Collaboration Under New General Data Protection Regulations in the European Union
The General Data Protection Regulation will impact businesses that operate or collaborate in Europe. How will businesses have to update policy?
26 February 2016
EU officials announced agreement on a final text of the General Data Protection Regulation (GDPR) on December 15, 2015. The final text will be formally adopted by the European Parliament and Council early this year. It has become clear that the regulation will impact businesses that operate or collaborate in Europe. The question remains, how will businesses have to update policy to adhere to the regulations?
Let’s take a look at this regulation from the perspective of business-to-business collaboration. What are the key questions you need to answer with regard to your business partners and service providers? And how do you ensure that your company isn’t at risk of incurring the hefty fines announced in that final text?
Am I subject to the regulation?
The General Data Protection Regulation expands the scope of the current data protection rules in a number of ways to ensure that the personal data of European citizens is adequately protected. Both the controller (the party that decides why and how personal data is processed) and the processor (the party that processes it on the controller's behalf) will be subject to the regulation. So if you hold data containing the personal information of a European citizen, or are a service provider who processes such personal data on a customer's behalf, you are subject to the regulation.
The next key question is: Are you doing business in the EU? Remember that even pro bono work counts as doing business in the EU. Therefore, if you are collaborating on a project with a European partner that involves the use of the personal data of a European citizen, you are subject to the regulation.
What are the risks?
Once you have established that you are working with regulated data, the next step is to determine where this data will be stored and processed while you collaborate. You must be certain that the collaboration platform you use meets the regulation's data security requirements. With fines of up to 4% of global annual turnover or €20 million (whichever is greater), the security policies of your company, your partner's company, and any service providers you use to collaborate are critical when dealing with personal data.
Additionally, both controllers and processors can be held liable for data breaches. The GDPR also states that where a controller and a processor are both responsible for a breach, each is liable for the entire damage, so that the affected person is fully compensated. In accordance with national laws, that liability can then be apportioned between them according to each party's responsibility for the damage (if the controller and processor are joined in the same litigation proceedings).
What questions should I ask my partners and service providers?
When establishing a collaborative relationship that includes data covered under the GDPR, understanding the data protection policies of all parties involved is critical. Looking at the areas the GDPR addresses in terms of security will help shape the questions you ask of existing and future partners.
The GDPR requires data controllers to report a security breach involving either accidental or unlawful access to personal data to the competent supervisory authority within 72 hours of becoming aware of it. To ensure compliance, you must validate that your data processors can produce the necessary information to meet this requirement in time. This includes the nature of the breach, the data affected, and the steps taken in remediation.
If you are collaborating across borders, Binding Corporate Rules (BCRs) and model clauses will apply. These address the gap left, for transfers to the United States of America, when the Safe Harbor framework was declared invalid. When working on cross-border collaboration, ensure your partners have BCRs in place. If they do not, confirm that they are willing to sign model clauses to cover any transfer of personal data outside the European Economic Area.
There are accountability measures in place, including the requirement to document information systems and processing operations to ensure compliance.
Although the text of the GDPR is final, it has not yet taken effect. The final text will be formally adopted by the European Parliament and Council at the beginning of 2016. Following adoption, up to two years will pass before the regulation applies. For companies collaborating with personal data in the EU, ensuring that any data processors you choose are prepared to meet the regulatory requirements within the next 24 months will be critical to keeping your business from being interrupted.