Linklaters LLP (a limited liability partnership registered in England and Wales with registered number OC326345).
Please refer to
- GDPR at a glance, which gives you a nice overview
- Data Protection Survival Guide, which covers all you need to know to survive
First of all, let me give you a short description of one basic term: What is PII? It stands for personally identifiable information and it encompasses any data that could potentially identify a specific individual. This includes data that almost all of us store, including IP addresses, names, phone numbers, addresses, supplier records, and more. According to recent AIIM research, we are storing PII in a variety of ways: 76% store it in email/email servers, 66% in the cloud and 61% on network drives. However, no matter where it is stored, the most important point is that it needs to be protected, or it may soon cost you. (Source: AIIM eMail “A Costly Slice of 'PII'” from May 26, 2017)
The most important aspects are summarized in this OpenText blog by Claudia Traving: “Data protection laws are nothing new in the European Union. However, the new GDPR rules present some significant impacts and changes to current data privacy regulations. For one, what used to be a directive is now a regulation with full force of the law, valid across all EU countries. And despite BREXIT, the UK government has confirmed that the UK will implement GDPR (read the UK Information Commissioner’s blog on this topic). The other important aspect is that GDPR now imposes substantial fines upon individuals and enterprises that do not adhere to the law. Minor breaches will be fined up to 10 Million EURO, or up to 2% of the total worldwide annual turnover of the preceding financial year for a business, whichever is higher. Major breaches will be fined up to 20 Million EURO, or up to 4% of the total worldwide annual turnover of the preceding financial year for a business, whichever is higher. And it should be re-emphasized that the turnover is not just the turnover of the EU-located part of the enterprise, but the worldwide turnover of the enterprise.”
Under the Regulation, you must not only comply with the six general principles, but also be able to demonstrate your compliance (in other words, provide documentation) as stated by AIIM/John Mancini and referenced in a Docuware blog. Personal information (see above) shall be:
- Processed lawfully, fairly and in a transparent manner.
- Collected for specified, explicit and legitimate purposes.
- Adequate, relevant, and limited to what is necessary.
- Accurate and, where necessary, kept up-to-date.
- Retained only for as long as necessary.
- Processed in an appropriate manner to maintain security.
As a Swiss Company: am I affected by GDPR?
You will have to comply where your business processing activities relate to offering goods or services (free or paid) to individuals in the Union, or to monitoring them, and you process a considerable amount of personal data at regional, national or supranational level that could affect a large number of data subjects. In either case, the Regulation will only apply to personal data about individuals in the Union.
So, what can you do, or rather, what are you obliged to do today?
(Extracts from the Linklaters Data protection survival guide)
- Appoint a representative. That representative must be based in a Member State in which the relevant individuals are based. There is a limited exemption to the obligation to appoint a representative where the processing is occasional, is unlikely to be a risk to individuals and does not involve large scale processing of sensitive personal data.
- Review your existing compliance. Work out if you are processing genetic or biometric information, or information about criminal offences. If so, bring that processing into line with the new requirements of the Regulation.
- Set up a process. Consider if individuals are likely to exercise their rights against you and what they mean for your business in practice. Based on that analysis, set up processes to capture, record and act on those requests.
- Update your existing privacy notices. You should use the most effective way to inform individuals of your processing, such as layered or just-in-time notices.
- Update or create suitable policies that set out how you process personal data. Also consider other compliance measures, including setting up a clear compliance structure, allocating responsibility for compliance, staff training and audit.
- Record keeping obligations. If you act as a data controller, you must keep a record of the following information:
  - your name and contact details and, where applicable, any joint controllers, representatives and data protection officers
  - the purposes of the processing
  - a description of the categories of data subjects and of the categories of personal data
  - the categories of recipients, including recipients in third countries or international organizations
  - details of transfers of personal data to third countries (where applicable)
  - retention periods for different categories of personal data (where possible) and
  - a general description of the security measures employed (where possible).
  Small businesses employing fewer than 250 employees are exempt from these record keeping requirements unless their processing activities are risky, frequent or include sensitive personal data.
- You should adapt your product development processes to include a privacy impact assessment, where necessary.
- Appoint a Data Protection Officer.
  - Work out if you need to appoint a data protection officer. Even if you don’t need to appoint a data protection officer, consider if you want to make a voluntary appointment.
  - Consider if you want to appoint a single data protection officer for the whole of your business or if you want to make individual appointments for each legal entity and/or jurisdiction.
  - Create a job specification for the role and appoint someone to that role.
- Data Security.
  - The Regulation requires you to keep personal data secure. This obligation is expressed in general terms but does indicate some enhanced measures, such as encryption, may be needed.
  - Controllers must report data breaches to their supervisory authority (unless the breach is unlikely to be a risk for individuals). That notification should normally be made within 72 hours. You may also have to tell affected individuals.
  - Consider setting up a central breach management unit to collate, review and notify breaches, where appropriate.
  - Review and update your security measures in light of the increased security obligations in the Regulation.
  - If you act as controller, update your contract templates to include the new processor language. Consider if you need to update the contracts with your existing suppliers.
  - The Regulation prohibits the transfer of personal data outside of the Union, unless certain conditions are met. Those conditions are broadly the same as those under the Data Protection Directive. Full compliance with these rules will continue to be difficult. The new minor transfers exemption is unlikely to be of much benefit in practice. You should review your current transfers and consider if they are justified now and will continue to be justified under the Regulation. You should consider implementing a “structural” transfer solution (such as binding corporate rules or an intra-group agreement) as these provide a general justification for your transfers.
Legal Disclaimer: IseoLabs AG is not a law firm and is not giving any legal advice with this blog. The blog is a summary of information available on the Internet.