It has taken over four years but the European Commission’s revision of data protection rules has finally passed the European Parliament.
The new regulations will come into force in the summer and then member states have two years to adopt the laws.
The changes might have been a long time coming but they show how data protection is now an issue for the board of directors, not just for the IT department.
One reason the board will be interested is because of the threat of massive fines for companies found guilty of not properly protecting private information.
Regulators will be able to fine companies up to four per cent of global annual turnover (or €20 million, whichever is higher) if they get data protection wrong.
The new laws will bring other changes apart from huge fines.
Many organisations, including public bodies and any company whose core activities involve large-scale monitoring of individuals or processing of sensitive data, will have to appoint a data protection officer to make sure they are following the rules. This person will not only have to make sure a company’s data protection systems are up to the job; they will also have to be able to demonstrate this to regulators.
Companies will also have to respond more quickly to questions from members of the public about their private data.
They will also have to inform the relevant regulator if personal data is breached or lost to a hacker. This has to happen within 72 hours of the company becoming aware of the breach, and affected individuals must be told without undue delay where the breach puts them at high risk. Detecting an incident, scoping it and reporting it inside that window is a major challenge if your security monitoring and incident response processes are not up to scratch.
The public also has the right to move data more quickly to another company – so cloud providers and web mail companies will need to find easier ways to transfer customer accounts.
In the UK the Information Commissioner’s Office welcomed the changes.
Steve Wood, ICO’s head of policy delivery, said: “Many of the principles in the new legislation are much the same as those in the current law, but there are important new elements, and some things will need to be done differently. It will enhance the data protection rights of individuals and make organisations more accountable … But there’s still plenty of work to do to make sure the UK is ready for the reforms in 2018.”
The UK has a partial opt-out from the new laws, but in practice any company trading with European companies or citizens will likely want to follow the new rules.
Business leaders have broadly welcomed the changes and say they strike the right balance between protecting privacy and allowing for business innovation and the development of new ‘data driven’ applications.
They also hope that following the same set of rules across Europe will mean lower costs for business.
As always ‘the devil is in the detail’ and there are still areas where the courts will decide how to implement the rules in the real world.
One controversial area is the ‘right to be forgotten’ – whether this means the right to delete your Facebook account or if it extends to demanding the removal of news articles is still being fought over.
But whatever the final decisions, and however your organisation deals with data – whether as a processor or controller – this is a good time to take a proper look at your data protection procedures.
The ICO has a 12 step programme to help organisations get ready for the changes here: