In the first half of this year the European Parliament will enact the EU general data protection regulation. The new law will change the current understanding of the importance of the protection of privacy in business activities, particularly in the financial, telecommunications and technology sectors. It will also allow the regulator to impose extremely high fines, while at the same time opening up new opportunities for business.
According to public commentary, the process of enacting this regulation involved one of the biggest lobbying actions in the history of the European Union. On its website the European Parliament says that 3999 amendments to the text of the regulation had been proposed in early 2015. Aside from who lobbied and for what changes, this fact by itself shows the significance of the new law for business – not only European, but perhaps above all American. This is due to a simple reason – under some conditions, the regulation will be directly applicable to all entities that offer goods or services to EU citizens (or, alternatively, monitor their behaviour on a large scale). In other words, in view of the course the legislative process has taken, we can conclude that the European privacy protection regulation may have a direct and significant impact on business conducted in the US, Canada or India. Is this good news for EU businesses? I guess so, since their competitors across the ocean will have to process European customers’ data on the same terms, which until now was not at all obvious. Another issue is the mechanism for enforcement of this new law, and the extent to which it will be effective. We will probably not have to wait long to see how the EU regulators put it into practice.
Without a doubt, the new regulation will change the attitude of EU and international business to the protection of customers’ and employees’ privacy. By replacing the national laws of the European Union countries, the regulation will force us to reflect more deeply on companies’ data protection policies at the highest levels of organisation. The first signs of this can be seen by observing the positions of those responsible for data protection in the structure of European companies – most commonly they report directly to the CEO or have the title of “Vice President” on their business cards. Businesses recognise the importance of data – including personal data – and how it can affect their position on the market. The EU legislator also recognises this, and directly indicates how to process data, for example, for customer profiling (where as a rule the consent of each customer will be required) and how to build a policy of transparency in data processing.
Currently, the protection of personal data in EU law is decidedly analogue, unsuited to the surrounding reality, not only business, but also social. This unfavourable situation will change as soon as the new regulation comes into force and answers – or at least tries to answer – a series of questions that are already digital. How can the new law help business? It may give a hint on how to profile individuals (in particular customers) without violating their privacy, or how to create personal data processing software (e.g. CRM/ERP) in accordance with the highest standards of data protection, or how to make a proper assessment when choosing entities to professionally process data, including providers of cloud computing services.
Despite the fact that the period to adjust to the new law is relatively long – the EU legislator gives businesses two years to adapt their activities – due to the nature of the changes businesses have no time to lose. It is necessary to intensely analyse the new regulatory environment now – especially if we suspect that our company has to catch up in this respect – and assess the expenditures required to comply with the new rules. But an analysis on its own is not enough. Compliance with the new rules will require a series of complex operations in which all units of a company must be properly involved, in particular, those responsible for IT, sales and marketing, i.e. departments that are crucial for most businesses. You may need to re-evaluate data security guarantees offered by service providers, even those which concern – at first glance – trivial issues, for example in connection with the use of employment agencies, calculation and payment of wages, or storage of backup data. More complicated cases, such as the use of cloud computing services, will require far more attention, and this is due to a much wider range of risks that may arise in connection with the transfer of data to many different entities and countries. In some cases it will be necessary to engage entirely new providers of such services, or at least amend the agreements concluded with current providers. You also cannot rule out that it will be necessary to adapt the software your company uses, not only to implement a “privacy by default” policy (offering a maximally high level of privacy from the very beginning of data processing) or a “privacy by design” policy (ensuring the compliance of all data processing IT systems and procedures with the new regulation), but also to check whether this software actually allows the permanent and real removal of data (as opposed to just “hiding” the data in the system).
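The last point above, that software must allow the permanent and real removal of data rather than just hiding it, is easy to get wrong because a "soft delete" looks identical to an erasure from the application's own screens. The following is an added example, not code from the article, that contrasts a soft delete with a real erasure in a small in-memory customer store and adds a verification routine that checks every place the record may linger, including a backup snapshot. It also shows a "privacy by default" setting (profiling consent is opt-in, never assumed). All class names, fields and sample data are constructed for illustration.

```python
"""Added example (not from the original article): soft delete versus real
erasure, with a check that a data subject's record no longer exists anywhere.
All names and sample values are constructed for illustration."""

import copy
from dataclasses import dataclass


@dataclass
class Customer:
    customer_id: int
    email: str
    # Privacy by default: profiling requires explicit opt-in, so the
    # attribute starts False and is never switched on implicitly.
    profiling_consent: bool = False
    # Used only by the soft-delete path: the record stays, just hidden.
    hidden: bool = False


class CustomerStore:
    """Minimal store with a live table and a list of backup snapshots."""

    def __init__(self) -> None:
        self.records: dict[int, Customer] = {}
        self.backups: list[dict[int, Customer]] = []

    def add(self, customer_id: int, email: str, profiling_consent: bool = False) -> None:
        self.records[customer_id] = Customer(customer_id, email, profiling_consent)

    def snapshot(self) -> None:
        # Models a backup job: a full copy of the live table at this moment.
        self.backups.append(copy.deepcopy(self.records))

    def visible_customer_ids(self) -> list[int]:
        # What the application UI shows; hidden records are filtered out,
        # which is why a soft delete looks like a real one from the outside.
        return [cid for cid, c in self.records.items() if not c.hidden]

    def soft_delete(self, customer_id: int) -> None:
        # "Hiding" the data: the personal data is still stored.
        self.records[customer_id].hidden = True

    def hard_delete(self, customer_id: int) -> None:
        # Real removal from the live table and from every snapshot we hold.
        # (Assumption for this toy: backups are mutable. With immutable backups
        # a real system needs another control, such as per-subject encryption
        # keys that are destroyed, or a bounded retention period.)
        self.records.pop(customer_id, None)
        for backup in self.backups:
            backup.pop(customer_id, None)


def residual_locations(store: CustomerStore, customer_id: int) -> list[str]:
    """List every location that still holds data for the given subject."""
    found = []
    if customer_id in store.records:
        found.append("live")
    for index, backup in enumerate(store.backups):
        if customer_id in backup:
            found.append(f"backup[{index}]")
    return found


def erasure_verified(store: CustomerStore, customer_id: int) -> bool:
    """True only when no copy of the subject's record remains anywhere."""
    return residual_locations(store, customer_id) == []


if __name__ == "__main__":
    store = CustomerStore()
    store.add(1, "customer@example.invalid")  # constructed sample value
    store.snapshot()

    store.soft_delete(1)
    print("visible after soft delete:", store.visible_customer_ids())   # []
    print("still stored at:", residual_locations(store, 1))             # live + backup

    store.hard_delete(1)
    print("erasure verified:", erasure_verified(store, 1))              # True
```

The useful habit here is the last function: an erasure request is only closed when a check that enumerates all storage locations (live tables, replicas, backups, exports) comes back empty, not when the record disappears from the application's own listing.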
The new law will also involve new processes. Apart from choosing appropriate service providers that guarantee a high level of data protection, in certain situations businesses will have to assess the impact of planned business ventures on their customers’ or employees’ privacy (Privacy Impact Assessment) – for example, when new, previously unknown technology is used for data processing. This complex task may require contact with the regulator and compliance with its instructions, which is worth bearing in mind before the planned process is implemented and before the company bears any costs associated with it.
Finally, a few words about possible sanctions. The regulation, in an expression of European pragmatism, does not provide for the imposition of criminal sanctions. Does this mean that the new law will be ignored? Probably not, as it provides for 27 cases in which it is possible to impose financial penalties. And these are high – up to EUR 20 million or 4% of annual global turnover, which in my opinion could be very painful for even the most financially stable of businesses.