Top 10 Operational Responses to the GDPR - Part 10: Communicating with supervisory authorities

In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the European Union’s General Data Protection Regulation. Now, with the May 25, 2018, GDPR implementation deadline looming, the IAPP is releasing a companion series discussing the common practical organizational responses that our members report they are undertaking in anticipation of GDPR implementation.

This final installment in the 10-part series addresses why and how privacy professionals should establish communication channels with supervisory authorities, also known as data protection authorities (in parlance, DPAs). As the GDPR imposes obligations for breach notification, DPA collaboration, documentation and DPA consultation, privacy professionals anticipate having more frequent communication and interaction with DPAs once the GDPR is in force. This piece aims to tackle issues around establishing and strengthening a relationship with a supervisory authority. The previous installments of the series can be found here.

Identifying the appropriate DPA 

Knowing which DPA is the “lead” supervisory authority is the first step in establishing healthy lines of communication with that DPA. For data processors or controllers that carry out cross-border processing of personal data, or processing that “substantially affects or is likely to substantially affect data subjects in more than one Member State,” this is a critical task. The lead supervisory authority has the “primary responsibility for dealing with the cross-border data processing activity” and, additionally, engages in investigations that may involve other relevant supervisory authorities.

For organizations with a main establishment in the European Union, the DPA in that country will act as the lead supervisory authority. Identifying the country of main establishment requires determining the “central administration” of the organization in the EU, which is the place “where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented.” Recital 36 states that the main establishment of a controller in the Union “should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements.”

For organizations active in various member states, determining the main establishment may be more challenging. The Article 29 Working Party’s guidelines on the lead supervisory authority may assist. Notably, the data controller’s designation of its main establishment can be challenged by the concerned supervisory authority. 

For organizations that do not have an establishment in the EU, however, there may be no single lead supervisory authority, and they must anticipate interacting with several. As the Working Party explains, “controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.”

EU Representative

Data controllers not established in the Union must appoint an EU representative, someone “nearby” who is “available to both the local DPA and data subjects,” and who “speaks their language and understands their customs and expectations.” This representative is tasked with both passing messages to the data controllers and communicating back to data subjects and DPAs based on the instructions of the controller. 

A sticking point for law and consulting firms rushing to serve in the representative role is the potential liability they may face. Article 27(4) provides that the representative “shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities or data subjects, on all issues relating to processing, for the purposes of ensuring compliance with this Regulation.” The Article further notes that “the designation of such representative does not affect the responsibility and liability of the controller or the processor under this Regulation.” Nonetheless, Recital 80 explicitly states: “The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.”

Because companies may be subject to up to €20,000,000 in fines (or up to 4 percent of global revenues) for wrongdoing, the risks for prospective representatives is formidable. Consequently, finding a representative is shaping up as a challenge for controllers established outside the EU. 

What to communicate to the DPA and when

Before creating a system for communicating with the DPA, privacy professionals should become aware of their legal obligations regarding what to communicate and when to do so. For example, the GDPR requires data controllers to document data processing activities, notify DPAs about personal data breaches and consult with them prior to undertaking certain processing operations.

• Making data processing records available

Article 30 anticipates that data processing record keeping will include cooperating with DPAs, and requires controllers, processors, and their representatives to make these records available to DPAs upon request.Although this replaces the obligation to “notify” (or file”) records with DPAs under the EU Data Protection Directive, organizations should anticipate cooperating with DPAs during investigations of complaints and should therefore prepare data processing records with an assumption that they will not be confidential. The task of cooperating with the DPA will likely fall to the data protection officer or privacy lead, bringing in the EU representative as appropriate. 

• Notifying the DPA about a personal data breach

Under the GDPR, data controllers have to notify the competent DPA about a data breach “without undue delay and, where feasible, not later than 72 hours after having become aware” of the breach, unless it “is unlikely to result in a risk to the rights and freedoms of natural person.” Data controllers who fail to comply with the 72-hour notification period must provide reasons for the delay.

As discussed in the eighth installment in this series, the content of the data breach notification should include at least the following information:

• Information about the breach (containing a description of its nature, approximate number and types of individuals affected by it, and the types of information compromised).
• Information about the organization (the name and contact information for the Data Protection Officer or another person who can provide necessary information).
• Information about the likely consequences of the breach.
• An explanation of measures to mitigate the potential adverse effects (taken or planned ones).

