The new European General Data Protection Regulation (GDPR) sets new obligations and responsibilities for Data Controllers and Data Processors. It also gives new powers to the national Data Protection Authorities (DPAs), the "supervisory authorities" defined in Article 4.21: independent public authorities established by each Member State. This reshapes the relationship between the Data Controller and the Regulator, i.e. the Supervisory Authority. As a Data Controller, knowing your responsibilities and duties towards data processing is mandatory, and understanding your obligations to the DPA is a necessary step towards compliance. See the article Implementing 3 main accountability principles under the EU GDPR.
Who are the DPAs and what can they do under the GDPR?
The GDPR does not fundamentally change the nature of the DPA. A DPA is an independent entity with its own budget, but it is not a court or a body of the judiciary; it sits on the executive side of the state. In practice this means that a decision taken by a DPA, such as a sanction, can be appealed before the administrative courts of the Member State (the right to a judicial remedy against a supervisory authority is set out in Article 78).
Each EU Member State must adapt the provisions of its national law that implemented Directive 95/46/EC, so that the administrative organisation of its DPA matches the GDPR. Data Controllers can refer directly to the GDPR to review their obligations and responsibilities, but they should also read the national law that governs their DPA, since that is where the DPA's procedures and additional powers are set out. Some Member States already have such laws in draft, for example the UK Data Protection Bill published on 14 September 2017.
The DPA will no longer receive the general notifications and filings of processing operations that the Directive required; the GDPR deliberately cuts this (very costly) red tape. Note that other contacts with the DPA remain, such as notification of a personal data breach (Article 33) and prior consultation for high-risk processing (Article 36). The DPA can, however, evaluate your self-compliance with the GDPR, for example by asking to examine your Register of Processing (the inventory of processing activities) and by reviewing your contracts, clauses and policies. It can also request access to your premises, either following a complaint or on its own initiative (so-called "surprise visits").
Fine, name and shame
A lot could be said about fines and sanctions in the GDPR. Regulation 45/2001, which governs the data processing activities of EU administrations (Commission, Agencies), is being aligned with the GDPR; its regulator, the European Data Protection Supervisor, is an EU institution and sits on the European Data Protection Board. A DPA can issue a warning, an administrative reprimand and, ultimately, a monetary sanction, typically escalating through these three steps. The fine a company pays depends on the type of violation: Article 83.4 caps fines at EUR 10 million or 2% of worldwide annual turnover for breaches such as failures of the controller's or processor's obligations, and Article 83.5 at EUR 20 million or 4% for breaches of the basic principles, data subject rights or international transfer rules. Whether sensitive data is involved is one of the factors weighed; Article 83.2 lists these criteria.
Nevertheless, paying a fine is one thing, but the DPA's main "pressure point" is the company's reputation and the trust of its customers, contractors and service providers. Being publicly known for not respecting the GDPR (i.e. name and shame) can have serious consequences for the future of the company, such as the loss of shareholder trust.
How to establish a good relationship with the DPA
There are a few basic steps to take to establish a stable relationship with the DPA.
1) Identification of the Lead DPA, which is the DPA of the Member State where the Data Controller's main establishment is located (Article 4.16 defines the main establishment; Article 56 governs the competence of the lead supervisory authority). This first step is important because the Lead DPA will be the focal point for the other DPAs when they wish to contact the data controller. In 2012, when the GDPR was still in draft, this aspect was nicknamed the "one stop shop".
As an example, suppose a Data Protection Authority contacts one of your affiliates located in country B about a complaint it has received from a user of your service or product. If the complaint concerns cross-border processing of personal data carried out in your activities, that Data Protection Authority should be invited to forward the complaint to the Lead Authority in country A, where your main establishment is located, which can then deal with it under Article 56 of the GDPR.
2) The designation of an in-house point of contact. This generally leads to further communication and information exchange between the controller and the DPA. Where a Data Protection Officer is appointed, this role falls to the DPO: the DPO is the face of the Data Controller, and through him or her the DPA knows it has a channel to the Data Controller. Learn more about the DPO here: The role of the DPO in light of the General Data Protection Regulation.
3) Clearing the queries and complaints still pending against the Controller under Directive 95/46/EC. One suggestion is to take stock of the pending complaints and assess their state of play. A Controller should bear in mind that the fines and sanctions under the old regime are relatively small compared with the new GDPR provisions. This is good motivation to deal with the pending queries as soon as possible and to show proactivity.
4) Approval of Binding Corporate Rules (BCRs) under Article 47. The current mechanism is administratively burdensome, but as of 25 May 2018 the Consistency Mechanism (Article 63) means that, once the Lead DPA of a controller approves the BCRs with the Board's opinion, that approval is valid in every EU Member State. The consistency mechanism also sets a time limit: under Article 64.3 the Board must adopt its opinion within eight weeks, extendable by a further six weeks. As the decision is taken at EU level, the Lead DPA is expected to communicate it to the Controller.
As of 25 May 2018, the Data Protection Authorities will be increasingly vigilant and alert. Not only do the DPAs gain more power and an enhanced role under the GDPR; the real risk to a Data Controller's reputation is without doubt the key incentive to build good relationships with them.