February 14, 2018
The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. The following is the latest update on BGRS’s approach to our commitment to privacy and data security.
The privacy of data within the member nations of the EU and the EEA (European Economic Area) has been governed, to date, by the 1995 Data Protection Directive, which will be replaced by the GDPR.
To clarify the terminology on this subject: the 1995 Data Protection Directive and the soon-to-be-effective GDPR both govern the handling of data originating in the EU/EEA, while consent, Model Clauses, Safe Harbor and Privacy Shield are specific mechanisms for exporting that data from the EU/EEA to the United States and abroad.
Briefly stated, written consent from a transferee was the standard mechanism for exporting data outside the EU/EEA under the 1995 Data Protection Directive. A second option was the use of “EU Model Clause” agreements, particularly with clients who worried that the consent approach might be subject to legal challenge. A third option, dealing solely with the export of data to the United States, was the Safe Harbor Framework, which was the equivalent of a treaty between the EU and the US. BGRS was certified under the Safe Harbor Framework until 2015, when Safe Harbor was invalidated by the EU Court of Justice. In 2016, the Privacy Shield framework was enacted to replace Safe Harbor. BGRS successfully registered under the Privacy Shield framework in October 2016, and recently renewed that certification, thereby providing clients with multiple options for exporting data to the US and abroad.
All of these export mechanisms remain in place under the GDPR, while the handling of such data will be governed by the requirements of the GDPR, even after the data is exported.
BGRS Compliance With GDPR
Descriptions of the new requirements under the GDPR have produced an avalanche of material, often in the form of email alerts or links to articles from companies seeking to ply their services by instilling a maximum sense of panic. In broad strokes, the requirements of the GDPR pertinent to BGRS are as follows:
The Definition of “Personal Data” is Expanded
Consent Requirements Are Expanded
The current approach to consent will be insufficient under the GDPR. The GDPR requires informed consent in which the transferee is consenting to a detailed itemization of the data at issue, and not merely a blanket consent. The GDPR requires informed consent in all cases, and not merely as an option when data is being exported outside the EU. The consent from the transferee will also need to be obtained directly by the client, not by BGRS.
The “Right to Be Forgotten”
The GDPR precludes a company from retaining personal data longer than necessary, and also allows a transferee to demand the deletion of their data by withdrawing the consent noted above. BGRS has updated its policies to properly balance this GDPR limitation with existing retention requirements, as well as the audit requirements set forth in client contracts. If a client requires BGRS to retain data beyond the term of the contract, we will have a process of “pseudonymization” (a GDPR term) that renders personal data unreadable in the absence of a cipher or key. If a transferee invokes their right to be forgotten, we can delete the data in the active operating environments or, to the extent the file is archived, we are developing an online back-up functionality that will surgically pull out the data at issue.
Data Protection Officer
The appointment of a DPO is a new requirement under the GDPR. The DPO, preferably located in the EU, must have a direct reporting line to the CEO, and has a number of responsibilities defined by law, including (1) conducting periodic audits of data protection efforts, (2) interfacing with EU regulatory authorities, and (3) working with data subjects who raise concerns or requests for information.
BGRS has prepared and distributed a Data Protection Amendment, which updates the data privacy safeguards in our supplier agreements, in accordance with the GDPR. This follows an earlier initiative in 2016 when BGRS augmented the “onward transfer” agreements with our suppliers to address certain changes driven by the Privacy Shield framework.
BGRS will be reaching out to a small number of clients where the existing contract requires BGRS to obtain transferee consent, a practice that will not be consistent with the GDPR. As for all other clients, BGRS stands ready to consider any proposed revisions that a particular client may deem prudent, although we are reasonably confident that our existing client agreements are legally sufficient.
The UK has confirmed that there will be no difference at the current time between how the EU and the UK handle data privacy or data export. That conclusion may change in the future depending on the nature of the Brexit model that is adopted between the EU and the UK.