I know we are a few months out, but we spotted this information refernece European Data Protection Reform that is really interesting:
Summary of the Changes
The following key areas of the reform will impact on privacy and data protection compliance for organisations:
- A Single Set of Rules: The Proposed Regulation provides for a single set of rules for all organisations processing personal data in the European Union. It will replace the first Data Protection Directive (published in 1995), which will be repealed. This Proposed Regulation will have direct effect in all Member States and, as a result, will achieve greater harmonisation than if the reform was made by a revised Directive, which carries with it a risk of inconsistent implementation by Member States, as witnessed with the implementation of the Data Protection Directive. In addition to the Proposed Regulation, there will be a new Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.
- Fines: National data protection authorities will be allowed to impose fines of up to 2% of the worldwide gross revenue of an organisation. The 2011 proposal had set this amount at 5% of worldwide gross revenue.
- “One-Stop Shop”: The Proposed Regulation implements a “one-stop shop” approach to data protection compliance in the European Union, meaning that an organisation only needs to comply with the data protection laws in place in the jurisdiction in which it has its main establishment. This is similar to the passporting system and principle of home state supervision, which is already reflected in European financial services regulation. In addition, the Proposed Regulation will have extra-territorial effect. This means it will apply to organisations (such as many U.S. businesses) that are not established in the European Union, but are active in the European Union market and offer their services to European Union citizens.
- Data Breach Notification: The Proposed Regulation imposes a general requirement on all businesses to notify data protection authorities and data subjects in the event of a data breach. Notice of data breaches must be provided to the data protection authority “where feasible” within 24 hours, and to affected data subjects “without undue delay.” While breach notification has recently become a requirement for telecommunications and internet service providers, the Proposed Regulation extends this requirement to all organisations. Given the increase in global cyber risks and the reputational impact and associated costs of data losses and breaches, this aspect of the reform is likely to have a significant impact on organisations.
- Consent: Where consent is to be used as a justification for processing personal data, the Proposed Regulation requires that it must be given explicitly, rather than assumed. This will cause particular concern for e-commerce organisations worried about how to obtain consent without detrimentally affecting the user experience.
- Data Portability: The Proposed Regulation also introduces a new individual right of data portability, which is designed to facilitate an individual’s access to personal data. This requires organisations to permit customers to move their data to new organisations offering similar products or services. This is also intended to improve competition among services. While this may sound relatively straightforward, in practice the costs of migrating data from one system to another can vary significantly, and may be particularly burdensome for cloud providers and social networks.
- The “Right to be Forgotten”: The Proposed Regulation also adds a new “right to be forgotten” which allows an individual to require an organisation to delete personal data where there is no longer any legitimate reason for keeping it. This new right is more stringent in nature to the existing obligation for data controllers not to keep data for longer than is necessary.
- International Transfer of Data: The Proposed Regulation provides for a shift in the rules to reflect the way that data is currently transferred internationally. They seek to address the problem that current data protection laws function only within a given territory, usually defined along national borders, and do not reflect the reality of international business. In particular, organisations making use of the cloud will be collecting data in one territory and subsequently processing it in numerous other territories. The Proposed Regulation will simplify the requirements for organisations seeking to do this. In addition, it also aims to improve the current system of “binding corporate rules” to make compliance less burdensome – “binding corporate rules” are typically a set of intra-corporate global privacy policies that satisfy the European Union standard of adequacy when organisations are seeking to transfer the data outside of the EEA. The Proposed Regulation would require all data protection authorities to recognise “binding corporate rules” approved by an individual data protection authority.
- Data protection by design and by default: The Proposed Regulation requires data controllers to only collect and retain personal data to the minimum extent necessary in relation to the purposes for which they are intended by design to be processed. This will be particularly controversial for organisations seeking to undertake data analytics of their mass repositories of data.
- Accountability and Data Protection Officers: The Proposed Regulation seeks to increase the accountability of data controllers and data processors, including by requiring that they carry out data protection impact assessments prior to risky data processing activities. In addition, organisations with over 250 full time employees will be required to have a Data Protection Officer.
- NHS Trust fined £90,000 for serious data breach (invudocumentmanagement.wordpress.com)
- The true cost of a data breach (viewfromthebunker.com)
- Are You Prepared for the EU’s New Data Protection Regulation? (pcworld.com)