You should document –

• what personal data you hold
• where it came from
• where it is held
• who has access to it
• who you share it with
• how is it being secured

You must give and display notices that –

• provides complete details of the grounds that you are used to justify processing
• highlights that consent may be withdrawn, the existence of the data subject rights (see action 4) and the right to lodge a complaint with the Supervisory Authority (DPA)
• the format of the notices must be concise, transparent, intelligible and in an easily accessible form using clear and plain language.

The main rights for individuals under the GDPR will be –

• the right to access to their personal data held
• the right to have inaccuracies corrected “without undue delay”
• the right to have their information erased on request “without undue delay”
• the right to object to the processing of personal data for direct marketing purposes
• the right to prevent automated individual decision-making and profiling
• the right of “data portability”

Data subjects will have a right to request a copy of their personal data undergoing processing

They may also request –

• the purpose of processing of their data
• inaccuracies to be amended
• their data to be removed and deleted
• the period of time for which data will be stored
• any recipients of the data (e.g. any other processors)
• the logic of automated decision-making, including profiling, and the envisaged consequences of any such processing

The controller must take the appropriate action “without undue delay” or at the latest within a month of the request

The GDPR introduces Data Protection Impact Assessments (DPIA) as a means to identify and deal with high risks, notably to the privacy rights of individuals when processing their personal data

The DPIA requirement is linked to processing “likely to result in a high risk for the rights and freedoms of natural persons,” taking into account “the nature, scope, context and purposes of the processing”

The data protection authorities (“DPAs”) have promised to provide guidance before the end of 2016 on this aspect of the Regulation – this is still awaited

Individual DPAs have authority to publish guidance on the kinds of processing operations that require a DPIA and those that do not, and these individual guidance documents might differ from country to country.

Consent must be “freely given, specific, informed and unambiguous”

Consent has to be specific to the processing operations – the “data controller” cannot request open-ended or blanket consent to cover future processing

GDPR requires the data subject to make a statement or clear affirmative action removing the possibility of “opt-out” consent or the interpretation of silence, inactivity, and pre-ticked boxes as a means of providing consent

GDPR allows member states to enact laws that restrict the processing of some categories of data even if the data subject explicitly consents.

The data controller bears the burden of demonstrating (auditability) that consent was obtained lawfully

GDPR introduces specific protections for children who are identified as “vulnerable individuals” and deserving of “specific protection”.

This applies to children under the age of 16, unless a Member State has made provision for a lower age limit (lowest age limit is 13).

Where online services are provided to a child and consent is relied on as the basis for the lawful processing of his or her data, consent must be given or authorised by a person with parental responsibility for the child (very difficult to prove)

A “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

In the event of a personal data breach, as a general rule, data controllers must notify the supervisory authority –

• Notice must be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
• If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.
• Moreover, in most cases, data controller will have to communicate the personal data breach to the data subject, without undue delay

A notification to the authority must “at least” –

• describe the nature of the personal data breach, including where it is possible the number and categories of data subjects and personal data records affected
• provide the data protection officer’s contact information
• “describe the likely consequences of the personal data breach”
• describe how the controller has addressed or proposes to address the breach, including any mitigation efforts

Controllers and processors are required to “implement appropriate technical and organisational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”

Specific suggestions for what kinds of security actions might be considered “appropriate to the risk,” including –

• the pseudonymisation and encryption of personal data
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Both data controllers and data processors that adhere to either an approved code of conduct or an approved certification mechanism (e.g. ISO 27001) may use these tools to demonstrate compliance with the GDPR’s security standards

GDPR codifies both the concepts of privacy by design and privacy by default

A data controller is required to implement appropriate technical and organisational measures both at the time of determination of the means for processing and at the time of the processing itself in order to ensure data protection principles such as data minimisation are met.

Any such privacy by design measures may include, for example, pseudonymisation or other privacy-enhancing technology

GDPR takes a flexible, risk based, approach to privacy by design.

In implementing privacy by design, a data controller is expected to take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the likelihood and severity of risks to the rights and freedoms of natural persons posed by the processing of their personal data

GDPR requires all organisations to implement a wide range of measures to reduce the risk of contravening GDPR requirements and to prove that they take data governance seriously.

Accountability measures include: Data Protection Impact Assessments, audits, policy reviews, keeping records of processing activities and (potentially) appointing a Data Protection Officer a (“DPO”)

For those organisations which have not previously designated responsibility and budget for data protection compliance these requirements will impose a heavy burden.

Controllers and processors are free to appoint a DPO but the following must do so:

• Public authorities (with some minor exceptions)
• Any organisation whose core activities require “regular and systematic monitoring” of data subjects “on a large scale” or “large scale” processing of sensitive data or criminal records
• Those obliged to do so by local law (countries such as Germany are likely to fall into this category).

DPO tasks include:

• informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws
• monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits
• advising with regard to data protection impact assessments when required and monitoring its performance
• working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data
• being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights

GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection.

In the absence of an adequacy decision, transfers are also allowed outside non-EU states under certain circumstances, such as by use of standard contractual clauses or binding corporate rules (BCRs).

BCRs require approval from DPAs, but once such approval is obtained, individual transfers made under BCRs do not require further approval.

Derogations are also permitted under limited additional circumstances.

Organisations operating internationally outside the EEA should review and map their international data flows, including –

• intra-group data flows
• extra-group data flows where a EEA group company controller is exporting to a controller or processor outside of the EEA
• extra-group data flows where a non-EEA group company is importing as a processor or controller
• consider what existing data transfer mechanisms are in place and whether these continue to be appropriate. Countries that are currently white listed remain so until a Commission review finds otherwise (Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, Uruguay and New Zealand)
• consider whether BCRs or PBCRs would be a viable option for intra-group data transfers
• consider putting in place a process for responding to requests for information from non-EEA litigants, regulators or law enforcement agencies and ensure that relevant staff are made aware of such a process
• ensure export obligations flow down through subcontractor chains and across to other controllers where required