This article appears in the October issue of our International Corporate Structures Newsletter.
GDPR stands for “General Data Protection Regulation”, a new regulation of the European Union which takes effect on 25 May 2018. It has been described by the Financial Times as “[the] most sweeping overhaul of regulations on personal information for two decades.”
The GDPR is significant for finance and tax professionals in two respects. Firstly, the new levels of fines involved are economically significant, raising the issue of how the associated risks should be allocated between group entities. Secondly, intra-group contractual provisions between data controllers, data processors and subcontractors need to be integrated with the treatment of intercompany agreements for transfer pricing purposes.
Which organisations are caught by the GDPR?
The GDPR applies to ‘data controllers’ and ‘data processors’. A ‘data controller’ determines the purposes and means of the processing of personal data. A ‘data processor’ processes personal data on behalf of a data controller. As personal data includes almost any information of a personal nature, most companies will be data processors and/or data controllers.
Controversially, the GDPR does not just apply to data controllers and data processors within the EU. It also catches data controllers and processors outside the EU whose activities relate to the offering of goods or services (even if for free) to EU data subjects (individuals), or monitoring the behaviour of such individuals. A spokesperson for the American Bankers Association has been quoted as saying “From an architectural perspective, I think companies are going to assume everyone they’re dealing with is a European Union citizen.”
What obligations does the GDPR impose?
The GDPR contains stringent new conditions on data controllers to obtain valid consent from data subjects. These include conditions that:
- the controller must be able to demonstrate that the individual has consented to the processing; and
- the individual must have the right to withdraw consent at any time and it must be as easy to withdraw consent as to give it.
Data controllers must ensure that the processing of personal data complies with the GDPR. In addition, the GDPR introduces new standards of accountability, including obligations to:
- keep certain records;
- notify most data breaches to the relevant national data protection authority within 72 hours of becoming aware of them and, in some cases, to the data subjects affected “without undue delay”;
- conduct a data protection impact assessment for certain types of data processing; and
- in some cases, designate a ‘Data Protection Officer’ as part of their accountability programme.
What sanctions are there for breach?
The GDPR allows for fines of up to the higher of 4% of annual worldwide turnover and EUR 20 million.
What impact does this have on multinational enterprises?
Multinational groups must review the basis on which they collect and use personal data, including their privacy notices and related policies. They will need to put in place procedures to ensure they can react quickly to data breaches, and establish an overall accountability framework. The handling of cross-border transfers of data to countries outside the EEA remains a key issue, and the increased level of fines makes it even more important to do this correctly, even when the transfer is intra-group. This involves imposing appropriate contractual safeguards, either through intercompany agreements or so-called ‘Binding Corporate Rules’. Intercompany agreements relating to intra-group transfers of personal data form part of our suite of intercompany agreements that we offer clients at LCN Legal, including in our popular Toolkit for Intercompany Agreements for Multinational Enterprises.