EU Data Protection Regulation Moves One Step Closer to Adoption
Amethyst’s Mark Chown discusses why businesses should prepare now
In December last year, the three major European bodies agreed on the content of the proposed EU Data Protection Regulation (EDPR) which has been under debate and review since the European Commission released its first draft in 2012. Since then, the Commission, EU Parliament and Council have been negotiating the text which will eventually replace the UK Data Protection Act.
There are still rounds of voting to be held to formally ratify the regulation; however, this new consensus on the text brings adoption one major step closer. The formal ratification process is expected to be completed early this year, with the EDPR coming into force two years later, in 2018.
The new data protection reforms that will be introduced have been welcomed by the UK Information Commissioner who has been quick to emphasise that they will mean change for UK businesses:
‘The reforms agreed will mean change. Four years of work has created a set of rules that will need adjustments from consumers, businesses and, of course, the regulator. But it is progress that the EU is moving on from trying to regulate 21st century digital developments with legislation dating from 20 years ago. Most crucially, a new law will remind people of their data protection rights, and remind organisations of their data protection responsibilities. That can only be welcomed.’
Source: ICO website: https://iconewsblog.wordpress.com/2015/12/16/reform-of-data-protection-laws-hits-home-straight/
The final content of the EDPR will not be known until later this month, and businesses will have a two-year window to transition to the new regulations, which are expected to include some significant changes.
Increased Reach – The regulation will apply to any business that provides goods or services in the EU, regardless of where it is located. This is especially relevant to suppliers of online services located outside the EU.
More Challenging Breach Notification – Both Data Controllers and Processors will be required to notify national data protection authorities and data subjects of data breaches within 72 hours. In the typical early confusion of an incident, this leaves a short window for businesses to validate the extent of a breach and co-ordinate effective communications to their customers.
Hugely Increased Maximum Fines – Fines for data breaches will rise to a maximum of 20 million euros or 4% of global annual turnover, whichever is the greater. This compares to the current ICO limit of £500,000; for large multi-national companies, future fines have the potential to be huge.
Explicit Data Consent – Data subjects will need to provide explicit consent for their data to be used and agree to the specific purposes for which the data will be used.
Accountability – Businesses will be required to maintain auditable documentation that evidences their data processing activities and controls and demonstrates adherence to the new regulation. This is a new obligation that may require additional resource to manage.
What should Businesses do now to prepare?
Stay Informed – The ICO has committed to providing regular updates and clear guidance on its website. Use this as a regular resource to make sure you understand the impact of the new regulation.
Analyse – Implementation of the new regulation will be far easier if you fully understand your data flows, processes and systems. If you are not confident that you have a good understanding of your environment, you should act now to properly map your data processing environment. This will help you to respond more efficiently once the full impact is better understood, and to provide the necessary security training to staff.
Plan – Whilst there will be a two-year transition period, businesses should start planning now, especially when designing and implementing new systems or processes; doing so will help to minimise retrospective change programmes.