Get ready for the new Data Protection Rules
The European Commission’s proposed reform of EU data protection law, in the General Data Protection Regulation (the Draft Regulation), introduces new obligations for both data controllers and data processors, proposes new rights for individuals and strengthens the powers of the data protection authorities. The Commission clearly intends for tighter regulation but the Draft Regulation is not expected to become law until at least 2015. Given some of the concerns expressed to date, it would be surprising if significant amendments are not made before the Draft Regulation is finalised.
We set out some of the current proposals that could affect both a firm’s levels of risk and its compliance burden in the UK.
- Mandatory breach notification
At present, there is no general requirement for a data security breach to be notified to the ICO. However, the Draft Regulation requires a data controller to notify the ICO not later than 24 hours after becoming aware of a breach.
In principle, this means that every breach is notifiable, however minor. Not surprisingly, the ICO has highlighted the danger that it will be swamped with notifications of trivial breaches, and has said that a 24-hour notification period is unlikely to be realistic.
- Broader definition of personal data
Until now, data protection legislation has only been concerned with personal data in the hands of the data controller. However, the Draft Regulation envisages a broader definition of “personal data” that includes all data that is capable of identifying an individual, even if the person who actually holds the data cannot make the link.
This will put pressure on businesses to ensure that, whenever information is collected or processed in a way that might refer to data subjects, policies and processes are in place to keep an audit trail of the processing and to inform the data subject of his or her rights, even where the information processed is very limited.
- New obligations on data processors
Data security will no longer be the sole responsibility of the data controller. Under existing rules, a data processor's obligation to comply with security requirements flows solely from its contract with the data controller. Under the Draft Regulation, "data processor only" businesses will fall directly under the data security requirements of the new regime and will carry a compliance burden of their own.
- New rights for individuals
A much-touted "right to be forgotten" is proposed, allowing an individual to require the deletion of their data at any time, which is of particular significance where an individual wishes to remove data posted online. Fierce lobbying against this by social networks may well see it significantly watered down.
- Mandatory data protection officers
Data protection officers (DPO) will be mandatory for large private companies (with 250+ employees) and public authorities. The DPO must have “the necessary level of expert knowledge” and must not take on any other duties that may result in a conflict of interest with the DPO role.
For many organisations, the role will be broader than the current DPO role and will include informing the company of its legal obligations, monitoring implementation, training, and notification of breaches. The Draft Regulation appears to see the DPO as an independent watchdog and supervisor, albeit one employed by the company.
- New sanctions
There will be significant new sanctions for non-compliance. At the upper end, a fine of up to 2% of a company’s worldwide turnover is proposed for breaches of the Draft Regulation. This is much higher than the maximum fine of £500,000 that the ICO may impose.
International data transfers: the rise of Binding Corporate Rules
On 14 June 2012, Citigroup Inc became the latest of 15 international companies to obtain approval of its Binding Corporate Rules (BCRs) from the ICO.
Twenty-nine companies across Europe now have approval for BCRs. Whilst the process has certain drawbacks, BCRs offer high-profile adopters, such as Citigroup, a new and flexible way to ensure that transfers of personal data around their global operations meet the strict European rules on international data transfers. Increased co-operation between European data protection authorities is now giving BCRs significant momentum for the first time.
What are BCRs?
BCRs are essentially a set of intra-group governance policies, agreements, declarations and undertakings relating to the transfer of data within a group company structure. They are designed to allow multinational companies to export personal data from the EEA to other group entities in territories located outside the EEA.
European data protection law prohibits such transfers unless the relevant territory provides an adequate level of protection for personal data. If such data transfers are governed by approved BCRs, then the transfer will be deemed to comply with this requirement.
Alternatives to BCRs
The other options available to data controllers to ensure adequate protection include: model contract clauses; the consent of the data subject; the Safe Harbor Scheme for EEA/US data transfers; and the data controller’s own finding of adequacy.
Although the uptake of BCRs began slowly in 2005, there have been 13 successful applications in the UK since April 2009. Four of these have occurred during 2012.
BCRs – the benefits
Once operational, BCRs can provide a framework for intra-group transfers. BCRs are maintained via an ongoing obligation on the data controller to monitor compliance, regularly provide training to employees and conduct regular internal audits.
Key benefits of BCRs include:
- Awareness: an increase in staff awareness of data protection compliance is an inevitable by-product of increased compliance measures.
- Flexibility: if drafted widely, BCRs can allow for changes in the company structure and data flows.
- Ease: BCRs remove the need to rely on complex networks of intra-group contracts based on the model clauses.
The application process
- Selecting a lead authority
The application procedure has been designed to avoid companies having to approach each individual European Data Protection Authority (DPA) separately. The applicant company must select a DPA to be the lead authority, usually based on the location of the company's European headquarters.
- Application documents
Applicants must demonstrate to the lead authority that their BCRs establish adequate safeguards for the protection of personal data throughout their organisation. A key feature of the application content is a set of unilateral declarations by the company that its group companies will act in a specified way in relation to data transfers.
- Co-operation and Mutual Recognition
Once the lead authority is satisfied with the adequacy of the BCRs, it will refer the application to the other DPAs within the co-operation scheme for approval. Those DPAs will review the application papers (to varying degrees) and provide comments. Any comments or concerns will be fed back to the lead authority and the applicant, and will subsequently be addressed until each DPA is satisfied.
Mutual Recognition, introduced in April 2011, has improved the BCR process. If the lead DPA is satisfied that the BCRs provide adequate safeguards, the other participating DPAs can accept its findings without further scrutiny. Since its introduction, 19 countries have taken part in Mutual Recognition, including the UK.
BCRs – the drawbacks
BCRs do not always fit comfortably within the national laws of all EEA territories so BCRs are not yet the perfect pan-European solution.
Another disadvantage is that even a straightforward application can take 12 months to conclude, and there may be further delays in the authorisation process within the other DPAs.
Given the recent rise in successful BCRs, it is likely that more companies with international reach will submit their own applications. Companies whose BCRs have been approved to date include JPMorgan Chase & Co, British Petroleum plc, Accenture Limited and eBay Inc.
Organisations that may particularly benefit from using BCRs include firms which operate internationally and in global networks, or which have centralised services such as payroll and HR based abroad.
As the application process becomes more streamlined, companies will be able to have increased confidence in the process and we are likely to see more companies benefiting from approved BCR status.