Data Protection

Some Practical Insights

On 16 May 2022, PwC’s Data Protection & Technology team organised a panel discussion which saw the Information and Data Protection Commissioner and members from the PwC team discuss a number of aspects pertaining to the lifecycle of personal data from a practical and pragmatic view point.

The key takeaway points from this discussion were:

The Principle of Transparency

The GDPR provides an exhaustive list of the information that controllers must provide to data subjects when personal data is collected. Indeed, Articles 13 and 14 of the GDPR make clear that the controller must take positive action to ensure that sufficient information is provided to the data subject. On this point, the ‘Guidelines on transparency under Regulation 2016/679’, adopted by the Article 29 Working Party and subsequently endorsed by the European Data Protection Board, recommend that entities adopt a layered approach when providing the required information to data subjects.

In practice, controllers typically put in place a privacy policy or data protection notice setting out the requirements of the GDPR. Of course, drafting a privacy policy or data protection notice should not be a ‘one-time’ event; but rather, controllers should ensure that the information provided is updated and shared with data subjects accordingly.


Adopting Security Measures

Personal data should be afforded sufficient protection and therefore controllers and processors must adopt adequate security measures, particularly in view of the increased risk brought about by the continued development of technology. The crucial need for adequate security measures has been especially evident during the pandemic and, more recently, the war in Eastern Europe. Entities must assess the cyber risks which may affect their information technology systems and, ultimately, the financial position of their businesses.

How can risks be mitigated?

In assessing the measures to be adopted, a risk-based approach must be undertaken, taking into account the specific practices of the organisation’s operations and the specific personal data being processed. That being said, the security measures must cater for all sorts of situations so as to ensure that the entity is sufficiently protected in the event of an incident. From an organisational perspective, there are various measures controllers may implement to minimise the risks, such as having in place:

  • a risk assessment highlighting the vulnerabilities and threats;

  • data classification;

  • an information security policy;

  • an incident management or response playbook;

  • regular employee awareness training. 


Similarly, from a technical standpoint, controllers should seek to determine the appropriate security measures required to secure the personal data, such as:

  • Implementing access controls;

  • Encryption, anonymisation and pseudonymisation;

  • Security assessments, including vulnerability assessments and penetration testing, supported with an effective patch management process.

International Data Transfers

When personal data is transferred to a third (non-EU) country, certain additional requirements may be necessary in terms of the GDPR, unless an adequacy decision has been issued in favour of the said third country.

In this context, following the Schrems II judgment, the Privacy Shield was declared not to be a valid mechanism to transfer personal data from the EU to the USA. As a result of this decision, a new version of Standard Contractual Clauses (SCCs) was issued by the European Commission on 4 June 2021. Consequently, as from 27 September 2021 it was no longer possible to conclude contracts incorporating the earlier sets of SCCs. Accordingly, by 27 December 2022 data exporters and/or data importers must ensure that any existing SCCs are amended to reflect the newly implemented SCCs.


Some of the salient changes brought about by the new version of the SCCs include the following:

  • The new SCCs incorporate the provisions of Article 28 of the GDPR. This means that controllers/processors do not need to enter into a separate data processing agreement if they are harnessing the new SCCs;

  • The possibility to avail of a docking clause within the SCCs;

  • The requirement that the jurisdiction selected for the purposes of Clause 17 (the governing law clause) allows for third party beneficiary rights. This requirement may pose a few issues from a Maltese perspective, since for the most part Maltese law does not cater for such third party beneficiary rights. Nevertheless, from the discussion it transpired that considerable progress has been made in this regard, and a legal notice has already been prepared which provides that third party beneficiary rights may be allowed solely and exclusively for the purposes of Article 46 of the GDPR.

Personal Data Breaches

Personal data breaches may arise from serious security incidents and consequently lead to the accidental or unlawful loss of, or unauthorised access to, personal data.

When a personal data breach is suspected, the point of departure is to carry out a risk assessment in order to determine whether there are risks to the rights and freedoms of data subjects and, consequently, whether the breach is notifiable. In carrying out such an assessment, reference may be made to the EDPB guidelines on this topic (Guidelines on personal data breach notification under Regulation 2016/679), which, through examples, shed light on how breaches should be handled in practice.


Data Retention


Data retention goes hand in hand with the principle of storage limitation. Determining the retention period should be treated as a process, the first step of which is to have a register of processing activities in place and to identify the categories of data, since different data categories may require different retention time frames.

Indeed, the GDPR provides that personal data should not be kept for a period which is longer than necessary - but how should ‘necessary’ be interpreted? The answer is twofold - there may be legal obligations to which the controller is subject which aid in establishing the retention period. However, where the law is silent it is possibly up to the controller to determine, in terms of business requirements, for how long to keep the data. Retaining data just in case one might require it at a future date is not a justifiable approach.
