In March 2014 the European parliament approved an amended text for the draft General Data Protection Regulation (PDF). It is quite a substantial reform reflecting the not insubstantial developments in ICT since 1995.
Compliance is more onerous and fines far greater, and organisations need to start preparing for compliance today to avoid penalties and to maintain the trust of their customers. If you’re feeling this pain, please get in touch with us here at the hi:project. In brief, here are some of the main issues.
Enforcement – Fines up to 5% of global annual turnover are proposed.
Geography – Non-EU controllers doing business in the EU must appoint EU representatives.
International – The framework will be extended beyond controllers to processors, and will apply equally to transfers beyond the EU.
Scope of personal data – A broader definition is set to be adopted in line with today’s digital landscape.
Justifications for processing – There will be tighter conditions for collection and use of data. There may be some room for tweaks at the state level for some sectors (e.g. employment, health and journalism).
Data protection officers – Appointment of a DPO may no longer be voluntary.
Profiling – Some degree of profiling of individuals (customers and prospects) will be acceptable, and some will be unacceptable. It is not yet certain where or how the line will be drawn.
Breach notification – Notification is likely to be made compulsory, although how the bar will be defined and what might constitute appropriate security remains to be seen.
Processors and supply chain – Data responsibilities will need to be more clearly defined and documented.
Portability – The reform is likely to introduce some rights for individuals to ask for and to receive their data in a re-usable format with an open standard for data storage and transfer. It is not yet clear how this overlaps with aspects of IP and/or competition law. This idea gets some push-back from those operating in markets that aren’t subject to customer “lock in”, as if that is the only issue at play here. Obviously, the hi:project has a more advanced outlook.
Right to be forgotten / to erasure of information – Somehow data controllers will be asked to walk the fine line between privacy and rights to freedom of expression.
Privacy by design – The organisation must safeguard the rights of the data subject with appropriate technical and organisational measures, ensuring only the minimum and necessary personal data is processed for any given purpose, and that it is disclosed only as widely as is demanded by the purpose.