Following three years of negotiations, the text of the new pan-European data privacy regulation has finally been agreed upon. The new law will come into force in early 2018, and companies should use the next year to put their houses in order.
The main burden for companies is likely to be administrative as there are significant record-keeping requirements under the new law. For example, companies with over 250 employees require a data inventory, and significantly more data processing situations will require the ‘free and informed’ consent of an individual before their data can be processed. Keeping an audit trail of that consent to demonstrate evidence of compliance and consent represents yet another challenge for the time-pressed business.
For companies that breach EU data protection regulations, the regulators will have the right to levy fines of up to 4% of global annual turnover, well in excess of the 2% that had originally been suggested. These new fines represent a significant change in the compliance landscape and, for the first time, ‘privacy’ is likely to become an urgent item on Board agendas.
Responsibility for the protection of data will fall to the company or individual that processes it, and this includes third parties. The ramifications of this are huge: anyone who touches or has access to the data, wherever they are based, is responsible in the case of a data breach. Controllers will be required to inform and remind users of their rights, and to document the fact that they have done so. Instead of users being given the option to opt out, they will now have to opt in. You need to be aware of the lawful bases for using user data and ensure you are compliant with them.
Key points of regulations
Here is a quick overview of the key points in the new Regulations:
- Right of portability.
- Right to be forgotten – new erasure rights.
- Privacy by design.
- All organisations to have a data protection officer if they have a large scale customer database or are processing sensitive data on a large scale.
- Privacy impact assessments with a limited exception for SMEs unless considered high risk.
- Notify security breaches to the DPA without undue delay and within a maximum of 72 hours.
Keeping data safe and private will be of paramount importance, both when it is stored and when it is communicated electronically. Emails will need to be encrypted, as the regulation allows users to claim damages in the event of data loss or unlawful processing. This could prove costly to businesses, both financially and in terms of reputational damage.
A personal data breach is considered to be any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The definition of personal data includes “any information relating to a data subject” and therefore has implications for any business acting on behalf of clients that has cause to email information relating to a client, since that information could potentially fall into the wrong hands. Even the loss or unauthorised modification of an email address or a phone number would constitute a personal data breach.
How to prepare for data regulations
The first steps to prepare for the incoming Data Regulations include:
- Protect against data security breaches with rigorous procedures that ensure emails cannot be sent to the wrong recipient.
- Use encrypted email for communication of personal data – a document portal provides the highest levels of security.
- Put in place clear policies for a timely response to any data breach and notify in time where required.
- Ensure procedures meet the standards laid down in the new regulations to demonstrate compliance.
- Check that you have legitimate grounds for the retention of personal data.
- When transferring data internationally, ensure that there is a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation.
The UK Information Commissioner has already suggested that some large organisations may need to budget up to £5 million for initial compliance reforms, as ‘token steps to comply will not be sufficient’. With the risk of such high fines for non-compliance, businesses cannot afford to leave these essential changes too late. They will need to adopt entirely new behaviours in the way they collect and use personal information, and the planning needs to start now.
Processes and procedures will need to be reviewed to ensure that businesses are not vulnerable, and systems will need to be put in place to ensure that all data is kept confidential. Privacy is the key word here, and businesses should prepare and budget for a new, stricter and more complex era of data protection in Europe, with more requirements and more stringent provisions.