How does the regulation apply to member states in the EU?

Although some, including the UK government, believe reform would be better delivered as a directive, primarily to afford member states more flexibility and discretion in its implementation, the regulation would be directly binding on all member states immediately. The regulation will be self-executing and will not require any implementation measures, meaning there is no two-year implementation phase after the date on which it comes into force.
So what’s new?

1) Non-EU companies which offer goods/services to individuals in the EU and/or monitor their behaviour must comply with the regulation.
2) Companies cannot work on the basis of implied consent in certain circumstances. All consent must be explicit, for example by obtaining consent via opt-in tick boxes on websites.
3) The extent to which data controllers may collect and process data will be limited to the “minimum necessary” (rather than “not excessive”). This is a more robust data minimisation principle.
4) Individuals can request that the data controller erase all personal data relating to them (i.e. “the right to be forgotten”) and abstain from further dissemination of that data.
5) Data processors are now specifically included within the scope of the regulation, meaning data subjects have enhanced protection where their data is processed by a party other than the data controller.
6) Companies may be fined up to €1m or up to two per cent of global turnover for data protection breaches, a significant increase on the maximum fine the ICO can currently impose (£500,000).
7) One set of rules will apply across the EU, meaning businesses will not need to deal with member states’ varying rules.
Top tips for compliance

1) Conduct regular data protection audits and risk assessments.
2) Maintain and adhere to a remediation and security plan, with appropriate controls and training.
3) Ensure you have clear internal data protection policies. For privacy policies/notices, use plain English, use language appropriate to the audience, and make sure your company is transparent about the purpose of collecting data.
4) Enter into, and vary existing, written agreements with third parties to whom you pass personal data that you control, and ensure such agreements are compliant with the regulation.
5) Collect and process the minimum data necessary, and properly inform your users about what will happen to their personal data.
6) If applicable, identify yourself as a data controller, e.g. provide your email/website address.

Remember: failure to comply with the regulation comes at a price!
Next steps

The expected date of the introduction of the regulation is 2016/2017. Businesses therefore need to start considering, and preparing for, the impending changes to ensure they are data protection compliant on a practical level moving forward. A failure to do so can lead not only to significant fines, but also to damage to business reputation. The costs of implementing new procedures, and of reviewing those which already exist to ensure compliance, are relatively small compared with the enormous costs that may be incurred for non-compliance. Don’t be caught out by the regulation: start making the necessary changes prior to its introduction.

David McGuire is from the commercial team at Wright Hassall.