What Are The Positives Of GDPR?
So far, we have been hearing mainly about how the high fines under the GDPR can make life difficult for businesses. However, the GDPR is here to stay – so let’s concentrate on the positives and how to make the regulation work for us.
Financial organisations are likely to be overseen by multiple regulators. There are a range of common themes that financial regulators such as the Financial Conduct Authority have been focusing on for many years, including topics such as ‘treating customers fairly’, ‘good customer outcomes’, ‘fair contractual terms’ etc. The GDPR adds to this list, and is all about personal data. It includes information provisions for individuals, contract requirements for third parties, and achieving clarity in communications. In order to meet these GDPR requirements, organisations will have to enhance interactions between their departments and experts, and create the evidence trail to achieve the best outcomes for their customers.
While the GDPR applies only to ‘personal data’, there is no reason why such good governance cannot be extended to all data. It makes sense for organisations to protect commercially valuable data as well as personal data. So why not apply the same standards and best practice across the board, instead of running a parallel set of processes labelled ‘GDPR’? It would make commercial sense.
Many examples of a risk-based approach can be found in the GDPR. It uses language such as ‘where appropriate’, ‘nature, scope and context’, ‘likelihood’ and ‘severity’. This is a positive for businesses, which take calculated risks all the time and are familiar with the application of risk management principles. The difference is that the GDPR measures risk by its impact on individuals, not on the business. Don’t forget these individuals are your customers, potential third parties and your employees, so decide the level of risk you want to take, but not at the expense of these individuals’ rights and freedoms. If you are unsure, the GDPR provides for prior consultation with your data protection authority.
Article 35 of the GDPR gives three examples of high-risk processing that requires a data protection impact assessment (DPIA): 1) systematic and extensive profiling based on automated processing that produces legal effects for individuals or similarly significantly affects them; 2) large-scale processing of special category data or of data relating to criminal convictions; and 3) large-scale systematic monitoring of a publicly accessible area. If any of these activities is taking place in your organisation, carry out a DPIA and consider whether the processing could lead to discrimination or to economic or social disadvantage. Remember, the disadvantage does not have to be financial; it also covers, for example, revealing individuals’ intimate and personal details.
The GDPR requires organisations to keep records of their processing activities. Article 30 relieves organisations employing fewer than 250 people of this duty, but only where their processing is occasional, is unlikely to result in a risk to the rights and freedoms of individuals, and does not include special category data or data relating to criminal convictions. An organisation that processes personal data as part of its normal business will not meet the ‘occasional’ condition and should expect to keep records regardless of headcount.
Controllers Based Outside The EU
Where controllers (or processors) based outside the EU offer goods or services to, or monitor the behaviour of, individuals in the EU, and so fall within the scope of the GDPR, they may be required to designate a representative within the EU. There is some flexibility here: Article 27 does not require a representative where the processing is only ‘occasional’, does not include large-scale processing of special categories of data (what we know as sensitive data) or of data relating to criminal convictions, and is unlikely to result in a risk to the rights and freedoms of individuals. Controllers based outside the EU should therefore assess whether their processing meets all three of these conditions before relying on the exemption.
Notification of Breaches To Individuals
Under the GDPR, affected individuals must be notified of a breach that is likely to result in a high risk to their rights and freedoms. The obligation is risk-based: if the breach is unlikely to result in such a risk, there is no requirement to notify them. The same is the case where the affected data was protected by measures that render it unintelligible to anyone not authorised to access it, such as encryption, since this reduces the risk of identity theft to the individual. In these scenarios the firm can decide whether or not it still wants to notify individuals. The flexibility is narrower for notifying the data protection authority: a breach must be reported to it without undue delay and, where feasible, within 72 hours of the firm becoming aware of it, unless the breach is unlikely to result in any risk to individuals. The encryption exception does not apply to this notification.
Don’t forget there are 50 or so flexibilities in the GDPR text that member states have discretion to build into secondary legislation, so watch out for consultations from the Department for Culture, Media and Sport (DCMS).
Calculation of Fines Under the GDPR
Fines under the GDPR will ultimately be set by the data protection authority depending on the nature of the infringement and the factors listed in Article 83, such as its gravity and duration, whether it was intentional or negligent, the action taken to mitigate the damage, and the degree of cooperation with the authority. The upper limit is expressed as a fixed sum or, in the case of an undertaking, as a percentage of its ‘total worldwide annual turnover of the preceding financial year’, whichever is higher. That is where the question of how much control a parent company has over a subsidiary comes in.
Let us look more closely at what an undertaking is and how subsidiaries may or may not be captured. Recital 150 of the GDPR states that, ‘where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes’. In other words, ‘undertaking’ is defined in competition terms, with reference to competition case law. Rather than following the legal entity structure, an undertaking is a single economic unit that can comprise a parent company and its wholly owned subsidiaries.
It is not yet clear how this will work in practice for GDPR fines. Competition fines are calculated on the ‘relevant turnover’, meaning the turnover of the undertaking in the relevant product market and relevant geographic market affected by the infringement. The ‘relevant market’ is always open to debate and requires some economic analysis in each case. In the Akzo Nobel NV case, the European Court of Justice ruled that it is sufficient for the EU Commission to show that a subsidiary is wholly owned by its parent company in order to presume that the parent exercises decisive influence over the subsidiary’s commercial policy. The Commission can then hold the parent company jointly and severally liable for the fine imposed on the subsidiary, unless the parent, which carries the burden of rebutting the presumption, adduces sufficient evidence that the subsidiary acts independently in the market. Where the parent is represented on the subsidiary’s board, proving that independence may be difficult.
Two points can be deduced:
- Competition fines are calculated on the turnover of a relevant product market and relevant geographic market. A significant data protection infringement has no obvious equivalent ‘market’, so the comparison may not transfer cleanly to the GDPR.
- If the calculation is this complex in theory, data protection authorities will find it difficult in practice to impose fines that withstand challenge from the fined organisation.
Note that whatever the fine, the reputational risk attached to data breaches remains the same. The higher tier of fines, up to €20m or four per cent of worldwide annual turnover, whichever is higher, applies to infringements of the basic principles of processing, data subject rights, and transfers of personal data to recipients in third countries. These are therefore the high-risk areas where organisations should be able to demonstrate compliance.
Our advice to organisations is to make the GDPR part of your business processes, rather than approaching it as a pure compliance requirement. GDPR projects driven by fear of fines, as opposed to achieving good governance, will look very different in practice and achieve different outcomes.