I wrote a piece about 10 years ago about how data protection was climbing to the top of the business agenda. I was wrong. It's now. That view was certainly reinforced by having attended an excellent seminar organised by the Society for Computers & Law yesterday.
The Commission's Proposal for a General Data Protection Regulation will replace the 1995 Data Protection Directive. It contains some major changes which make data protection a major compliance issue and could even impact on how businesses which process large amounts of personal data are organised.
Here is a flavour of some of the proposed changes:
- Data Processors (e.g. 'cloud' service providers who process data for their customers) will now be regulated globally. Currently, it is only 'Data Controllers' who have to comply with European data protection requirements.
- For international data transfers (i.e. outside the EU), contractual provisions rather than consents will be the primary route, although 'Safe Harbor' for the US and exports to other countries deemed by the EU to have adequate safeguards for the processing of personal data will still apply.
- Companies with 250+ employees must appoint a Data Protection Officer - a job for life!
- The 'right to be forgotten', which to some extent already exists under current law, could lead to major challenges for social media and platforms hosting information (e.g. photographs) posted by third parties.
- The obligations on data controllers and data processors to maintain internal documentation and to audit and verify their personal data handling procedures are substantial. In effect, the Regulator is outsourcing compliance to companies.
- Rather like the world of regulated financial services, there will be a legal obligation to notify security breaches to the Data Protection Authority.
- Fines will be serious - e.g. potentially up to 1m euros or 2% of global turnover for a security breach or unauthorised international transfer.
And that's for starters. There is some good news as well in the Proposal, including a 'one stop shop' for legal compliance for companies which have data processing activities in several member states. There is also some clarification of the definition of a 'Data Controller' and of the rules governing non-EU data processors who are caught by the EU regime.
The timeframe for introducing the Regulation is not yet definite. I have heard two years. We'll see and, of course, the devil was in the detail.
But one thing is clear: this needs to be on your business agenda now.
Have a good week,