Jonathan Waters, corporate partner at Hay & Kilner, looks at the introduction of a new European regulation which is set to boost individual data protection rights.
A single data protection law will be enforced across the continent, impacting on almost every business operating in the EU. Broadly speaking, the new regulation is based on the following main principles:
1. A single set of rules
A single data protection law will overcome the patchwork of legislation that currently exists across the EU, which has resulted in a historical lack of uniformity. The bad news for businesses is that they will be faced with hefty fines for non-compliance. Regulators will have the power to levy fines of up to €100 million or 5% of annual worldwide turnover, whichever is greater.
2. A one-stop (regulatory) shop
Businesses which operate “cross border” will no longer have to comply with the individual requirements of multiple EU states. Compliance will instead be governed by a single lead authority. The EU suggests that this simplification should allow greater opportunity, particularly for smaller businesses, to break into new markets, knowing that they do not have to deal with different regulations or associated costs.
3. “Explicit” consent and the strengthening of citizens’ rights
The new regulation requires consent to the processing of an individual’s personal data to be “explicit” as opposed to implied, and requires a statement or a clear affirmative action by the individual.
Individuals now have the right to be “forgotten” and have their personal data erased; however, such a request must be on the grounds that the data is no longer relevant (i.e. an individual could not ask for deletion of data if they are still employed by a company). Organisations processing an individual’s data will also be required to take reasonable steps to inform all relevant third parties of the deletion request.
What do the changes mean for businesses and what can be done now?
Given that the new regulation will place a bigger emphasis on obtaining consent, it is important that existing processes are reviewed and amended to ensure that “explicit” consent is obtained. For bigger businesses, the shift from a “risk-based” approach to a “compliance” approach, and the need to appoint an internal data protection officer, are likely to translate into a red tape burden that costs more to manage. There is also a requirement to advise the regulating authority of any data security breach within 24 hours of identifying the breach, together with a requirement to notify individuals if there has been a breach involving their information.
The compliance requirements are reduced for SMEs who, unless data processing is their core activity, will not have to appoint a data protection officer. Additionally, SMEs will no longer have to provide notifications to the regulator, and will not need to undertake impact assessments unless there is a specific risk. It is suggested that the implementation of the new regulation will save businesses up to €2.3 billion per year, compared with the costs of dealing with the fragmented legislation currently in place. These cost savings could, however, be negated by the increased investment required to meet new compliance requirements, underpinned by potential fines of up to 5% of annual worldwide turnover.
Whilst there may be a temptation for businesses to “wait and see” what transpires, taking a proactive stance and reviewing existing data protection systems now could ultimately result in savings in the long run.
For further information or advice, contact Jonathan Waters on 0191 232 8345 or email: Jonathan.Waters@hay-kilner.co.uk