The formal publication of the proposed EU-wide Data Protection Regulation is causing wide concern among boardroom members who fear potential fines of up to 2% of their global turnover. Legislators have delayed the progress of the proposed regulation until after the May 2014 European elections.
So, what can business owners do to prepare for proposed EU data protection regulation? E RADAR sets out the options...
The European Union's proposed Data Protection Regulation would update the current data protection regime across all member states. This regime was introduced back in 1995 and implemented in the United Kingdom by the Data Protection Act 1998. Legislators feel that the law needs updating because of the rapid changes in technology and the growth of social media, which are threatening the individual's right to privacy. The proposed EU-wide Regulation aims to harmonise privacy rules and enforcement across the EU, and once adopted, would be directly applicable in all Member States without the need for national legislation. It could become law in the UK as early as 2015.
But E RADAR takes a look at some of the governance challenges organisations now face in light of the new regime and asks the inevitable question...
How much will it cost UK business?
The answer to questions on the cost of regulation is always caught up in arguments around administrative burdens or red tape. European Commissioner Viviane Reding claimed Europe's red tape was excessive. "In Europe we have too many rules, conflicting rules," she said. "The extra cost to business of this fragmentation is 2.3 billion euros ($3 billion) a year."
That's around £2 billion!
Among the key features of the bill is the new right for web users to force companies to delete all data held about them, or for them to easily be able to take their data elsewhere, for instance by moving from Facebook to LinkedIn.
Prepare for the proposed EU data protection regulation
So, what will the immediate impacts of the new regulation be upon your business? Here are our top 10 concerns...
1. Non-EU businesses will need to select an EU member state
All companies with EU customers will need to appoint an EU Data Protection representative. Non-EU businesses will look to balance the attractiveness of the enforcement approach in that state with other commercial factors, for example the number of customers they have in that state.
2. Systems and process design
Any architecture for a new IT system will need to take into account the Regulation's changes such as allowing consumer data to be permanently deleted and should ensure that all processing operations involving personal data are adequately documented.
The proposals also include:
- data minimisation (Article 5(c));
- the right to object to profiling (Article 20);
- privacy by design and default (Article 23);
- privacy impact assessments and even prior regulatory authorisation for higher risk processing (Articles 33 and 34);
- the right to be forgotten and erasure (Article 17);
- the right to data portability in a commonly used electronic format (Article 18);
- a duty to evaluate and take measures to mitigate security risks (Article 30).
Existing DP principles will also need to be reflected, for example, purpose limitation.
3. Outsourcing agreements
Long-term outsourcing contracts under discussion today that involve data processing will need to acknowledge that their data protection obligations will change once the new regulation becomes law.
4. Appointment of data protection officer
Organisations (data controllers and processors) with more than 250 permanent employees will be required to appoint a Data Protection Officer. Organisations currently without one will need to budget for a dedicated employee or an outsourced service. Staff training will also be required as well as possible changes to job specifications.
5. Risk assessment and compliance formalities
New obligations would require thorough – and ongoing – review, assessment and documentation of the main systems and processes where personal data sits within the organisation. These include:
- maintaining a paper trail of "all processing operations under its responsibility" with mandatory information (Article 28), and making these available on request to the supervisory authority;
- data security evaluation and measures (Article 30);
- data protection impact assessments for higher risk processing, including profiling, health care information and CCTV/ surveillance (Article 33);
- verifying the effectiveness of general DP compliance – by external auditors if proportionate (Article 22(3)).
6. Security breach response and notification procedure
Introduction of a general notification requirement, tight deadline and strong sanctions for breach makes it essential for organisations to have a security breach team and robust procedures in place as soon as possible. This is already good practice – and good commercial sense from a crisis management perspective.
7. Formal transparency documentation
Businesses must have in place "transparent and easily accessible policies" on processing of personal data and the exercise of data subjects' rights (Article 11(1)) and, in particular, more extensive transparency information to be provided at the point of data capture (Article 14).
8. Consent
The definition of consent is amplified to "freely given specific, informed and explicit… either by a statement or by a clear affirmative action" (Article 4(8)).
9. Collecting data from children
In the online context, consent for the collection and processing of data relating to under 13s would only be valid when "given or authorised by the child's parent or custodian". A controller must make "reasonable efforts to obtain verifiable consent taking into consideration available technology" (Article 8(1)).
10. Subject access, rectification and erasure
Existing rules would be extended with more extensive subject access disclosure requirements, the wider scope of "personal data" and greater sanctions for non-compliance or late compliance (Articles 11-12 and 15).
There are also stronger rules on rectification and erasure.
Make sure that budgets and planned financial forecasts for 2014-2016 include provision for compliance with the new law, including the appointment of data protection officers where they are required by law.
As regards online business systems and processes (particularly in e-commerce), methods for obtaining consent for personal data use may need to be changed, and steps will need to be taken to facilitate both portability and permanent deletion of data. In some cases, it may be better to wait until there is greater certainty before proceeding with major new systems-related commitments; where this is not practical, try to ensure that systems have some flexibility to meet changing conditions and make provision for possible additional implementation costs.