DO YOU REALLY HAVE GDPR SORTED OUT? DO YOU KNOW ALL THE NEW METHODOLOGIES?

17.2.2023

GDPR has been the bogeyman of the past few years. In 2018, everyone was revising internal data processing rules, updating vendor contracts, deleting old data, and putting new and longer data processing information memoranda on the web.

Do you think you're over that now? Unfortunately, it's not that easy. The interpretation of the GDPR is evolving, and inspections are focusing on weak points. The risk of fines is increasing.

The GDPR and the Czech Data Processing Act are general regulations. The basic rights, obligations and rules apply to all those who process personal data in practice, regardless of size, sector of operation, number of clients or employees. Interpretive practice, case law and methodologies of supervisory authorities specify how to comply with individual obligations. It is also important to take into account sectoral regulation, which in many areas contains specific conditions for the use of personal data.

We could count dozens of important judgments and new methodologies since 2018. Let's summarise the most important changes and updates:

Transfer of personal data outside the European Union

Do you share information about your clients, employees or suppliers with a parent or sister company based outside the EU? Do you use cloud services from a US company or have a customer support service in India?

The GDPR places specific requirements on such data transfers. There are at least two recent developments that are important to note:

  • New binding contractual templates (clauses) are effective from 28 December 2022.

To ensure the protection of data transferred outside the EU, so-called European standard contractual clauses are often used. This means that you enter into a specific contract with the data recipient (e.g. a supplier). In it, the supplier commits to how it will protect the data, undertakes not to use it for its own purposes, agrees to allow your clients to exercise their rights, etc.

In 2021, the European Commission issued new model contract clauses that must be concluded in such a case. The old contracts could only be used until 27 December 2022. Have you concluded a new contract in time?

  • Obligation to document data transfers outside the EU

The European Data Protection Board, a body bringing together the supervisory authorities of each EU member state, issued detailed recommendations in 2021 on what data protection measures to take before transferring data to third countries. This goes beyond standard contractual clauses. All risks associated with such data disclosures must be documented in a "transfer impact analysis", together with the additional measures taken by the data exporter to protect the persons concerned.

Have you mapped all cases where the personal data you hold is accessed by non-EU entities? Have you analysed the risks involved? Can you demonstrate to the Data Protection Authority, when asked, what measures you have taken and why? And when did you last assess whether these measures are effective?

Online cameras now covered by the GDPR

The Czech Data Protection Authority was previously of the opinion that the rules on the processing of personal data applied only to camera systems with recording equipment. It did not address online cameras without recording.

However, this changed in 2022.

The European Data Protection Board has issued a comprehensive methodology on cameras that does not make this distinction (online cameras vs. cameras with recording). And the Czech DPA, rather quietly, modified the position on cameras on its website in July 2022. It now assesses compliance with GDPR obligations for all cameras, regardless of whether or not footage is permanently recorded.

What does this mean in practice?

If you operate an online CCTV system, for monitoring traffic, monitoring building access, assessing workload at individual sites, warehouses, etc., and the cameras also capture individuals, you are in the GDPR regime. You need to define and describe the purpose of the processing and its legal basis, set the parameters, document security, inform employees and other affected persons about the data processing, etc.

If your cameras record employees, you must also take into account the relevant provisions of the Labour Code, which lays down more detailed and, in some respects, stricter requirements for workplace surveillance than those generally introduced by the GDPR.

Do you use (online) cameras in the workplace? Are they compliant with the regulation?

Do you have a Data Protection Officer? And can you show us?

The GDPR requires a number of regulated entities to appoint so-called data protection officers.

Anyone who carries out extensive and regular processing of client or employee data, regularly monitors individuals or processes sensitive data must designate an employee to deal internally with the compliance of processing with the regulation. That person must be equipped with sufficient resources and competences and involved in the business and operational issues affecting personal data. And everything must be documented.

The actual functioning of data protection officers will be the focus of inspections by European data protection authorities in 2023, including the Czech Data Protection Authority.

And they will ask questions like this:

  • Are you required to appoint a Data Protection Officer? If so, have you appointed one and informed the authority?
  • Does your Data Protection Officer have a conflict of interest, perhaps because he or she holds a senior position in IT, HR or Operations?
  • Does he/she have sufficient competences and status as described in the internal rules?
  • And can you document with concrete examples how your Data Protection Officer has been involved in internal processes, the development of new products, the handling of transfers of personal data outside the EU, and the investigation of security incidents?

If you can readily document all of this during an inspection, you can rest easy.

How do you manage security incidents and personal data leaks?

The GDPR requires every regulated organisation to identify security incidents affecting personal data: not only data leaks, but also data unavailability, loss, unauthorised modification and access by unauthorised persons.

All incidents must also be assessed in a timely manner, in terms of their impact and the potential risks to the affected persons (employees, clients, etc.). If the risk to the affected persons is relevant, that is, more than low, the organisation must notify the Data Protection Authority of the incident. Within what timeframe? The GDPR says that the organisation must comply with this obligation without undue delay, and no later than 72 hours after the incident is discovered.

Relevant risk, greater than low risk, without undue delay... Yes, these are all rather vague terms that everyone can interpret in practice in their own way.

To standardise the approach, the European Data Protection Board has prepared two methodologies.

  • In the first one, from 2021, the European Data Protection Board, in 30 pages, discusses examples of individual incidents and attacks and assesses the risk associated with them, in other words, whether such incidents need to be reported to the supervisory authority.
  • The second methodology, coincidentally also 30 pages long, provides detailed guidance on how to set up a process for managing security incidents: from when the notification period runs, how the rules should be handled in relation to suppliers, including suppliers from third countries, how incidents should be recorded, what the role of the Data Protection Officer should be, etc. The methodology was published in the autumn of 2022, the public consultation ended in November and the final version is expected to be issued shortly.

Do you know about all the security incidents in your organisation? Are you managing them, fixing vulnerabilities, addressing data leaks? And do you have a documented process and a methodology for assessing incidents and communicating with the authority? Are you confident that you will be able to notify the Data Protection Authority of a significant security incident within 72 hours?

What can we help you with?

  • review of internal processes to ensure compliance with the GDPR,
  • updating the mapping of processing operations and compliance with individual obligations (determination of the purpose and legal basis of processing, limiting the scope and duration of data, etc.),
  • identification and control of the most risky areas and their coverage,
  • updating internal regulations and methodologies,
  • updating and completing information memoranda,
  • reviewing contracts with suppliers, data processors,
  • checking that sufficient precautions are in place for the transfer of personal data outside the European Union,
  • analysing the obligation to comply with individual requirements, e.g. appointing a Data Protection Officer and defining his/her position in the internal rules,
  • completing and updating training for staff,
  • monitoring legislative and interpretative developments.