Personal data: consequences of processing, assessment of risk and threats, rules for profiling

13 July 2017

It is only by May 2018 when enterprises have time to adapt to new EU legislation on personal data processing and protection. Now is a good time to start implementing relevant organisational and technical measures, as well as staff training, to avoid problems with following the new regulations when the time comes.

The General Data Protection Regulation of the European Parliament and of the Council (GDPR) comes into force on 25 May 2018. The GDPR introduces a completely new approach to personal data protection and processing. First and foremost, the data controller will have to perform by itself a data protection impact assessment and an analysis of potential risk involved (risk-based approach). The risk analysis includes the verification of the data processed, the assessment of risks involved in the processing of specific personal data and the planned safeguards, security measures and mechanisms to minimise risks and threats.

The data protection impact assessment will have to be performed before commencing the processing. It will be compulsory where the nature, scope, context and purposes of the processing are likely to result in a high risk to the rights and freedoms of natural persons, as well as when a given type of processing is subject to compulsory assessment under the decision of the supervisory authority.

Profiling of personal data of natural persons

The GDPR lays down the rules of profiling. The law defines profiling as "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements."

Profiling is legal if:

• it is clearly allowed by law,
• it is necessary to conclude and perform an agreement between the data subject and the data controller,
• the data subject consents to profiling.

Right to be forgotten – data controller must erase the personal data

The new regulations give more rights to data subjects. They will have the right not only to access the data (view them), rectify them, restrict their processing, but also to have the data erased (i.e. "the right to be forgotten"). The data subject will have the right to request that the controller immediately erase the data of the data subject. What is more, if the personal data have been made public, the controller who received a request to erase the data will be obliged to take steps to inform other controllers which are processing such personal data that the data subject had requested that the other controllers erase any links to, or copies or replications of those personal data.

Where technically feasible, the data subject will also have the right to have the personal data transmitted directly from one controller to another (the so-called right to data portability). For example, when the customer changes his mobile network operator and would like the previous operator to transmit the data to the new one.

The GDPR will require enterprises to take a number of steps and implement new procedures, both legal and IT, for example:

• review the reasons and grounds for personal data processing,
• review the need and legitimacy of appointing a data protection officer,
• analyse and review HR records and the principles of the recruitment process,
• provide staff training,
• review the contracts for outsourcing of personal data processing, as well as information clauses and consents to personal data processing under the GDPR,
• prepare data protection records under the GDPR (e.g. risk analysis) and to review them regularly (e.g. once a quarter/half-year).

When it comes to IT systems, an in-depth analysis of risks inherent in possible incidents of making the data public or losing the data will be of particular importance. The risks will have to be assessed on the basis of the technical state of the art and the knowledge of real threats. A perfectly implemented risk analysis process should also include continuous monitoring of information on safety gaps identified in the systems and applications, as well as allow quick response to emerging threats causing high risk for data security.

Therefore, another challenge is to implement technical and organisational (formal) measures which will protect personal data against security incidents in the best possible way. The decision on which measures to take will be left entirely to enterprises. Apart from that, the new obligation to monitor security incidents related to personal data processing may be a big change for enterprises.

Data controller will have only 72 hours to report the discovered data "leak" to the supervisory authority, including the time necessary to analyse the scale of the problem, determine the amount and type of the "leaked" data. If the problem could result in "a high risk to the rights and freedoms of natural persons", the controller will also be obliged to notify each of the affected data subjects of the risk. What is more, it will also be necessary to raise employee's awareness of threats so that a potential incident was identified and immediately reported to the data controller.

Liability and sanctions for violating the GDPR

Infringement of the GDPR is punishable under civil and administration law. Civil law liability will apply to any person who has suffered material or non-material damage as a result of an infringement of the GDPR. Such a person will have the right to receive compensation from the controller or processor for the damage suffered. If data are processed by more than one controller or processor, the liability will be joint. Where a controller or processor has paid full compensation for the damage suffered, that controller or processor will be entitled to claim back from the other controllers or processors involved in the same processing the part of the compensation corresponding to their part of responsibility for the damage.

Administrative liability, in turn, is to be restricted to fines imposed by the supervisory authority.

Violation of the GDPR – penalty factors

When deciding whether to impose a fine and deciding on its amount, the authority will take into consideration, among other things, the following:

• the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them,
• the intentional or negligent character of the infringement;
• actions taken by the controller or processor to mitigate the damage suffered by data subjects,
• the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them,
• any relevant previous infringements by the controller or processor,
• the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement,
• the manner in which the infringement became known to the supervisory authority, in particular whether, and if so – to what extent, the controller or processor notified the infringement,
• adherence to approved codes of conduct or approved certification mechanisms and
• any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

The amount of the fine depends on the type of infringement and will total even as much as EUR 20 million and in the case of an enterprise – up to 4% of its total worldwide annual turnover of the preceding financial year.

Who will be subject to the GDPR

The obligation to process personal data in compliance with the new regulations will apply to:

• data controllers established in the EU, irrespective of whether the processing takes place in the EU,
• data controllers not established in the EU but have an establishment in a place where Member State law applies by virtue of public international law,
• data controllers not established in the EU who process the data of persons who are in the EU if:

the processing activities are related to offering goods or services to persons who are in the EU, irrespective of whether involving a payment,

the behaviour of the data subjects who are in the EU is monitored, in so far as their behaviour takes place within the EU (e.g. web browsers, Google).