It is nearly three years since the European commission unveiled its ambitious plans to overhaul the data protection regime in Europe in the form of the draft General Data Protection Regulation. As we approach the end of 2014, we have a new European parliament, a new commission and a new council presidency, so some might say that missed adoption targets were inevitable. However, the proposed reform reached a significant milestone in March 2014 when the European parliament approved an amended text.
There is still quite a way to go, but shapes are starting to form in the shifting sands, some of which are quite alarming for business. The bar for compliance will be much higher under the new regime and the sanctions for not complying far greater, with fines of up to 5% of global annual turnover proposed.
The direction of travel of the regulation, the current focus of the media and regulators on data compliance and the scale of the compliance challenge ahead means that organisations need to start transforming data compliance today to be ready for the new regime and to avoid costly fines and damage to hard earned trust and reputations.
But what should organisations focus on, and what does compliance look like? In the absence of a crystal ball, here is a view of the top issues under the draft regulation, how the proposals differ from current data protection laws and what the practical compliance challenges are for business.
1) Fines and enforcement
With fines of up to 5% of global annual turnover proposed, the new regime will put data protection on a par with anti-trust and anti-bribery sanctions. “Taking a view” on compliance is about to become prohibitively expensive. There is a great deal for organisations to do between now and 2017.
2) Territorial reach
The new regime will greatly extend the reach of the EU legislation to Silicon Valley and beyond. Non-EU controllers will also need to appoint representatives in the EU.
3) Scope of personal data
The definition of personal data is set to broaden under the regulation, bringing much more data into the regulated perimeter. Changes are proposed to keep pace with the online environment and rapid technological change.
4) Justifications for processing
The conditions that organisations need to meet to keep collection and use of data on the right side of the law will be even tighter than they are now. Member states might be allowed to pass national legislation to fine-tune justifications in specific sectors such as employment, health and journalism.
5) Data protection officers
There has been much debate as to whether organisations should be required to appoint a data protection officer (DPO) and incur significant cost, or if the current voluntary approach should continue.
6) Security and breach notification
The introduction of data breach notification looks certain, although important questions remain about how serious a breach needs to be in order to be reported and how quickly it needs to be reported. The broad requirement for “appropriate” security will be extended to apply to processors as well as controllers, although it is unclear how prescriptive the detail of the final regulation will be.
7) Processors and supply chain
Exposure to data-related liabilities – for both customers and suppliers – will increase. With the regulation potentially taking effect in 2017, new deals being negotiated now need to be future-proofed. Parties will need to document their data responsibilities even more clearly and the increased risk levels will impact negotiations on security standards, risk allocation and pricing.
8) Profiling
The scope of the concept of profiling remains subject to further debate. The outcome of these discussions will be critical for advertisers, insurers, employers and other sectors which rely on the ability to profile individuals.
9) Data portability
The introduction of a right to data portability now looks more likely than not in some shape or form. However, there is much discussion around how to make it workable in practice, and whether it sits more comfortably in competition and/or intellectual property law rather than data protection. Some argue the concept has little to do with data protection at all and will lead to disproportionate compliance cost in markets which do not suffer from customer “lock-in”.
10) Right to be forgotten
Data subjects’ rights to erasure of information (formerly known as the right to be forgotten) will form a central part of the new GDPR under Article 17. However, these rights will not be absolute; for example, data controllers will be required to perform a balancing act against any competing rights to freedom of expression when considering removal requests. Other exceptions, allowing for continued storage of data, are proposed.
11) International transfers
While the new regime builds on the current framework with respect to the general principle for international transfers, the rules have been extended to apply to processors and to onward transfers of personal data to third countries or international organisations.
12) Privacy by design
Controllers must implement appropriate technical and organisational measures and procedures to ensure that processing safeguards the rights of the data subject. By default, only the minimum personal data necessary for each specific purpose may be processed, and it must not be disclosed more widely than necessary.
Ross McKean is the head of data protection at Olswang
This advertisement feature is provided by Olswang, sponsors of the Guardian Media Network’s Changing business hub