Three years ago the European Commission proposed a reform of the European Union's data protection rules. The reform consists of a draft Regulation setting out a general EU framework for data protection and a draft Directive covering the processing of personal data by police and judicial authorities for law enforcement purposes.
On 24 June 2015 formal trilogue negotiations commenced between the European Commission, the European Parliament and the Council of the European Union, which are expected to produce the final text of the General Data Protection Regulation (GDPR) in late 2015 or early 2016. Because it is a Regulation rather than a Directive, the GDPR will apply directly in every Member State without national transposition, so data protection law will be harmonised across Europe to a far greater degree than today, for the benefit of both citizens and businesses.
Benefits for Citizens
- The information that must be provided to data subjects about the processing of their personal data remains extensive. It includes the legitimate interests pursued by the controller, or the statutory or contractual requirements relied on to justify the processing, together with an explanation of the rights the data subject has in relation to the data.
- Before consent is given, data subjects must always be informed of their right to withdraw it.
- The GDPR will draw clearer boundaries around the right to be forgotten and the right to data portability.
- Decisions based solely on profiling that produce legal effects for, or significantly affect, an individual are prohibited unless they are necessary for entering into or performing a contract, are expressly authorised by EU or Member State law, or are made with the data subject's consent.
Benefits for Business
Data is the currency of today's digital economy. The European Commission's data protection reform will help the digital single market realise this, notably through four main innovations:
- One continent, one law: The Regulation will establish a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies processing data in all Member States will deal with one law, not potentially 28.
- One-stop-shop: The Regulation will establish a 'one-stop-shop' for businesses: companies will only have to deal with one single supervisory authority, making it simpler and cheaper for companies to do business in the EU; and easier, swifter and more efficient for citizens to ensure their personal data is protected.
- The same rules will apply to all companies, regardless of where they are established: today European companies have to adhere to stricter standards than companies established outside the EU that also do business in the Single Market. With the reform, the GDPR will apply extraterritorially to the offering of goods or services to, or the monitoring of the behaviour of, data subjects in the EU. Non-EU controllers and processors caught in this way will need to appoint a representative in the EU "unless the processing is occasional and unlikely to result in a risk for the rights and freedoms of individuals".
- European regulators will be equipped with strong enforcement powers: data protection authorities will be able to fine companies that do not comply with EU rules up to 2% of their annual worldwide turnover under the Commission's draft. The European Parliament has proposed raising the maximum sanction to 5%.
Benefits for SMEs
The data protection reform is geared towards stimulating economic growth by cutting costs and red tape for European business, especially for small and medium-sized enterprises (SMEs). First, by replacing 28 national regimes with one rule, the reform will help SMEs break into new markets, since they will only have to comply with one set of regulations. Second, the Commission has proposed to exempt SMEs from several provisions of the Regulation, whereas today's 1995 Data Protection Directive applies to all European companies regardless of their size. Under the new rules, SMEs will benefit from four reductions in red tape:
- Data Protection Officers: SMEs will be exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
- No more notifications: the current obligation to notify supervisory authorities of processing activities is a formality that the Commission estimates costs business 130 million euro every year. The reform will scrap these notifications entirely.
- Every penny counts: Where requests to access data are excessive or repetitive, SMEs will be able to charge a fee for providing access.
- Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a specific risk.
The rules will also be risk-based. The EU rules are intended to take risk into account, so that obligations are imposed only where they are necessary to protect personal data. In a number of cases, the obligations of data controllers and processors will be scaled to the size of the business and to the nature of the data being processed.
The European Commission and the data protection authorities across the EU will develop precise and concrete guidelines explaining how elements of the new law should be interpreted, including on enforcement. In the meantime, we set out below some practical steps to prepare your business for the GDPR.
Most businesses will need to make some changes to their data processing practices, and many will have to make extensive changes. Some SMEs may fall within the exemptions described above, but even then the core obligations of the GDPR still apply, so very few organisations will be entirely unaffected.
Prepare your Business for the new Data Protection Regulation
- Put your privacy policies, procedures and documentation in order and keep them up to date: data protection authorities will be able to ask for these at any time, and documented accountability is far easier to evidence than retrospective justification.
- Form a governance group that oversees all your privacy activities, led by a senior manager or executive. If you have more than 250 employees, or if processing that requires regular and systematic monitoring of data subjects is a core activity, appoint a data protection officer. The group should define metrics that measure the status of privacy efforts, report on them regularly and produce statements of compliance that can be included in your organisation's annual report.
- Implement a breach notification process, and enhance your incident management, detection and response capabilities, since you cannot notify a breach you cannot detect. Under the Commission's draft, every personal data breach must be notified to the relevant data protection authority, where feasible within 24 hours of becoming aware of it (the Parliament's text extends this to 72 hours), even if protective measures such as encryption are in place or the likelihood of harm is low. Encryption matters for a different reason: where the affected data has been rendered unintelligible to unauthorised persons, the separate obligation to notify the affected individuals may not apply, so keep records of which data sets are encrypted and how the keys are managed.
- Prepare your organisation to fulfil the "right to be forgotten", the "right to erasure" and the "right to data portability". A strategy covering data classification, retention, collection, destruction, storage and search will be required, and it should cover every channel through which data is collected, including the internet, call centres and paper. In practice this means maintaining an inventory of where personal data lives, including backups and third-party processors, so that a single request can be located and actioned across all of them.