The new EU Data Protection Regulation was informally agreed on 15 December. It will:
- introduce big new fines for non-compliance (up to 4% of worldwide annual turnover for the most serious offences);
- require companies that do large-scale processing to appoint a data protection officer;
- require businesses to notify the regulator of serious data breaches (eg hacks) as soon as possible;
- introduce stricter rules on getting consent to use customer and employee data; and
- extend to non-EU businesses that offer services in the EU.
It promises greater harmonisation, but there will be fragmentation in some areas, eg:
- there will in theory be a ‘one-stop-shop’, allowing businesses to deal with one lead regulator across the EU, but businesses may still need to interact with multiple national regulators; and
- tighter rules will apply to children’s personal data, but EU countries can define a ‘child’ as anywhere between 13 and 16 years old.
The new rules are likely to come into force in early 2018, but you should review your global data policy well in advance of that. We’ll publish more details when the full text of the Regulation is available, but here are 10 points you should be thinking about:
- the extent to which you will be able to use personal data to develop new products and services;
- how to incorporate privacy issues into your business processes – eg whether you need to conduct ‘data protection impact assessments’;
- how you’ll meet your new notification obligations if you suffer a data loss from a hack or other data leak (and there might be wider disclosure obligations for listed companies, or those seeking a listing);
- whether to change your employment contracts or handbooks, and what data privacy training your staff will need to deal with the new regime;
- how to anticipate and deal with regulator requests for data;
- whether to change your management and governance structure to deal with the new rules, and how to manage international group-wide data flows;
- how to structure relationships with third parties to reallocate responsibilities and liability risks – eg it’s likely there will be new rules on commissioned data processing and a new broad concept of joint data controllers;
- for non-EU businesses that haven’t previously had to think about EU privacy law, whether you will be caught by the new rules;
- whether a wider definition of ‘personal data’ – eg covering online or device identifiers – will bring more of your business within data protection law; and
- how to structure M&A transactions involving data-rich targets.
Meanwhile, the EU and US are still negotiating the ‘Safe Harbor 2.0’ agreement, which will make it easier for European businesses to send personal data to the US. Details of why the European Court of Justice struck down the current Safe Harbor arrangement are available here. Negotiators aim to agree on a deal by the end of January 2016.