Your word against mine
The reversal of the burden of proof is probably “the biggest revolution brought about by the GDPR,” asserts Sybille Boese-Tarsia. Under the previous legislation, the user had to prove that the company had infringed the law. Now, the company has to prove that it has done everything possible to protect the personal data it is using. Everything, starting with an impact assessment for organisations using new technologies. Other companies must sign a declaration stating that they comply with the requirements of the GDPR.
One for all and all for one!
And there is no point in pointing the finger at the subcontractors in charge of processing the data. If your company decides why and how the personal data should be processed, you are also responsible for its processing in the eyes of the law. Your company is therefore jointly liable with the subcontractor in charge of processing the data. In Germany, company directors can even be personally prosecuted.
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
Article 35 of the GDPR
When sanctions start to fall…
Instead of the previous maximum of €300,000, fines can now reach €10 million or even €20 million, or 2-4% of annual turnover, depending on the infraction. If this change isn’t yet fully visible, apart from the €50 million demanded from Google by the CNIL, this is partly because most players have chosen to cooperate with the authorities. They have been reactive when breaches are discovered, and even proactive in reporting anomalies themselves. But, “the Commission has never hidden its objective of dissuading companies. Stricter application of the text won’t be long in coming,” warns Sybille Boese-Tarsia.
Turning contracts upside down
Now, the person in charge of processing the data has 72 hours to notify the competent authority (in France, the CNIL) of any personal data breach. This requires a robust IT system and also the implementation of carefully planned emergency procedures inside and outside the company. As cloud computing continues to develop, leading to the outsourcing of personal data protection, contracts have had to be reviewed from top to bottom. Don’t hesitate to re-read the ones you’ve already signed.
About Sybille Boese-Tarsia
Currently a lawyer registered at the Bar of Berlin, Sybille Boese-Tarsia began her legal career in private practice in Berlin and Brussels, before joining various practices run by Belgian, English and Italian lawyers. For more than 20 years, she worked within the legal departments of European, Asian and American companies.
In parallel, Sybille Boese-Tarsia has published numerous articles, taken part in international conferences and organised legal training relating to anti-trust laws and data protection. She is also certified as an IT and Freedoms correspondent (CIL) and Data Privacy Officer (DPO) for the European Union.