By: Indriana Pramesti, S.H.
Associate in Energy at Rahayu and Partners in Association with HFW
In the wake of the enactment of the European Union (EU) General Data Protection Regulation (GDPR), the protection of natural persons in relation to their personal data is reaffirmed as a fundamental human right. As such, GDPR seeks to provide a stronger regulatory framework to protect personal data at each stage of data collection, transmission and processing. Hailed as the de facto global standard for data protection governance, GDPR’s extra-territorial reach forces companies inside and outside the EU that process the personal data of subjects in the EU to comply with its standard. This is the closest we have to a worldwide convergence of data protection frameworks, and the principles contained therein have set a benchmark for the development of data protection legislation around the world. Given the prominence of GDPR, this article briefly outlines the obligations set out by the regulation and offers initial steps to help bring your company in line with the regime.
Disclaimer: This piece aims to give an overview of and general guidance on the GDPR. It is not and should not be considered legal advice or a substitute for it. Any questions you have on aspects of GDPR specific to your business should be addressed to an expert qualified to give advice on the matter. In no event will the Author or her affiliations be liable to you or anyone else for any decision made or action taken in reliance on the information in this writing or for any consequential damages.
Introduction
GDPR has been in effect since 25 May 2018, replacing the Data Protection Directive of 1995. GDPR requires data controllers and processors to process data in a lawful, fair and transparent manner. The key feature of GDPR is the increase in territorial scope to cover the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, if the activities relate to either offering goods or services to EU citizens or monitoring behaviour that takes place within the EU. The term ‘personal data’ encompasses any information relating to an identified or identifiable natural person.
To ensure that the standard is maintained by institutions outside the EU, GDPR restricts the export of data to third countries unless several conditions are met. First, the data subject must have given consent to the processing of his or her personal data for stated, specific purposes. Second, the transfer of data to a third country is allowed only on the condition that the third country provides an adequate level of protection. So far, the countries recognized as providing an adequate level of protection are Andorra, Argentina, Canada (only commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the USA (if the recipient belongs to the Privacy Shield).[ii] Data transfer to these countries is expressly permitted. Alternatively, the controller must commit to providing sufficient protection of personal data through Binding Corporate Rules (BCR) or Standard Contractual Clauses (SCC) for each business deal.
Pursuant to Article 83 paragraph 6, non-compliance with the GDPR shall be subject to administrative fines of up to 10,000,000 EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Who is affected by GDPR?
GDPR concerns the processing of personal data by data controllers and processors. The controller is the party who determines the purposes and means of the processing of personal data, and the processor is the party who processes the data on the controller’s behalf. Personal data is broadly defined under Article 4 of GDPR as any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Meanwhile, according to Articles 2 and 3 of GDPR, the processing of personal data includes any operation or set of operations performed on personal data or on sets of personal data. This includes activities such as collecting, recording, organizing, using and erasing data. In short, virtually any activity involving personal data can be considered ‘processing’.
GDPR applies to (i) processors and controllers established in the EU, regardless of where the data is processed, and (ii) processors and controllers outside the EU that offer goods and services to data subjects in the EU or monitor their behaviour. As such, it will affect any company processing the personal data of data subjects in the EU, whether or not it offers goods/services to data subjects in the EU.
Obligations of data processor and controller
GDPR lists six principles governing the processing of personal data. Personal data must be:
- processed lawfully, fairly and transparently;
- collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- adequate, relevant and not excessive in relation to the purposes for which they are collected;
- accurate and, where necessary, kept up to date;
- kept in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data were collected;
- processed in a manner that ensures appropriate security of the personal data.
In relation to the above principles, data subjects are granted several rights, including the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object to processing, and rights in relation to automated decision making and profiling.
The obligation to obtain consent, stipulated under Article 6 par. 1 of GDPR, underpins the enforcement and maintenance of those rights. GDPR requires that consent be freely given, informed, specific, explicit and unambiguous. This means the data subject gives consent voluntarily, without pressure that might affect the decision. For consent to be informed and specific, the data subject must be notified, at a minimum, of the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing. The data subject must also be informed of his or her right to withdraw consent at any time and of how to file a complaint. Consent must be given for specific purposes that are clearly communicated to data subjects, especially if the purpose involves the use of special categories of personal data such as sexual orientation, ethnicity or race, and medical history. Finally, consent must be unambiguous, meaning that it must come in the form of a statement or a clear affirmative act.
Certain processors and controllers must also adhere to several other obligations. First, controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale must appoint a Data Protection Officer (DPO). The DPO’s main tasks are to advise on and monitor the company’s compliance with GDPR, to assist the company in conducting a Data Protection Impact Assessment (DPIA), and to cooperate with the supervisory authority and act as its contact point (Art. 39 (1)). Second, a data breach that might result in a high risk to the rights and freedoms of natural persons should be communicated to the data subject without undue delay (Art. 33). Third, where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the processor and controller must conduct a DPIA (Art. 35). Such an assessment is required in particular where the evaluation of personal aspects produces legal effects for natural persons, where processing involves data relating to criminal convictions and offences, and where publicly accessible areas are monitored on a large scale.
