The heavy burden on data controllers

Excerpt from Bruno DUMAY's book: GDPR DECRYPTION – For Managers, Strategic Departments and employees of companies and organizations – Preface by Gaëlle MONTEILLER

The GDPR focuses on stakeholder accountability. Unlike the 1995 directive (the first major European data protection text), it does not require prior authorization or declaration. This is a clever move on the part of its designers: the lack of prior control helps make the efforts required to comply with the new rules acceptable.

As we have seen, the GDPR identifies a "data controller" in each structure, who is responsible first for achieving the required compliance and then for ensuring that data processing keeps operating properly. The tasks of this controller are onerous: not only must they implement the appropriate measures, but they must also be able to "demonstrate" that the processing is carried out in accordance with the regulation (art. 24-1). Adherence to a code of conduct (art. 40) or certification (art. 42), both encouraged by the supervisory authorities, is not an obligation, but it can facilitate the required demonstration.

The controller's guiding principle is simple: use personal data as little as possible. Article 25 thus recommends "pseudonymization" and "minimization," already mentioned above. It adds the principle of data protection by default: "The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data that are necessary for each specific purpose of the processing are processed" (art. 25-2). Unlike current practices, where everything is "taken" unless expressly stated otherwise, only what is strictly necessary to achieve the stated objective may now be used. Protection by default thus appears to complement, at the processing stage, the data minimization that applies at the collection stage.

Two professionals may be jointly responsible for the processing; in this case, the role of each is precisely defined and brought to the attention of the data subject (art. 26). When the data controller(s) are not established in the European Union, they designate a representative established in one of the Member States, who will be mandated to be the contact person for the data subject and the supervisory authorities (art. 27). Calling on the services of a subcontractor is possible, provided that the latter presents sufficient guarantees that the processing is carried out in compliance with the GDPR (art. 28-1).

Keeping a "register of processing activities" is mandatory (art. 30). It must include the contact details of the controller, the purposes of the processing, the categories of persons, data, and recipients concerned, any transfers to a third country, the deadlines for erasure, and a general description of the security measures. This register must be made available to the supervisory authority if it requests it. It is not mandatory for a company or organization with fewer than 250 employees, "unless the processing they carry out is likely to involve a risk to the rights and freedoms of the data subjects, if it is not occasional..." (art. 30-5). Be careful, therefore: the size of the company alone is not a sufficient criterion for exemption from the register. If you process data frequently, or if your activity can in any way be linked to the "rights and freedoms of individuals," you are required to keep a register of the activities carried out.

A regulation is not a technical manual. Article 32, devoted to processing security, nevertheless recalls some fundamentals: pseudonymization and encryption, means of guaranteeing confidentiality and integrity, and means of restoring the availability of data and access to them in the event of an incident. The drafters of the text do not neglect the risk of hacking: "When assessing the appropriate level of security, particular account shall be taken of the risks presented by the processing, resulting in particular from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to such data" (art. 32-2). In other words, a processing system will only be deemed compliant if it offers the necessary guarantees, if not the maximum, in terms of data protection and security. We remember the uproar caused by the hacking of the membership database of the North American dating site for married people, when tens of thousands of confidential profiles were released onto the internet.

If, despite the precautions taken, a personal data breach is discovered, the data controller must inform the supervisory authority within 72 hours "unless the breach in question is unlikely to result in a risk to the rights and freedoms of natural persons" (art. 33-1). This caveat provides some leeway, even if the entire text suggests that it should not be abused to conceal a problem. The report must indicate the nature of the breach, the approximate number of people concerned, the likely consequences of this breach, and the measures taken or suggested to remedy the problem or limit its consequences.

The data controller must also inform the data subjects affected by the breach as soon as possible (art. 34). This communication is not necessary if the stolen data is "incomprehensible", for example due to encryption, or if the measures taken mean that there are no longer risks to the rights and freedoms of the data subject, or if such communication "would require disproportionate efforts. In such cases, a public communication or a similar measure enabling data subjects to be informed in an equally effective manner shall instead be made" (art. 34-3c). This paragraph targets mass hacks, and frees data controllers from sending a personalized email to each individual in their files.

Finally, let us clarify that the spirit of the GDPR is unequivocal: in a company organized with subsidiaries, the obligations of the latter are the same as those of the parent company.