Data controllers must therefore document personal data breaches when they occur, including information about “the facts relating to the personal data breach, its effects and the remedial action taken” to “enable the supervisory authority to verify compliance” with the GDPR. Documenting a data breach or potential data breach is particularly important because, as the Article 29 Working Party suggests, even if no notification is initially required, “this may change over time and the risk would have to be re-evaluated.” Moreover, the Working Party clarifies that “[t]here is no penalty for reporting an incident that ultimately transpires not to be breach.”

• Consulting with a DPA following a DPIA

Depending on the results of their data protection impact assessments (DPIAs), data controllers may also need to communicate with their DPA. If a DPIA suggests that the data processing would bring “a high risk in the absence of measures taken by the controller to mitigate the risk,” then the data controller should consult the DPA prior to undertaking the data processing.

During the consultation, the data controller should provide following information to the DPA:

• The “respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings.”
• “The purposes and means of the intended processing.”
• “The measures and safeguards provided to protect the rights and freedoms of data subjects.”
• The DPO’s contact information and any further information requested by the DPA.
• Evidence that the DPIA was carried out in accordance with the GDPR.

Data controllers should also make sure to check whether their member state laws require consultation with the relevant DPA for data processing activities related to performing a task “in the public interest, including processing in relation to social protection and public health.” 

• Communicating results of verification and changes to BCRs

The GDPR explicitly recognizes binding corporate rules (more commonly referred to as "BCRs") as appropriate mechanism for data transfers, and sets forth the details regarding their use. At a minimum, BCRs must include mechanisms “for ensuring the verification of compliance” with them, such as “data protection audits and methods for ensuring corrective action.” 

Importantly, the results of these verification procedures “should be available upon request to the competent supervisory authority.” Thus, data controllers should devise a plan for communicating the results of the verification of compliance to their DPA. In their BCRs, data controllers must also specify “the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority.” A mechanism must also be in place to communicate to the DPA “any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules.”

As the Article 29 Working Party guidelines on BCRs state, “Any substantial changes to the BCRs or to the list of BCR members shall be reported once a year to the competent Supervisory Authority with a brief explanation of the reasons justifying the update.” Modifications that may affect the BCRs or the level of protection they offer must also be “promptly communicated” to the relevant DPA.

• Certification

Under the GDPR, controllers that are certified by a data protection certification body must, where applicable, be able to provide, “the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.” Certification mechanisms, including data protection seals and marks, are potential tools for demonstrating GDPR compliance “at-a-glance” including for transferring data to controllers in jurisdictions that do not have “adequacy” designations. Although many organizations eagerly await the development of accredited certification bodies, they are currently engaged in a waiting game for both A29 Working Party guidance as well as entrepreneurial programs to seize the role. 

How to communicate with a DPA

Many privacy professionals have already established working relations with their DPAs, especially if they have notified them of data processing or worked with them on approving BCRs. Regarding communication mode, some privacy professionals may choose to communicate with their DPA through email, or even with DPA employees over the phone anonymously or without revealing a client’s identity.

Attending events where DPAs often gather – such as an IAPP conference or the ICDPPC annual conference – is another way to meet a member state DPA and create a relationship. For indeed, relationships matter. In the absence of clear rules and guidance on how many of the GDPR’s provisions should be interpreted, building strong relationships with DPAs is becoming increasingly important. Communicating with DPAs is not only an issue of GDPR compliance, but it is also one of the factors affecting decisions about administrative fines in individual cases. Organizations that lack their own channels of communication with DPAs should engage outside counsel who have established and maintained mutually respectful relationships with their member state DPA.

Conclusion 

There may be no silver bullet to creating and establishing communication channels with a DPA. Communication may be done on an ad-hoc basis, through occasional meetings at conferences, or through more intensive working relationships, as dictated by the provisions of the GDPR. The stricter rules of the GDPR indicate that formal interaction and communication mechanisms are expected. Finding ways to effectively communicate will not only guide organizations in their business operations, but it will also encourage consistent and transparent data protection.