By Stuart Buglass, VP Consulting
Don’t hold your breath, but it looks like the EU General Data Protection Regulation is finally on its way. We have been tracking the progress of the Data Protection Regulation (“the Regulation”) for a number of years due to its potential impact on international business.
The reason for the legislation’s delay is that it takes the form of an EU Regulation. An EU Regulation has direct legal effect, and all EU member states must comply with a Regulation once it has been enacted. This stands in contrast to the current EU Data Protection Directive, which only acts as a guide for EU member states. Knowing that there will be no wriggle room for local tailoring after the EU General Data Protection Regulation has been enacted, each member state has been sensitive to its provisions, which in turn has led to much discussion and slow progress towards compromise.
A tipping point was achieved earlier this year when a final draft was presented for tripartite approval by the European Parliament, the European Commission and the European Council. These three bodies are in the throes of creating the final legislation, and by all accounts the Data Protection Regulation is likely to become law early in 2016.
So after three years of waiting, the new Regulation and its requirements are not far away. And we must now wake up from the stupor brought on by the legislative process and refocus our attention on what the Regulation will actually require from us.
Timing
The first thing to emphasize is that despite the fact that the Regulation will likely become law in early 2016, its applicability and enforcement will be rolled out during the following two years. Initially, the Regulation will only apply to businesses with 250 or more employees that process 5,000 or more records of personal data per annum. The exact timetable for rolling out the Regulation has yet to be finalized.
Privacy by Design
The focus of the Regulation is on ensuring that data controllers consider data privacy during each step of the data-handling process. For example, at the point of collection, explicit consent from the data subject is required, and the subject must be provided with a simple means of withdrawing consent.
Right to be Forgotten
Data controllers will need to take active steps to ensure that data that is no longer required is erased.
Breach Notification
Most EU member states currently do not require a data
Penalties
The Regulation takes a tougher line on sanctions than the Directive; just how tough will depend on whether the final draft takes the view of the EU Parliament — which would like to see fines of up to €100 million or 5% of company revenue — or the EU Council, which would cap fines at €1 million or 2% of company revenue (whichever is higher).
One Stop Shop
Under the Regulation, data controllers will be able to register and report to one regulator within the EU (i.e., register and report to authorities in one particular member state). The current position requires a business to register in each member state in which it is established.
Extra Territorial Reach
The current EU Directive ensures that EU data privacy rules are confined to data controllers of any business assessed as being “established” in the EU. The Regulation, by contrast, applies to any business that processes data about EU residents in the course of offering goods and services, whether or not that business is established in the EU. The same rule will apply to any business that monitors the behavior of EU residents (including online behavior).
Data Processors
Currently the Directive only creates statutory duties (and liabilities) for data controllers (i.e., those who determine the purpose for which, and manner in which, data is processed). Third parties that process personal data under the direction of a data controller are considered mere “data processors” under the Directive and do not have statutory duties, which remain with the data controller. The Regulation will ensure that formal duties apply to data processors as well as to data controllers.
What You Need to Do Now
For existing data controllers in Europe, the need to comply with data protection laws is more pressing than ever.
While the pending Regulation is already widely known, there is no doubt that it will be launched with huge fanfare, which will further alert the residents of Europe to their data privacy rights. Data subjects will become increasingly familiar with what compliant data collection looks like, and any business that fails to communicate in similar terms will be conspicuous in its noncompliance. Additionally, given the principles of “privacy by design” and the “right to be forgotten,” it is inevitable that data subjects will increasingly interact with their data controllers beyond the point of initial collection to ensure that aged data is either corrected or destroyed. The challenge for data controllers will be to provide data subjects with assurance that adequate security measures are in operation.
Many data controllers have cited the “one stop shop” element of the Regulation as a big improvement on the current position, which requires local registrations in each EU member state. However, under the Regulation, local standards will still need to be upheld in each country of operation, regardless of the need to register. In our opinion, the new “one stop shop” rule only serves to transfer more responsibility onto the data controller. That is, the data controller will be responsible for ensuring that local internal systems are capable of reporting the primary country locations of any breaches and data-subject access requests. (It also remains to be seen whether local data privacy officers will be required in lieu of a registration.)
Given the above concerns, including the increased penalties for noncompliance, we strongly advise all EU data controllers to review the following three key areas of their existing data processing practices:
- Your process for collecting data from data subjects; you should ensure that your subjects are fully informed of how their data will be used and that you have evidence of their consent.
- Your process for handling data once it is received; you should ensure that you satisfy the security, access and management requirements of the existing Directive.
- Your process for transferring personal data to third parties and to those outside of the European Economic Area; you should ensure that you are not breaching related statutory requirements under the existing Directive.
It is important to note that all of the above are minimum requirements under the existing Directive. In order for data controllers to comply with the new Regulation, it is assumed by EU legislators that these practices are already in place. If they are not in place, then complying with the increased demands of the new Regulation will be an uphill task. We strongly recommend, therefore, that you achieve compliance with the current Directive. This will greatly increase your chances of meeting the new Regulation’s requirements when they take effect for your organization.