To move towards greater compliance with the GDPR, associations should pay close attention to the following aspects, Benjamin Docquir writes.
Mapping the data flows and the entities responsible for them
One of the cornerstones of the GDPR is that organisations, including associations, must be able to identify what categories of personal data they process and who may decide upon the usage of such personal data. The entity identified as the “data controller” is accountable for the processing of the personal data vis-à-vis the individuals concerned (e.g. the employees or the individual members of an association) and must be ready to answer requests from the regulatory authorities.
Where an association is active on a global scale or across several countries, including outside the EU, the GDPR may nevertheless be entirely applicable. The data controller must therefore ascertain whether and to what extent the GDPR applies to its activities and, where necessary, appoint a representative in the European Union.
Not only must the data controller have a comprehensive view of the data flows and data processing operations, it must also determine and implement appropriate policies and measures to ensure that the provisions of the GDPR are fully respected. Such measures will generally include drafting a comprehensive data protection policy, which will disclose in plain language the policies and practices of the association with respect to the processing of personal data.
Implementing the rights of employees and members (individuals)
Generally speaking, associations are likely to process the personal data of (i) their employees and internal resources and (ii) their individual members. The GDPR gives the so-called “data subjects” (i.e. the people whose data are processed) a number of rights in order to reinforce the degree of transparency and control over their personal data.
As a result, associations must be prepared to inform employees and members in a comprehensive manner, through the data protection policy or by giving them notice of a specific document, and make sure that they are provided with information such as the categories of data processed, the purposes of processing, the legitimate aims pursued by the association, the storage duration of each category of data, the recipients or categories of recipients of data, etc.
Managing relationships and contracts with data processors
The data controller may entrust an external entity, called the data processor, with a number of tasks on its behalf. In such situations, associations must carefully select the external provider, but also make sure that there is a written agreement in place that takes full account of all the obligatory mentions under the GDPR. The first and foremost of such mentions is that the data processor must process the personal data only upon the documented instructions of the data controller.
Again, associations must therefore have a clear picture of what categories of data they are making available or transmitting to their data processors, so as to be able to keep control of such data. Other topics that must be addressed in the written agreement with the data processors are the security requirements, the notification of data breaches, the obligation to take part in audits, the duty to assist the association when dealing with a request from a member or an employee, etc.
Creating and maintaining a register of data processing operations
Associations must set up – and keep updated – a register describing the data processing operations. This register may be held in English. It must be made available on request to the regulators and contain a description of the categories of data processed, of the purposes of the processing, of the recipients or categories of recipients of data (i.e. who has access to the data), of the existence (if any) of transfers of data outside the European Union (or the EEA), etc.
Implementing security measures and data breach notification procedures
Associations must determine and implement appropriate security measures and policies to address the potential risks for rights and freedoms of individuals whose data are processed. Those measures may include encryption, pseudonymisation, access control and access management, training of employees, etc.
Whenever a security incident occurs that may create an additional risk for individuals, the associations (as data controllers) must notify the breach to the data protection authority, with a description of the data that was leaked or compromised, of the potential impact of the breach and of the measures taken to remedy that impact, to address the flaws and errors that were identified and to mitigate the risks. In some circumstances, the data controller must also notify the individuals themselves about the breach.
International data transfers
Last but not least, associations must ensure that the rules on the transfer of personal data outside the EEA (EU + Liechtenstein, Norway and Iceland) are respected. Such transfers occur whenever a database is centralized in a third country (like the US for instance), or when personal data may be accessed from that third country.
Also, when associations appoint a service provider or a cloud computing services provider, the data may end up being hosted or stored outside the EEA. That should not happen without the association being aware of it, because the GDPR only allows such transfers under specific circumstances or subject to specific conditions. These conditions may involve the third country being regarded as “safe” or as providing an adequate level of protection, or the conclusion of specific agreements related to the data transfer, to ensure that the entity importing the data in the third country will abide by a minimum of fundamental principles of data protection.
The full version of this article can be read in the November issue of Boardroom. Benjamin Docquir is Partner at Osborne Clarke, a law firm working across key industry sectors offering agile, insightful solutions, ground-breaking legal planning and a passion for bringing about meaningful, positive change. More information on www.osborneclarke.com.