Data privacy regularly hits the headlines these days, and the incoming EU General Data Protection Regulation (GDPR), the most significant overhaul of EU data protection law in recent years, will ensure that this remains the case.
Despite the significant changes being introduced and the fact that the GDPR is set to become law in May 2018, a recent report suggests that few businesses have actually begun to take action to comply with the new law.
The fact is that all organizations operating in the EU or otherwise targeting EU customers will be caught by the new laws.
So what does the GDPR actually look like and what does it mean for the aviation and maintenance industries?
Who has to comply?
The GDPR applies directly to “controllers” and “processors.” In summary, this means that those currently subject to EU data protection laws will also be subject to the GDPR, and that processors (not directly subject under the existing regime) will have direct liability for the first time.
Importantly, the aviation and maintenance industries should not see Brexit as a “get out of jail free” card. While it is unclear what a post-EU United Kingdom will look like, it is generally accepted that after the U.K. leaves the EU, U.K. laws will nevertheless track the GDPR (e.g. via some form of implementing legislation or a new U.K. law that effectively mirrors the GDPR). In other words, those purely U.K. companies, or those outside the U.K. and targeting U.K. consumers only, should not ignore these changes and should still look to comply.
What does the new law say?
The GDPR will replace current EU Data Protection Directive 95/46/EC. As a regulation, and unlike the old law, the new rules will be directly applicable in all EU member states. Key changes include:
- Accountability--crucially, those caught will be required to demonstrate compliance, e.g., by (i) maintaining certain documents; (ii) carrying out Privacy Impact Assessments; and (iii) implementing Privacy by Design and Default (in all activities), which requires a fair amount of upfront work.
- Breach notification--new rules requiring breach reporting within 72 hours (subject to conditions) are introduced, so existing processes (or the lack of them) will need to be revisited to accommodate these rules.
- Consent--new rules are also introduced relating to the collection of data, e.g., consent must be “explicit” for certain categories. Existing consents may therefore no longer be valid, and consents obtained should be purged going forward.
- Data protection officers (DPOs)--in many circumstances, those caught by the GDPR also will need to appoint DPOs, and so thought will need to be given as to whether this applies and, if so, who that person or persons might be.
- Enhanced rights for individuals--new rights are introduced around (i) subject access; (ii) objecting to processing; (iii) data portability; and (iv) objecting to profiling, amongst others.
- International transfers--Binding Corporate Rules for controllers and processors as a means of legitimizing transfers are expressly recognized for the first time and so should be considered as a transfer mechanism.
- Privacy policies--fair processing notices now need to be more detailed, e.g., new information needs to be given about the enhanced rights for individuals. Policies will therefore need updating.
How do businesses prepare?
With the risk of heavy fines under the GDPR, not to mention the reputational damage and potential loss of consumer and supply chain confidence caused by non-compliance, nothing should be left to chance. Companies need to ensure that they have robust policies, procedures and processes in place and, as first steps, should consider prioritizing the following as a minimum:
- Review privacy notices and policies--ensure these are GDPR compliant. Do they provide for the new rights individuals have?
- Prepare/update the data security breach plan--to ensure new rules can be met if needed.
- Audit your consents--are you lawfully processing data? Will you be permitted to continue processing data under the GDPR?
- Set up an accountability framework--e.g., monitor processes, procedures, train staff.
- Appoint a DPO where required.
- Consider if you have new obligations as a processor--is your contractual documentation adequate? Review contracts and consider what changes will be required.
- Audit your international transfers--do you have a lawful basis to transfer data?
The reality is that May 2018 is about a year away and companies within the aviation and maintenance industries need, more than ever, to be thinking about what they can do to demonstrate compliance.
Rafi Azim-Khan is head of data privacy, Europe, at Pillsbury Law, and Steven Farmer is Counsel at Pillsbury Law.