European businesses are pretty tightly regulated when it comes to the handling, processing and storage of personal data but significant changes are afoot as European law makers seek to bring the regulatory framework up-to-date in the face of rapid technological change.
The emergence of cloud computing, mobility and the “as a service” economy, together with the rise of social media platforms, has meant that the ways that data about individuals is collected and used are changing rapidly.
The term “personal data” is extremely broad – it encompasses any information about a living individual, whether relating to that person’s private, public, business or professional life, such as name, address, email, data of birth, bank account details, and medical information; hence, these new rules will have potentially a very wide impact.
The current regime
Current European data protection laws govern businesses which operate within the EU or, if based outside, those which process personal data within the EU. These laws are based on the Data Protection Directive which was brought in nearly 20 years ago and tend to vary from country to country. This is because each individual EU member state had to implement the Directive into its own local laws and, in so doing, would often interpret the requirements differently, or would ‘gold plate’ the base EU-level requirements by adding their own additional requirements on top.
This approach has made compliance more difficult for businesses which operate across borders or online, and is counter to the idea of a ‘one-stop shop’ for EU regulatory matters which is very much in vogue in Brussels right now.
What is changing?
To try and coordinate the privacy rule book across the EU, the new regulation will have ‘direct effect’ meaning, under European law, that it will not need to be implemented locally by each of the 28 member states. In terms of current status, the text of the regulation itself is under development having been proposed by the European Commission and is currently within a “trilogue” between the EC, the European parliament and the Council of the European Union discussing each of their amendments to the EC’s proposal.
When it does come into force, widely expected to be sometime in 2017, the new regulation will shift responsibilities and impose new obligations. Current laws only regulate data controllers so that entities which carry out processing of personal data on behalf of a controller have no direct regulatory obligations nor do they owe any duties to the individual data subjects whose data they process, outside of whatever is imposed via contract. Of course, such entities will often be controllers of other types of data, such as their own employee data, for which they are directly regulated, leading to a pretty confusing picture. A key change will see obligations placed directly upon data processors for the first time.
There will also be a new right to know when personal data has been hacked. Companies and organisations will have to notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours) so that users can take appropriate measures. Other changes include the so-called ‘right to be forgotten’, and the principles of ‘data protection by design’ and ‘data protection by default’ meaning that data protection safeguards should be built into products and services from the outset, with privacy-friendly default settings as the norm. A new ‘right to data portability’ will make it easier for individuals to transfer their personal data between service providers. Large organisations will also be required to appoint a data protection officer.
A key issue for data processors is that the new regulation will expose them to the risk of direct regulatory action for the first time. The amount by which controllers and, now processors, can be fined is also likely to be significant. Data protection authorities will be able to fine companies who breach the EU rules up to 2 per cent of their global annual turnover. The European Parliament has even proposed to raise the possible sanctions to 5 per cent.
Supply chain contracts and outsourcing
Where appropriate a privacy impact assessment should be carried out and data controllers should be thinking about how to future-proof current procurement processes. For example, when selecting suppliers who will process personal data as part of the services provided, controllers should select only suppliers who can demonstrate that they are able to manage and process the data to the appropriate security standards and principles.
In terms of contractual requirements, certain additional mandatory terms will need to be included in agreements with data processors. These agreements should also address what happens if a data breach occurs, set out where responsibility for complying with the new laws lies and, if there is a breach, who is liable for what. Where subprocessing is permitted, this also needs to be carefully considered and covered in the agreement.
Preparing for the changes
The new regulation will provide a sunrise period to enable controllers and processors to get to grips with the new regime. However that sunrise period will be over all too quickly. Organisations should take steps now to ready themselves. Help is available, for instance, from the Association for Information and Image Management and other industry associations. However, before downloading and relying on any materials, make sure that it is up-to-date since there have been quite a few changes to the draft regulation since it was first published.
Key actions will include (a) mapping where and what data is currently handled by the business, including clearly identifying data flows and third party touch points, and developing a strategy to address gaps and issues; (b) identifying and updating information security, data access, governance and privacy policies and ensuring that appropriate controls and audit rights are in place; (c) ensuring that there is a data and information framework which complies with the new regulation; and (d) regularly testing the security of information within the organisation.
In terms of arrangements with third parties, data controllers should use this time to ensure that their current data processors, and the related contracts, can comply with the new requirements coming into force.
Tim Wright, Global Sourcing Partner, Pillsbury Law