Applying GDPR to the legacy data environment and the processor engagement framework
June 14, 2017
How to handle the "legacy data" environment is one of the big challenges of the GDPR. For the purposes of this blog "legacy data" means personal data that are processed before and after the GDPR comes into force. The key question is whether the law requires a controller to apply GDPR standards to those data. This question materialises in many situations, such as in the controller-processor relationship governed by Article 28, explored below.
The legal analysis builds up as follows:
The starting point is first principles, which is definitions: does the idea of "processing" (the regulated activity for personal data) bridge the transition from the 1995 Directive to the GDPR insofar as legacy data are concerned? In my view, the law permits a clear construction due to how the idea of processing is defined. In Article 4(2) the definition of processing includes "storage" of personal data. Therefore, if a controller merely continues to store legacy data after the GDPR comes into force, that act of storage constitutes a continuing act of processing, hence the GDPR applies to those data.
Building upon this first principles analysis, what is the impact for Article 28? Plainly, Article 28 applies to legacy data, which means that due diligence will have to be re-performed and new contracts will have to be created if the pre-existing due diligence and contracts do not address the full requirements of Article 28.
This is where the law delivers operationally difficult results, because the focus of Article 28 is considerably broader than the focus of its predecessor in Article 17 of the 1995 Directive. The focus of Article 17 is essentially security and confidentiality. The focus of Article 28 is all the principles, all rights and all of the "compliance" mechanisms of the GDPR. Of course, some "visionary" controllers will have built processor engagement frameworks which deliver everything that Article 28 requires (there's an ROI case for "gold plating"!), but most will need to uplift their frameworks to bridge the legal gap for their legacy arrangements.
Another way to look at this is to consider the ICO's 12 step guide to the GDPR, which was recently relaunched. One of the areas highlighted for treatment is consent, with the guide explaining that controllers "should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard."
The idea of refreshing consents is the same as refreshing processor engagement frameworks.
Another way of looking at this is to look at the purposes of the GDPR. The purposes are to uplift data protections, to deliver greater legal harmonisation and to repeal the 1995 Directive. These purposes would be neutralised by a construction of the law that enabled the 1995 Directive and the GDPR to co-exist after May 2018. Legacy data has to be regulated by something and that can only be the GDPR.
Finally, look at the words at the very end of the GDPR, immediately before the date: "this Regulation shall be binding in its entirety". That means binding on legacy data.
Some large multi-nationals have many thousands of suppliers and the operational impacts of uplifting lots of processor contracts might feel oppressive. The choice, or feasibility, of taking a legal compliance route is a matter only for them, but regardless of where they land in their decision making, there are still valuable "risk mitigation" measures that can be deployed, even if the outcomes fall short of compliance. For example, sending out notices to suppliers about the need to deliver on the substantive requirements of Article 28 will deliver some risk mitigation benefits.
This takes me to risk mitigation in a general sense. If the GDPR stands for anything, then it stands for reducing the risk of privacy harms, and it would be a great shame if entities were to get lost in legal compliance cul-de-sacs and dead ends at the price of taking meaningful preventative steps to reduce these risks. With creative and lateral thinking, it should be possible to get to risk reduction fast in many situations, regardless of what legal compliance means. Entities often talk about taking a "risk based approach" but sometimes without a clear sense of what that actually means for them. We have found that a focus on real harm scenarios can help to deliver a risk based vision.
To find out more about how we can help address key data protection, privacy and optimisation challenges facing your organisation, please get in touch with one of our subject leaders.