EU Data Protection Regulation: Key Elements & Progress Update
If your business operates in the European market, you probably already understand that the European Union places greater emphasis on privacy and the safeguarding of personal data than the United States does. All EU member states are bound by Directive 95/46/EC, better known as the Data Protection Directive (DPD). Adopted in 1995 and transposed into each member state's national law, the directive sets strict rules for the handling and processing of personal data within the EU. No comparable, all-encompassing data privacy law exists in the United States, where privacy is regulated sector by sector.
In the years since, technological developments such as cloud computing and the explosive growth of social media have rendered many parts of the DPD ineffective or obsolete. In January 2012 the European Commission published a proposal for a new regulation intended to replace the DPD and meet the more complex data privacy challenges of the 21st century. Known as the EU Data Protection Regulation (formally the General Data Protection Regulation), this set of updated rules is designed as a complete overhaul of the original directive rather than an amendment to it. Because it is a regulation rather than a directive, it would apply directly in every member state without national transposition.
Background
The 1995 Data Protection Directive regulates the manner in which personal data pertaining to EU citizens is processed, used, or exchanged. The directive consists of seven basic principles:
- EU citizens must be given appropriate notice whenever their personal data is being collected
- Data must only be collected for the specific stated purpose
- Personal data cannot be disclosed to or shared with third parties without the individual’s consent
- Appropriate measures must be taken to ensure the security of the collected data
- Full disclosure regarding the parties collecting the data must be provided to the citizen
- Individuals must be given free and full access to their personal data and be permitted to correct inaccuracies
- Citizens have the right to hold data collectors accountable in regard to their adherence to these principles
Proposed changes
After more than two years of debate, the European Parliament voted in March 2014 to approve an amended version of the EU Data Protection Regulation. The text must still be agreed with the Council of Ministers, so details may change, but some of the more notable provisions of the proposed law are:
- Expanded scope: Organizations based outside the EU must comply when they process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour. By contrast, the DPD applies mainly to organizations established in the EU (or using equipment located in the EU).
- One law: Instead of each of the 28 EU member states having its own data protection statute implementing the directive, there will be a single regulation that applies directly and uniformly across the entire EU.
- One authority: Under the proposed "one-stop shop", a company operating in several member states would deal primarily with the supervisory authority of the country where it has its main establishment, instead of a separate regulator in each nation.
- Equal enforcement: The same set of rules and enforcement measures will apply to all companies, whether they are based inside or outside the EU.
- Appointment of a DPO: Under the Commission's 2012 text, companies with more than 250 employees must appoint a designated Data Protection Officer to oversee and ensure compliance with the regulation. The threshold remained under negotiation; the version approved by Parliament replaced the head-count test with one based on the number of data subjects whose data the company processes, so expect the final criterion to differ.
- Right to be forgotten: The new law would give EU citizens greater control over their personal data. The so-called "right to be forgotten" (renamed the "right to erasure" in the Parliament's text) entitles individuals to have their data deleted if the company has no legitimate grounds for processing it or no longer needs to retain it. The right is not absolute: data may be kept where retention is required, for example to comply with a legal obligation or to protect freedom of expression.
The Data Protection Regulation could be formally adopted by early 2015, once Parliament and the Council agree on a final text, and would become fully applicable after a two-year transition period.
Ensuring compliance with the EU Data Protection Regulation
Should the proposed regulation become law, strict compliance will be essential. Violators can face substantial penalties for non-compliance, not only when a data breach occurs: the Commission's text proposed fines of up to 2% of a company's annual worldwide turnover, and the Parliament's version raised the ceiling to 5% or EUR 100 million, whichever is greater. The proposal also introduces a duty to notify the supervisory authority of personal data breaches. Although the new regulation is not yet the law of the land, the prudent course is to begin preparing your company for compliance now. A few steps to consider include:
- Conduct a PIA: A Privacy Impact Assessment (the proposal calls it a data protection impact assessment) is a thorough analysis of how an organization collects, uses, shares, and retains personal data, and of the risks that processing poses to the individuals concerned. Combine the PIA with a detailed risk assessment of personal data use across your company.
- Allocate budget resources: Ensuring adequate compliance with the Data Protection Regulation is likely to require a financial commitment. During future budget planning, set aside funds for computer system redesigns, reviewing legacy data, and a data discovery exercise to establish where personal data actually resides.
- Review your existing consent procedures: If your organization already collects personal data, review and update your consent procedures so that you clearly tell customers the specific purposes for which you collect their data. The proposal requires consent to be explicit and freely given, and places the burden of proving that consent was obtained on the company.
- Designate a DPO: While there is no immediate need to appoint a Data Protection Officer, it is a good idea to begin considering candidates for the position. Even if your company does not do business in Europe, having a designated individual oversee the data privacy aspects of your operation is a sound practice.
In short, identifying and closing compliance gaps between the current and proposed legislation now will leave you prepared and, as a side benefit, improve your current data handling procedures.
To learn more about the issue of data privacy compliance in the EU, please review the informative Lighthouse Services whitepaper “Launching a Whistleblower Hotline Across Europe.”