Changes to EU data protection legislation set to be introduced next year will see stricter requirements on companies and greater fines in relation to data breaches.
The EU data protection regulation was proposed in 2012 to harmonise data protection legislation across Europe and bring it up to speed with the age of cloud services and big data. After a record number of amendments to the draft regulation, the detail is being finalised by the Council of Ministers and looks set to be approved in 2015.
However, it appears few businesses are prepared for the changes, with one study reporting that only one percent of cloud providers meet the new requirements. While there is a two-year wait until the regulation becomes effective, meaning companies would have until 2017 to adopt compliant working practices, ensuring correct procedures are in place takes time. Given the increased fines and the greater reach that will be available to the UK Information Commissioner’s Office (ICO), businesses should be aware of the new landscape.
How will the EU regulation affect my business?
One of the key differences from the current regime is that the fines for breaching data protection regulation will be increased.
While the final level of fines under the EU regulation has to be agreed, it will almost certainly be an increase on the £500,000 maximum currently available to the ICO in the UK. The European Parliament suggested the maximum be 5% of global turnover or €100 million.
Companies will have to adopt prescriptive measures to demonstrate that they are complying with the regulation, including having policies in place, carrying out privacy impact assessments and self-auditing.
There is a strong focus on demonstrating compliance under the new regulation. This is far more onerous than the current regime, which sets out the legal requirements and leaves organisations to decide how to meet these.
Greater territorial scope
The current UK legislation, the Data Protection Act 1998, applies to data controllers established in the UK as well as data controllers that are not established in the European Economic Area (EEA), but which use equipment in the UK. The regulation would extend the territorial scope of EU data protection laws to:
– Data controllers or data processors established in the EU.
– The processing of personal data by a data controller established outside the EU in relation to data subjects residing in the EU where the processing relates to the offering of goods or services to data subjects in the EU, or the monitoring of the data subject’s behaviour.
The European Parliament’s proposal is that the regulation would apply to data controllers and data processors established in the EU, regardless of whether the processing takes place in the EU. The big change here is that for the first time the legislation will apply to organisations when acting as data processors. US-based social media companies and cloud service providers are clearly in the regulator’s sights.
Damages for individuals
Under the regulation, individuals who suffer loss as a result of a breach would be able to claim damages from data controllers and data processors – not just data controllers as at present.
Is this regulation needed?
Both the UK Government and ICO agree that data protection laws need to be reformed. An ICO statement said "e-citizens currently enjoy ‘paper age’ access rights".
However, both the ICO and Government have reservations about the form and content of the regulation. The ICO feels the regulation is too prescriptive and that the two-year lead-in time is unnecessary.
As the EU moves towards a common digital market, data protection harmonisation can only be beneficial for businesses and individuals. It will provide businesses with the certainty needed to operate effectively, knowing both that they are complying with legislation and can rely on assurances given by foreign partners. It also provides individuals with the means of claiming compensation when dealing with companies across Europe.
While a focus on process will force companies to examine their data protection practices, it may prove to be an unnecessary burden which does not lead to fewer data breaches. One thing is clear: companies must have the correct processes in place or they will risk substantial fines in future.