Revised data protection regulation sets out new rules on data processing practices
Companies and public entities will face new compliance challenges and significant changes to their data protection practices when the new European Data Protection Regulation, currently expected to come into force in 2015, replaces the existing EU rules. The aim of the new Regulation is to harmonise data protection law across the EU member states: as a Regulation it will be directly applicable in every member state, without the need for national implementing legislation.
The Regulation increases the responsibilities of controllers, which is likely to bring significant administrative costs and challenges. Organisations are expected to establish an overall system for monitoring, reviewing and assessing their data processing procedures, with the goals of minimising the personal data they process and building safeguards into all processing activities. With the reform, companies based outside the EU will also have to apply the same rules when they process data about EU residents.
According to the Commission’s proposal, organisations with more than 250 employees should appoint a data protection officer (DPO). The role of the DPO is to ensure the rules are enforced appropriately, to give guidance and to see that personal data and related documentation are handled according to the rules and principles set out in the Regulation. Organisations should also establish a breach notification process. Under the proposal any personal data breach must be reported to the relevant data protection authority, even if protective measures are in place or the likelihood of harm is low. The revised framework is widely expected to require organisations to notify both the authority and the affected individuals within 24 hours of becoming aware of a breach, which in practice means that breach detection, escalation and reporting procedures must be in place before a breach occurs rather than improvised afterwards.
Data protection authorities will be able to impose significant administrative fines on companies and public entities that do not comply with the EU rules. Fines for non-compliance may be up to 2% of annual worldwide turnover under the Commission’s proposal, although the final level is not yet settled, with reports ranging from 1% to 5%. This is a significant change for Finland, because under current Finnish legislation the national supervisory authority has no power to impose such fines. Fines would be imposed on the controller on a case-by-case basis.
Organisations should also prepare to fulfil the “right to be forgotten” and to meet the stricter consent requirements, which will include implementing a process for obtaining explicit consent from individuals. According to the proposal, people have the right to ask for data about them to be deleted, and organisations will have to comply unless there are legitimate grounds to retain the data. Internet users must also give explicit consent to the use of data about them, be notified when their data is collected, and be told for what purpose it is being processed and how long it will be stored. In practice, organisations should analyse the legal basis on which they use personal data and decide whether they rely on the data subject’s consent or whether they can show a legitimate interest in processing that data.
Because compliance with these obligations takes time to become part of a company’s data protection culture, organisations should not delay in taking action if they want to be well prepared for the coming changes.