What’s more, the world has become increasingly interconnected, the nature of data exchanges has become more globalised and the legislative approach across EU member states is widely acknowledged as being disjointed.
In response to these changes, and the consequent focus on the importance of protecting personal data, the European Commission has published proposals for the reform and harmonisation of EU data protection law. The regulation, a supposedly single comprehensive legal framework governing data protection, is expected to overhaul and replace existing data protection legislation.
The regulation’s objectives remain the same; protecting individuals with regard to the processing of personal data and enabling the free movement of personal data between member states via secure means. However, the effect of the new regulation will bring significant change to how businesses deal with personal data in practice.
Guidance suggests that the regulation will swing data protection law in favour of the individual, to ensure their personal data is adequately protected. Any individual data captured by a business will most likely be considered “personal data” and such businesses will therefore need to comply with the regulation. With the introduction of the regulation expected over the next year or two, now is the time to consider what steps must be taken to proactively address data protection risks.
How does the regulation apply to member states in the EU?
Although some, including the UK government, believe reform would be better delivered as a directive, primarily to afford member states some more flexibility and discretion in its implementation, the regulation would be directly binding on all member states immediately. The regulation will be self-executing and will not require any implementation measures, meaning there is no two year implementation phase after the date on which it comes into force.
Read more about data protection:
- Top tips to help protect brands online
- Joint venture forged to incubate small cyber firms securing Internet of Things and big data
- BYOD is good for business, but don’t forget security and standardisation
So what’s new?
1) Non-EU companies which offer goods/services to individuals in the EU and/or monitor their behaviour must comply with the regulation.
2) Companies cannot work on the basis of implied consent in certain circumstances. All consent must be explicit, for example by obtaining consent via opt-in tick boxes on websites.
3) The extent to which data controllers must collect and process data will be limited to the “minimum necessary” (rather than “not excessive”). This is a more robust data minimisation principle.
4) Individuals can request that the data controller erase all personal data relating to them (i.e. “the right to be forgotten”) and to abstain from further dissemination of that data.
5) Data processors are now specifically included within the scope of the regulation, meaning data subjects have enhanced protection where their data is processed by a party other than the data controller.
6) Companies may be fined up to €1m or up to two per cent of global turnover for data protection breaches, a significant increase on the maximum fine the ICO can currently impose (£500,000).
7) One set of rules will apply across the EU, meaning businesses will not need to deal with member states’ varying rules.
Top tips for compliance
1) Conduct regular data protection audits and risk assessments.
2) Maintain and adhere to a remediation and security plan and appropriate controls and training.
3) Ensure you have clear internal data protection policies.
For privacy policies/notices, use plain English, use language appropriate to the audience, and make sure your company is transparent about the purpose of collecting data.
Enter into, and vary existing, written agreements with third parties to whom you pass personal data that you control and ensure such agreements are compliant with the regulation. Also, collect and process the minimum data necessary, and properly inform your users about what will happen to their personal data. And if applicable, identify yourself as a data controller, e.g. provide your email/website address.
Remember: Failure to comply with the regulation comes at a price!
The expected date of the introduction of the regulation is 2016/2017. Businesses therefore need to start considering, and preparing for, the impending changes to ensure it is data protection compliant on a practical level moving forward. A failure to do so can lead not only to significant fines, but also damage to business reputation. Implementing new procedures and reviewing those which already exist to ensure compliance are, compared with the enormous costs that may be incurred for non-compliance, relatively small. Don’t be caught out by the Regulation, start making the necessary changes prior to its introduction.
David McGuire is from the commercial team at Wright Hassall.