Some initial notes on current version of the #GDPR
The General Data Protection Regulation draft has passed the trilogue negotiations and will likely be voted on by the European Parlament in January. This means that it will become applicable across the EU by February 2018.
Who is affected in the B2B space?
Much has been written in the press regarding the effects on consumers and the big international Internet services such as Google and Facebook. Also, it was originally planned to mandate the appointment of data privacy officers for all organisations above a certain size, which was so far only required in certain countries. However, it was apparently realised that there is not enough skilled talent in Europe to fill all these positions, so this requirement was softened to include only certain organisations who monitor data subjects in a large scale and processing of special data categories.
Now, I want to take a look at the points more relevant in a B2B context, i.e. subcontracting data processing to suppliers or providing such services to other organisations subject to the GDPR rules.
One common misunderstanding in this context: There has to be no data transfer to the supplier at all. You come into scope of these regulations, if you grant a third party access to the PII, for which you are accountable. This is the case especially also, if the data resides in your systems and the suppliers work in your systems. It is not even necessary that the supplier is specifically tasked to work on the PII, access is the imperative word here (e.g. think about IT suppliers maintaining your laptops).
What is the impact?
The GDPR draft brings the standards of responsibility for Data Controllers and Data Processors to a generally higher level more in line with the requirements for Auftragsdatenverarbeitung added to the German Data Privacy regulations in 2009.
One of the core additions, for example, lies in the requirement for the Controller to demonstrate a process to regularly assess the proper implementation of technical-organisational measures at the Processor.
However, in the last version there is also the addition that organisations can adhere to so-called Code of Conducts to be published in the future or to be certified against the GDPR requirements.
Now, when subcontracting, the GDPR allows Data Controllers to rely on such Code of Conduct accreditations or certifications for their regular assessment of appropriate technical-organisational controls.
Ways out of the Safe Harbor mess
With the recent European Court of Justice decision to invalidate the EU-US Safe Harbor agreement, this has become very relevant to also organisations outside of the EU, if they provide services to EU B2B customers.
If these EU companies would have done their job right, they would have already listened for a couple years to the concerns about Safe Harbor and tried to get contracts with their non EU-suppliers including EU commission model clauses. This was a tough sell on many of the US-based cloud and SaaS providers before, as they were insisting on the applicability of their Safe Harbor certification (Microsoft being a notable exception).
So, what is new in the GDPR for this situation? The above mentioned codes of conduct and certifications specifically also allow for non-EU companies to demonstrate the adequacy of their technical-organisational controls and get their EU-based B2B-customers out of the legal bind, which they have been in so far. Et Voila!