Organisations inside and outside the European Union should start preparing for a range of additional duties that the EU’s new data protection regime will place on them.
This article was first published in the May 2016 international edition of Accounting and Business magazine.
Back in 1995 when the European Union issued its first data protection directive, perspectives on data were very different – and understandably so. Data was not yet ‘big’. Some 40 million people had access to the internet and they were mostly using it for email, as there were just 23,500 websites in existence. But there were signposts to the direction of travel.
1995 was the year that Amazon.com and the first online dating site, Match.com, opened for business. It was the year when cinematic techno-thrillers such as Hackers and The Net introduced the general public to nascent trends such as digital identity theft and telecommuting, and highlighted the dangers of making too much corporate and personal information available online.
Since then, there have been significant developments in information technology and the ways in which individuals and organisations communicate, share and use information and data. Meanwhile EU members have diverged in their implementations of the directive. So the EU has been working towards reform (see box) and a regulation that will not require national legislation to be implemented.
After four years of political negotiations and lobbying, the final text of the proposed general data protection regulation was agreed in December 2015. Formal adoption is expected in the coming months, and the regulation will apply from approximately two years later, establishing a modern and harmonised data protection framework across the EU.
Same but different
‘Businesses have time to prepare, but there is much work to do,’ says Ross McKean, partner and head of data protection at law firm Olswang. When the new regulation comes into force it will significantly change EU data protection law, strengthening individuals’ rights, increasing compliance obligations and expanding both territorial scope and regulator enforcement powers.
Some approaches to data protection and core concepts will, however, remain unchanged. For example, personal data, data controllers and data processors are defined in a similar way in both the existing directive and the new regulation. But there will also be new approaches and concepts, such as ‘pseudonymised data’ (personal data that cannot be attributed to an identified or identifiable person).
Business will face extra burdens because individuals will have the right to:
- be forgotten – and request that businesses delete their personal data in certain circumstances
- easier access to their personal data – and be informed in a clear and understandable way how their data is processed
- data portability – and request the transfer of their personal data (in a commonly used format) between service providers
- object to profiling – and give their consent before businesses can engage in a broad range of profiling activities such as online tracking and behavioural advertising
- know when their data has been hacked – organisations must notify the supervisory authority of serious breaches as soon as possible.
Other proposed changes likely to affect business include:
- Increased fines and enforcement powers. Fines can be 4% of annual global revenue or €20m, whichever is greater. Supervisory/enforcement powers across the EU will be coordinated.
- Expanded territorial scope. Many non-EU businesses not currently required to comply with the existing directive will be required to comply with the new regulation.
- Rules for obtaining valid consent. Consent must be freely given, specific, informed and unambiguous, and organisations will have to demonstrate it has been given.
- Risk-based approach to compliance. The new rules will not take a one-size-fits-all approach, but will be tailored to reflect high and low data protection risks.
- Exemptions for small and medium-sized enterprises. SMEs will be exempt from some obligations. They will be able to charge a fee when requests for data are excessive or unfounded.
- One-stop shop. Businesses will have a single ‘lead’ supervisory authority to deal with even if they operate in multiple EU member states.
- Data protection by design and default. Businesses will have to build data protection safeguards into products and services from the earliest stages of development.
- Rules to support innovation. Privacy-friendly techniques such as pseudonymisation will be encouraged to reap the benefits of big data innovation while protecting privacy.
- New processor obligations. Data processors will have direct compliance obligations, with fines for non-compliance. Also, third-party contracts must contain detailed data protection provisions.
- Strict data breach notification rules. Businesses must notify the supervisory authority of data breaches within 72 hours. They must also notify affected individuals without delay if there is potential for serious harm.
Some of these changes (and others in the regulation) will have a positive impact on business, some will be negative and some will be neutral. Either way, the transition will not be easy. Organisations need to assess the regulation’s impact across every division and department, review their policies, procedures and technologies for compliance, and then make the necessary adjustments and updates.
Window of opportunity
There will be a two-year period for organisations to update their data protection compliance programmes and change any affected business processes and IT infrastructure to meet the new requirements of the regulation. Even so, as McKean observes: ‘In that time, organisations will need to completely transform the way they collect and use personal information.’
On the upside, the regulation aims to be technology-agnostic, more future-proof and more proportionate than the current EU rules – and change is overdue. Around 3.4 billion people now have internet access, there are over a billion websites, and there are myriad wirelessly connected devices and objects with embedded sensors, from cars to smart meters. The big data universe is exploding around us.
‘Citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation in a European digital single market,’ says Vera Jourová, commissioner for justice, consumers and gender equality. ‘These new pan-European rules are good for citizens and good for businesses.’
Lesley Meall, journalist