Data privacy has become a critical factor for business success.
The growth of the Internet and the use of new technologies such as cloud, social media, mobile communications and big data, which enable the collection, storage and mapping of large amounts of data, easy tracking and global sharing of information, have opened up new opportunities for many businesses. At the same time, countries around the world, including the EU and Switzerland, continue to adopt new or stronger regulations to address the rapid development of new technologies and the growing concerns and expectations of consumers, employees and other stakeholders regarding the access, collection, use, disclosure and security of their personal information.
What is data privacy about?
Data privacy is about the individual’s right to take decisions in respect to information relating to him or her and to control the collection, use and disclosure of his or her personal data.
Personal data is any information relating to a person, irrespective of whether the person is identified, for example by a name, or is only identifiable by someone, for example through a passport number or a code.
Why should you care about data privacy?
Companies have a legal obligation to protect personal data and privacy rights. When designing and developing new IT systems or introducing new business practices, for example global data management systems or outsourcing, companies must ensure compliance with applicable privacy laws and should therefore consider privacy requirements from the outset.
Non-compliance with legal obligations may lead to significant risks for companies and the consequences can be serious.
The reputation of a company can be severely affected by poor information management practices. Stakeholders’ trust and confidence can be damaged. Further consequences of violations may be heavy fines, injunctions, governmental inspections and criminal liability.
What should you do?
Be prepared to respond to increasing privacy-related challenges and cyber risks. A structured privacy approach simplifies privacy management by providing a framework that enables companies to respond proactively to the ever-increasing challenges in data privacy and security management and to meet jurisdictional, organizational and strategic requirements and thus to reduce risk. At the same time, privacy governance and management practices enable companies to demonstrate accountability and enhance trust among stakeholders.
How can we support you?
We assist companies in establishing an adequate level of privacy compliance and minimizing legal and commercial risks through a structured and straightforward risk-based approach, taking into account the legal and regulatory requirements applicable to the company and its specific needs.
Would you like more information? Then contact us via e-mail: email@example.com or call us: +41 61 544 44 01.
May 4, 2016: The new EU General Data Protection Regulation (GDPR) published
On May 4, 2016, the EU General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union. The GDPR will replace the current EU Data Protection Directive and will be directly applicable in all EU Member States. Companies will have time until May 25, 2018 to implement all required steps necessary to comply with the new regulation.
The GDPR contains strengthened and new rights for data subjects, such as a right to be forgotten or a right to data portability, and new obligations for data controllers and data processors.
Here are some of the key changes:
1. The territorial scope has been expanded to include data controllers and (new) data processors that are established in the EU. Importantly, also companies that are NOT established in the EU, but offer goods or services to, or monitor the (online) behaviour of data subjects in the EU, fall under the scope of the GDPR.
2. Controllers must be able to demonstrate their accountability for compliance with the GDPR. This includes the obligation to:
- Maintain documentation of processing activities
- Establish policies and guidelines
- Appoint a data protection officer (DPO) in certain cases
- Implement security measures
- Implement data protection by design and by default and
- Conduct privacy impact assessments
Accountability may be demonstrated by various means, such as Binding Corporate Rules (BCR), certifications or codes of conduct.
3. The requirements for obtaining consent have been strengthened. Consent must be freely given, specific, informed and unambiguous, must be explicit for sensitive personal information, and must be revocable at any time. It must be clearly distinguishable from other matters when requested in the context of a written document, and it must be provided in an intelligible and easily accessible form, using clear and plain language. Also, consent will not be valid if there is a clear imbalance between the data subject and the controller, which may be the case, for example, in the employment context. Importantly, a controller may not make a service conditional upon consent unless the processing of personal data is necessary for that specific service.
4. Data processors now have direct statutory obligations under the GDPR. This includes the obligation to:
- Maintain records of processing activities
- Implement appropriate data security measures
- Cooperate with supervisory authorities
- Assist controllers to comply with the GDPR
- Comply with cross-border data transfer restrictions
- Notify controllers in case of a data breach
- Become a joint controller if data is processed beyond the instructions of the controller
- Enter into a written data processing agreement with the controller
- Appoint a DPO in certain cases
5. Data controllers must notify supervisory authorities about data breaches without undue delay and, where feasible, within 72 hours after having become aware of the breach. Where the breach is likely to result in a high risk to individuals' rights and freedoms, the affected individuals must also be notified about the breach without undue delay.
6. Violations of the GDPR may result in fines of up to EUR 10 m or 2% of the annual worldwide turnover, for example for failures to comply with the general obligations, to appoint a DPO, or to implement security measures and privacy impact assessments. More severe failures, for example to comply with the basic privacy principles for data processing, such as consent requirements, data subject rights or data transfer restrictions, may result in fines of up to EUR 20 m or 4% of the annual worldwide turnover.
What should companies do now?
Companies subject to the GDPR should start now to implement appropriate measures so that they comply with the GDPR in two years' time, by taking the following steps:
- Get familiar with the GDPR and the obligations applicable to your organization
- Conduct an assessment of the current privacy management practices within your organization and of the gaps in respect to the new requirements under the GDPR
- Identify measures that must be taken to comply with the GDPR and define an action and time plan for the remediation
- Watch out for guidelines and opinions that will be published by national Data Protection Authorities and the Article 29 Working Party in the coming months
How can we help you?
We are happy to assist organizations in getting a better understanding of the requirements under the GDPR applicable to them, conducting assessments and gap analyses, providing guidance on remediation, and developing the necessary policies, guidelines and processes to ensure compliance with the GDPR and minimize risks.
You can find the final text in various languages here:
Would you like to get more information? Then contact us via e-mail: firstname.lastname@example.org or under +41 61 564 01 08.