Below is a list of questions from the SureCloud GDPR Webinar. The questions have been answered based on our presenters' understanding of the Regulation and are for guidance only. Before acting on this guidance, we recommend seeking legal advice.
Question 1 – I’m with a US company. Does the EU-US Privacy Shield mean I don’t have to comply with the EU GDPR?
Though it is considered a good-faith effort, the EU-US Privacy Shield does not exempt participating US companies that operate in the EU from meeting the requirements of the General Data Protection Regulation.
The Privacy Shield deals specifically with data transfers between two political areas (the EU and the US) in support of transatlantic commerce. That covers just two of the ten GDPR requirements identified on the chart below, leaving Privacy Shield members exposed to possible EU penalties for the rest.
Question 2 – Does personal data under GDPR include the combination of multiple assets within an organisation in the same way that DPA does?
Yes. Article 4 of the Regulation defines data as personal according to whether a natural person can be identified, directly or indirectly, irrespective of how the data is stored or collated. An operation or process that collates multiple data sets (i.e. assets) so that a natural person can be identified, where they could not be identified from any one set alone, is therefore in scope. This is a key consideration for Data Protection Impact Assessments.
Question 3 – If a supplier has 27001 and provides evidence, will this be deemed an adequate assessment of the supplier?
No. Certification to existing standards such as ISO 27001 and/or other cyber security schemes will help to demonstrate compliance with elements of the GDPR but is unlikely to be sufficient evidence on its own, given the much wider breadth of the new regulation. Ultimately it will be possible to obtain GDPR certification once Supervisory Authorities and the European Data Protection Board (EDPB) establish the certification mechanisms and certification bodies outlined in Articles 42 and 43.
Question 4 – Would security CCTV cameras in a restaurant be covered?
Yes. CCTV footage from which individuals can be recognised is personal data and is therefore covered by the GDPR. Note, however, that footage is only biometric data under Article 4(14) where the images undergo specific technical processing (for example facial recognition) that allows or confirms the unique identification of a person; Recital 51 makes clear that photographs and video are not systematically biometric data. Where such processing is used, the footage falls into the special categories of Article 9 and may only be processed under one of the exemptions in Article 9(2), such as sub-paragraph (c): "processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent". For ordinary security CCTV without facial recognition, the lawful basis is more likely to be the controller's legitimate interests under Article 6(1)(f) (see Question 6), and signage, retention limits and, for large-scale systematic monitoring of a publicly accessible area, a DPIA under Article 35(3)(c) still apply.
Until further guidance on CCTV under the GDPR is issued, we recommend reviewing the ICO's existing CCTV code of practice under the Data Protection Act.
Question 5 – What constitutes a cross-border transfer?
Data that can be accessed by a body outside the EU via any mechanism constitutes a cross-border transfer. In principle, the GDPR retains the cross-border transfer rules of the Data Protection Directive while improving on adequacy decisions and formalising Binding Corporate Rules (BCRs), among other changes. The principal change, however, is that the GDPR has shifted the focus onto whether the data relates to individuals in the EU rather than where the data is held. Hence wherever there is a chance of personal data being used beyond the jurisdiction of the EU and the recourse of its data subjects (e.g. downloaded outside the WAN, printed, or a photo taken of the screen), it is likely to constitute a cross-border transfer.
Security measures that prevent these activities, such as restricted permissions for non-EU staff, encryption, transfer limitations or pseudonymised data, may help here. In a recent survey by PwC, nearly two-thirds of US participants had plans to centralise their data centres in Europe, while more than half intended to de-identify data to reduce their exposure to the GDPR. More significantly, nearly a third planned to reduce their presence in Europe altogether.
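Questions 2 and 5 turn on the same point: data that identifies nobody on its own becomes personal data once it can be joined to another asset, so a pseudonymised export only reduces exposure if the recipient cannot rebuild the join. The Python script below is an added illustration, not code from the webinar or from SureCloud. The customer and order records are constructed, and the identifier range the recipient guesses is an assumption. It shows the join that re-identifies the data subject, why an unkeyed hash of a guessable identifier is not effective pseudonymisation, and how a keyed HMAC whose key stays in the EU blocks re-identification by the recipient.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example (not from the webinar or SureCloud).
# CUSTOMERS is the asset that stays in the EU; ORDERS is the asset a non-EU
# team wants to analyse. The order rows name nobody, but joined to CUSTOMERS
# on customer_id they identify each person.
CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Adams", "email": "alice@example.com"},
    {"customer_id": 1002, "name": "Bob Brown", "email": "bob@example.com"},
    {"customer_id": 1003, "name": "Carol Clark", "email": "carol@example.com"},
]
ORDERS = [
    {"customer_id": 1001, "order_total": 42.00, "country": "DE"},
    {"customer_id": 1002, "order_total": 17.50, "country": "FR"},
    {"customer_id": 1001, "order_total": 99.99, "country": "DE"},
]


def join_assets(orders, customers):
    """Question 2: collating two assets re-identifies the data subject."""
    by_id = {c["customer_id"]: c for c in customers}
    return [dict(o, name=by_id[o["customer_id"]]["name"]) for o in orders]


def _digest(value, key=None):
    """SHA-256 of the identifier; HMAC-SHA256 when a secret key is supplied."""
    data = str(value).encode()
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def pseudonymise(orders, key=None):
    """Replace the join key with a token before the asset leaves the EU.

    With key=None this is the common mistake: an unkeyed hash of a small,
    guessable identifier space. With a secret key it is HMAC-based
    pseudonymisation; the key is the 'additional information' of Article 4(5)
    and must be kept separately, inside the EU.
    """
    return [dict(o, customer_id=_digest(o["customer_id"], key)) for o in orders]


def reverse(export, candidate_ids, key=None):
    """What a recipient recovers by enumerating the identifier space.

    Returns the original customer_id for each exported row, or None when the
    token cannot be matched. Without the key, the candidate table does not
    match HMAC tokens, so re-identification fails.
    """
    table = {_digest(i, key): i for i in candidate_ids}
    return [table.get(o["customer_id"]) for o in export]


if __name__ == "__main__":
    candidates = range(1000, 2000)  # assumed: the recipient guesses the id range
    print(join_assets(ORDERS, CUSTOMERS)[0]["name"])   # Alice Adams
    print(reverse(pseudonymise(ORDERS), candidates))    # [1001, 1002, 1001]
    key = secrets.token_bytes(32)                       # kept in the EU only
    export = pseudonymise(ORDERS, key)
    print(reverse(export, candidates))                  # [None, None, None]
    print(reverse(export, candidates, key))             # [1001, 1002, 1001]
```

Two caveats worth stating. Under Recital 26, pseudonymised data remains personal data, because the controller holding the key can still attribute it to a person; the measure limits what the non-EU recipient can do, it does not take the export out of scope. The HMAC token is also deterministic, so the recipient can still link all of one customer's orders together, which is usually what the analysis needs but means that any other asset carrying the same token re-identifies it.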
Question 6 – Can you provide an example of how control would work and is there a definitive list of legitimate reasons for processing data?
Yes. Good examples of controls that organisations will need to implement are data protection policies, procedures and processes that prove data subjects have given consent. Article 6(1) contains the definitive list of lawful bases for processing: consent, performance of a contract, a legal obligation, the vital interests of a person, a task in the public interest, and the controller's legitimate interests. Bird & Bird provide a good assessment of the last of these, legitimate interests. In summary, Recitals 47 to 50 of the GDPR give several of the most common examples:
- Recital 47: processing for direct marketing purposes or preventing fraud; this legitimacy rests on the data subject's reasonable expectations of how the data will be used, given the time and context of the collection.
- Recital 48: transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data (note that the international transfer requirements will still apply; see the section on transfers of personal data).
- Recital 49: processing for the purposes of ensuring network and information security, including preventing unauthorised access to electronic communications networks and stopping damage to computer and electronic communication systems, to the extent strictly necessary and proportionate.
- Recital 50: reporting possible criminal acts or threats to public security to a competent authority.
Question 7 – Can the platform be used for a full DPIA once you've identified that one is needed?
Yes. One of the key processes in the GDPR Controls application allows organisations to undertake a DPIA for each data processing activity following a series of screening questions. The screening questions will also indicate when a DPIA is not required for a given processing activity. A DPIA may also be referenced by multiple processing activities where applicable, again saving time and effort.