7 March 2017

The General Data Protection Regulation – Are you ready for 2018 changes – Part 2

Greater harmonisation

The start date of the European Union’s (EU) General Data Protection Regulation 2016/679 (the ‘regulation’) is Friday, May 25th 2018. It applies to the EU and European Economic Area (EEA). In this, our second note, we complete our rundown of what you need to be considering.

This is the second part in our update series on the upcoming changes for data controllers and processors.


Rules on registration with National Data Protection Authorities (‘NDPAs’) are changing. The regulation will require businesses to maintain detailed documentation (known as article 30 information) recording their processing activities, and the regulation specifies the information this record must contain. Mandatory registration with NDPAs will no longer be required, though in the post-Brexit scenario the UK may wish to maintain mandatory registration.

Data processors must keep a record of the categories of processing activities they carry out on behalf of a controller. The regulation specifies what this record must contain.

These obligations do not apply to an organisation employing fewer than 250 people unless the processing is likely to result in high risk to individuals, the processing is not occasional or the processing includes sensitive personal data. What constitutes ‘occasional’ has not been defined.

In addition, controllers or processors can be required to appoint a data protection officer, and it remains best practice to do so.

Controllers should:

  • Check any current compliance programmes to ensure compliance with the regulation.
  • Ensure that records of all processing activities are kept.
  • Engage a data protection officer (it is mandatory to do so for businesses with 250 or more employees) with expert knowledge of data protection. That employee may have protected employment status in some EU member states.

New obligations of data processors

The regulation introduces direct compliance obligations for processors. Under the directive, processors generally were not subject to fines or other penalties; under the regulation they are treated more like controllers. The regulation impacts both processors and controllers that engage processors in the following ways:

  • Processors will have their own compliance obligations.
  • In controller/processor negotiations, processors should seek to ensure that the scope of the controller’s instructions is clearer.

Processor agreements should be reviewed early on since changes are likely to require time to implement.

Strict data breach notification rules

The regulation requires businesses to notify the NDPA of data breaches without undue delay and, where feasible, within 72 hours.
If the breach is likely to result in high risk to the individuals, the regulation requires businesses to inform data subjects ‘without undue delay,’ unless an exception applies. Processors must notify the controller.

A data breach response plan will need to be compiled, designating specific roles and responsibilities, training employees, preparing template notifications and enabling them to react promptly in the event of a data breach. A single plan will suffice for the whole of the EEA.


The regulation introduces a new concept of ‘pseudonymisation’ (that is, the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without additional information, but where those data can be re-married with identity information).

There are currently differing approaches to anonymisation and pseudonymisation. The criteria for determining whether data are truly anonymised or pseudonymised differ between EEA member states. We shall be monitoring the approaches in Europe and are happy to provide updates.

Binding Corporate Rules (BCRs)

BCRs are agreements used to provide a basis for the lawful transfer of personal data out of the European Economic Area (EEA). The regulation formally recognises BCRs, which will still require NDPA approval. The approval process should become less onerous than the current system. BCRs will become available to both controllers and processors. 

However, in relation to the CJEU’s judgment (Schrems v Data Protection Commissioner), declaring the Commission Decision on EU-US Safe Harbor invalid, the UK’s Information Commissioner has confirmed that:

“The terms of the judgment inevitably cast some doubt on the future of these other mechanisms [standard contractual clauses and BCRs], given that data transferred under them is also liable to be accessed by intelligence services whether in the US or elsewhere” (ICO Blog, 27 October 2015).

On May 25th 2016 the Irish Data Protection Commissioner confirmed it was seeking a declaratory judgment from the Irish High Court on the validity of standard contractual clauses, and a referral of the issue to the CJEU.  At present there is no information as to when this might be.

The regulation provides for a number of mechanisms to regulate the transfer of personal data out of the EEA. The regulation also formally recognises BCRs as a lawful data transfer mechanism (the directive does not). Under the regulation it is easier for businesses to obtain approval from NDPAs of their BCRs. Pre-Schrems, the view was that once the regulation applies, there will be an increase in the number of businesses that seek to implement BCRs. However, watch this space: the Schrems decision has not reached the end of the road.

The right to be forgotten – in truth the right to stop certain profiling of your data such as to make parts more prominent in searches than others

The actual right is the right not to have one’s personal data aggregated indiscriminately by an aggregating search service such as Google.

Subjects will have the right to request that controllers delete their personal data in certain circumstances (for example, the data are no longer necessary for the purpose for which they were collected or the data subject withdraws their consent). It remains unclear precisely how this will work in practice, especially since there is an informal practice that records are kept for accounting purposes for at least 7 years.

In May 2014 in Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, Case C-131/12, 13 May 2014, on a referral from a Spanish court, the CJEU looked at that aggregation problem and ruled that in an aggregation case an individual has a right to rectification, erasure or blocking of that information so as to stop aggregation, and a right to object to the processing of the information so as to result in aggregation. The case is no authority for token or single uses on the internet. 

The right to object to profiling

In certain circumstances, subjects will have the right to object to their personal data being processed (which includes profiling).

‘Profiling’ is defined broadly and includes most forms of online tracking and behavioural advertising, making it harder for businesses to use data for these activities. Profiling must be disclosed to the subject, and a privacy impact assessment is required. 

The European Data Protection Board is thought to be in the process of providing further guidance on profiling, though no time has been set for when this might be.

The right to data portability

Subjects have a new right to obtain a copy of their personal data from the controller in a commonly used and machine-readable format and have the right to transmit those data to another controller (for example, an online service provider). In exercising their right, the data subject can request the information be transmitted directly from one controller to another, where technically feasible. It is well known that the reason for this rule is to enable users of Facebook to defect to competing social networks.

Data subject access requests

Businesses must reply within one month from the date of receipt of the request and provide more information than was required under the directive. No fee is payable and the old 40 day rule will not apply. The 40 day rule states that data which are processed for no more than 40 days are not disclosable.

Businesses should plan how they will respond to data subject access requests within the new time scale and how they will provide the additional information required.