On 14 April 2016, a new set of data protection rules was adopted in the European Union. They provide for a single and comprehensive data protection framework that is valid and directly applicable to EU-based and, in certain cases, non-EU-based companies operating in the various Member States.
While the new regulation (the General Data Protection Regulation) reinstates fundamental principles and requirements currently in force and codifies notions that have originated in enforcement practice, it also introduces new obligations for businesses with respect to data management and security, on-going compliance, privacy safeguards, remedies for data breaches and liability for unlawful processing of personal data.
The new rules enter into force in two years. However, the scale of organisational and technical measures required for companies to meet the requisite compliance standards calls for early planning and an early start of preparations.
What are the major changes under the new data protection rules?
- More nuanced requirements as to when and how businesses may collect and process personal data: The grounds on which businesses may collect and process personal data remain largely unchanged. However, the Regulation fine-tunes some of them in a way that streamlines and narrows down their application. Currently, data may be processed only for the purposes prescribed by law or to which individuals have agreed. Under the new rules, acquiescence or pre-ticked boxes will no longer be valid forms of consent for the processing of personal data. Companies will be allowed to process such data on grounds of legitimate interests only if those interests could have been reasonably expected in the context and at the time of the collection of the data. When companies handle personal data for entering into, or the performance of, a contract, they may process only the data necessary in the context of the contract, and not across the board.
- More detailed rights of individuals with respect to data processing: Typically, companies must provide certain information (e.g. company identification, details of third parties involved in processing, the purpose of data processing) to individuals when obtaining their personal data. Under the new rules, companies must also inform individuals, prior to collecting their personal data, about the legitimate interests that the company has in the processing of their personal data and the duration of such processing. Individuals must be informed of any automated decision-making (such as profiling) for which the data may be used. They may object to such automated processing in certain cases. Individuals may request that companies stop using and delete their personal data when, among other grounds, its processing is no longer necessary or is unlawful (the “right to be forgotten”). If the company intends to transfer personal data outside the EU, it must first inform the individuals concerned.
- Portability of data: Personal data stored or processed by cloud computing providers, photo-sharing services, social media or in any other automated way on the basis of the individual’s consent can be migrated from one environment to another more easily under the new data protection rules. Individuals may request that such service providers hand over the data in a structured and machine-readable format directly to third parties.
- Risk-based approach to data protection: Companies must design their data management and security systems with an understanding of the privacy and information security risks that they face. This means that they must implement processes and measures that correspond to the risk involved in the data processing operations they perform. If companies resort to new technologies, profiling or other forms of automated processing, they must assess in advance the impact of the operations and the associated privacy risks and determine appropriate mitigation measures. If processing involves a high risk that state-of-the-art technology cannot counter at a reasonable cost, the company must consult the competent data protection authority on other suitable safeguards.
- Comprehensive and coherent compliance at companies with large-scale data processing as part of their core activities: Such companies must appoint a data protection officer, who will monitor compliance, assist with impact assessments and with the implementation of ensuing measures, advise the company on all other data protection aspects of its operations, and liaise with authorities.
- Data breach notification: Companies must notify the respective national data protection authority of non-accidental unauthorised access to or leakage of personal data (“personal data breach”). Companies must do this promptly, within 72 hours of becoming aware of the breach. As part of the notification, companies must provide information on the types of data compromised and the approximate number of individuals affected. When the breach concerns high-risk or highly sensitive data (e.g. bank account or health information) or may result in identity theft, the company must also notify the affected individuals directly and without undue delay.
- One-stop-shop enforcement mechanism: Under the new regime, a company that is active in several Member States will deal only with the data protection authority in the Member State of its main establishment. In important cross-border cases, where several national data protection authorities are involved, a single decision will be rendered. Individuals may still file complaints to their national data protection authority regarding unlawful data processing that takes place in its territory or targets them even if conducted abroad.
- Extra-territorial reach of the Regulation: The new rules will apply to data processing that takes place on the territory of an EU Member State. They will apply also to processing that – even if taking place abroad – relates to (i) targeting individuals residing in an EU Member State for the purposes of offering them goods or services, or (ii) profiling or tracking their behaviour within the EU online.
- Liability: Fines for a company’s breach of the data protection rules will be determined as a percentage of the company’s worldwide annual turnover. Depending on the gravity of the infringement, sanctions may reach up to 4% of the company’s worldwide annual turnover in the preceding financial year.
What do these rules mean for businesses in Central and Eastern Europe?
Levels of data protection compliance and enforcement vary across CEE countries. Jurisdictions such as Romania, the Czech Republic and Slovakia have promoted compliance through more active enforcement and interpretative decisions. As a result, businesses in those countries approach privacy with caution. Jurisdictions such as Bulgaria have been more lax in their enforcement efforts, and compliance has been driven mainly by private parties’ complaints regarding improper handling of personal data. Generally, requirements have been interpreted and applied scholastically.
Going forward, the new rules will level the playing field because of their direct and uniform application. They will also set the compliance bar higher. The additional rights of individuals and the requirements for risk-based protection and on-going compliance prompt a re-think of the way companies approach data processing. Companies will have to introduce and/or streamline their business and back office processes so that they:
- Better understand what kind of structured and unstructured data they collect, process and store;
- Better understand what route such data travels and what needs it serves within the organisation;
- Adapt processes and policies to manage the lifecycle of such data within their organisation. These processes must include relations with customers, processors and third-party vendors, sub-contractors, the use of cloud computing services, migration of data from one medium to another, and cross-border data transfers. The ultimate goal would be to ensure effective compliance and limit regulatory exposure without overburdening the day-to-day operations with additional red tape or costs.
- Pre-empt and manage data breaches. Companies will need to have tools to monitor security, detect non-accidental breaches quickly and identify the data and individuals affected promptly. Only then will companies be able to counter risks, mitigate the impact and report the incidents to the respective data protection authority and individuals as required.
Companies with large-scale data processing operations as part of their core business will need to retain and fully integrate data protection officers into their organisation, as it is only in this way that such officers can ensure compliance and serve as an adequate liaison with the outside world.
These steps will require swift analysis of business processes and needs, as companies have only two years to comply with the new rules. This timeframe shortens the lead time for impact assessments, decision-making and budgeting to less than a year, and leaves only a few months for investing in and deploying IT solutions and compliance procedures.