Preparation and corrective action in the event of breach
GDPR provided a two-year ‘grace period’, from 24 May 2016 to 25 May 2018, for entities falling under the scope of GDPR to prepare for compliance. However, many organizations are still unaware of or have yet to fully comply with the regulation. Tech Radar reported that three-quarters of UK organizations failed to address personal data requests. In Indonesia, the figure is less clear, mainly because Indonesian companies that are subject to the regulation are more difficult to identify.
Considering GDPR’s strategic position in the flow of goods and services to the EU market, compounded by the potential eight-digit administrative fine for non-compliance, it is important that your company determines whether or not it is subject to GDPR and, if it is, what steps it should take to ensure compliance.
We will not describe the procedure for GDPR compliance in detail. Rather, this part outlines the key steps towards GDPR compliance:
a. Self-assessment
The purpose of this step is to identify whether GDPR applies to your company and the current state of your compliance. An audit that maps your data subjects, the data you collect and the purposes for which it is used is necessary. The following questions should be considered:
- Is data processing the core of your business and, consequently, should the company appoint a DPO or conduct a privacy impact assessment?
- How long is the data retention period?
- Is information disclosed to data subjects about the collection and use of their data?
- Is the data provided by data subjects based on consent that is documented?
- Are there mechanisms to prevent data breaches, e.g. encryption?
- Are there mechanisms to withdraw consent and to update, amend and remove data at the data subject’s request?
- Are there officers in charge of overseeing the collection, storage, use, transfer and security of data?
The result of this audit will be the starting point for identifying your obligations under GDPR and the course of action necessary to improve your compliance.
b. Investing in adequate workforce
Given the onerous requirements under GDPR and the complexity involved in maintaining compliance, it may be necessary to build a team to execute the compliance plan. The team should at least include: (i) human resources officers, if the personal data relates to workforce management; (ii) an information technology expert, who will maintain the system and the security of data processing; (iii) a legal advisor, who will advise on the lawfulness of data collection and processing and the adequacy of legal documents (i.e. consents and notices), and identify other obligations under GDPR. This team should also be responsible for assisting the DPO in performing his/her duties, if a DPO is appointed.
c. Designation of DPO
A company must appoint a DPO if its core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or of personal data relating to criminal convictions. Please note that ‘core activities’ in this context refers to the key operations necessary to achieve the controller’s or processor’s goals. The definition includes activities in which the processing of data forms an inextricable part of the controller’s or processor’s activity. If an education provider cannot deliver its services without processing the educational background of its students or prospective students, the processing of that data should be considered a ‘core activity’.
A DPO can be positioned internally within the organization or appointed from a third-party contractor. In the latter case, a single DPO may serve several organizations as long as he/she is easily accessible from each establishment (Art. 37 (2)).
d. DPIA
A DPIA is conducted with the advice of the DPO and should include (Art. 35 (1)): (i) a description of the processing and its purposes; (ii) an assessment of the necessity and proportionality of the processing operations; (iii) an assessment of the risks to the rights of data subjects; and (iv) a risk mitigation plan.
e. Preparing documentations
The compliance team, or the DPO with assistance from the compliance team, should prepare the relevant documentation, including but not limited to: (i) a notification to data subjects containing the information required under Art. 13 and 14; (ii) a consent form for the collection and processing of data in accordance with Art. 7.
The transfer of data from the EU to outside the EU may only take place if the recipient also complies with the GDPR. Indonesia has yet to be recognized by the European Commission as having an adequate level of protection. Therefore, the transfer of data is allowed only if there is a safeguard ensuring the Indonesian company’s compliance with the rules, such as standard contractual clauses (SCC) or binding corporate rules (BCR) (typically used within multinational companies).
When preparing and executing the relevant documentation, the controller and processor must also take into account the relevant laws and regulations in Indonesia, in particular on the valid form and substance of consent and the evidentiary force of consent.
f. Preparing a standard operating procedure
The controller and processor must enforce standard operating procedures that address, among other things, the management of consent, the amendment and erasure of data, the handling of complaints, and safeguards or security measures. GDPR requires quick remedial action in the event of a data breach, so having a procedure for dealing with data breaches, including investigation and reporting procedures, is critical.
REFERENCES
- The General Data Protection Regulation, adopted by the European Parliament and Council in April 2016.
- Intersoft Consulting, “GDPR – Third Countries,” https://gdpr-info.eu/issues/third-countries/ (accessed 18 June 2019).
- Intersoft Consulting, “GDPR – Consent,” https://gdpr-info.eu/issues/consent/ (accessed 17 June 2019).
- Anthony Spadafora, “Majority of companies still aren’t GDPR-compliant,” https://www.techradar.com/news/majority-of-companies-still-arent-gdpr-compliant (accessed 17 June 2019).
- Philip Gordon, “Ten steps: What U.S. multinational employers must do to prepare for the impending GDPR,” https://iapp.org/news/a/ten-steps-what-u-s-multinational-employers-must-do-to-prepare-for-the-impending-gdpr/ (accessed 18 June 2019).
- Article 29 Data Protection Working Party, “Guidelines on Data Protection Officers (‘DPOs’),” 16/EN WP 243 rev.01, adopted on 13 December 2016 as last revised and adopted on 5 April 2017, https://iapp.org/media/pdf/resource_center/WP29-2017-04-DPO-Guidance.pdf (accessed 18 June 2019).