There’s evidence that most major companies haven’t as yet appreciated the impact that this European-wide Regulation will have on their business and could be caught out unless they take action sooner rather than later.
The aim of the new European Data Protection Regulation is to harmonise the current data protection laws in place across the EU member states. The fact that it is a “regulation” instead of a “directive” means it will be directly applicable to all EU member states without a need for national implementing legislation.
From the first half of 2015, all EU Governments will have two years from which to ensure that the EU General Data Protection Regulation is fully observed.
Regulators in each 28 EU Member State will be designated as a Supervisory Authority (SA) where the data controller has its main establishment. The SA will be the point of contact for complaints via other local SA and each Member State SA will enjoy localised powers within their own territory.
The new EU General Data Protection Regulation tightens up the data protection regime and there are now enhanced requirements for data security and specifically there is a mandatory breach notification procedure to the Data Protection Authority (DPA) without undue delay and effectively within 72 hours of the incident.
There are no de minimis limits for reports to the DPA, so this increases transparency within the monitoring process. Data subjects will need to be notified and must be informed of their right to claim compensation from the data controller. The DPA must keep a public register of types of breaches notified and this is the responsibility of the DPO.
New breed of Data Protection Officers
The forthcoming EU Regulation will force multi-national companies to appoint Data Protection Officers (DPOs) in order to comply with tougher regulations on data protection across all 28 Member States.
The DPO is similar but not the same as a Compliance Officer as they are also expected to be proficient at managing IT processes, data security (including dealing with cyber-attacks) and other critical business continuity issues around the holding and processing of personal and sensitive data. The skill set required stretches beyond understanding legal compliance with data protection laws and regulations.
Monitoring of DPOs will be the responsibility of the Regulator rather than the Board of Directors of the organisation that employs the DPO.
Timescales for compliance with the new EU General Data Protection Regulation
After the inevitable hiatus caused by the European Elections in May 2014, the new-look European Commission under European President Jean-Claude Juncker has defined its mission to get the draft Data Protection Regulation through the legislative process in the next six months. The European authorities aim to ratify the new Regulation within the first six months of 2015.
Business continuity risk
Many multi-national organisations are starting to become very concerned about the impact of the revised European Regulation on Data Protection as it represents the first major overhaul of data protection legislation since the ‘90s and the significant developments in data management, cloud hosting and social networking have brought this to a critical point.
At the same time, legislators have been under increasing pressure to tighten data protection laws and regulations in this area as a result of the threat to privacy and the increase in cyber-attacks on organisations that leaves the protection of personal data exposed and poses a risk to the invasion of privacy on an unprecedented scale. These contingencies are now a major business, continuity issue.
Despite this, a recent major European survey carried out by data security firm Sophos shows that the vast majority of organisations will fail to comply with this new EU Regulation by 2017, following a two-year implementation phase.
Companies risk fines up to 5% of global turnover or €100m for breach of the Regulation and this will force organisations to focus on whether it is always safe to share data between various devices, as well as cloud storage services, many of which do not comply with the new Regulation.
The new Regulation will bring all EU Member States under a single set of rules and mandatory breaches will force companies of all sizes to think much more carefully about data access.
From a practical perspective, the new EU General Data Protection Regulation will result in organisations carrying out a higher degree of data segmentation, a higher level of data encryption and more groups of data with policies around them.
Critical shortage of suitably qualified Data Protection Officers.
Research by Opt-4, a UK-based specialist data protection consultancy working with London city law firm Speechly Bircham, has shown that there is a critical shortage of suitably qualified DPOs in Europe and there is going to be fierce competition to train, retain and recruit these individuals.
The job of the DPO
The DPO will be responsible for monitoring data subjects as well as processing sensitive personal data. This new post-holder will occupy a unique role in the organisation as they will act autonomously of the Board. As an employee of the organisation, the DPO will enjoy four-year protected employment and have their own budget and will be responsible for:
- monitoring compliance
- liaising with works’ councils on Data Protection issues
- report on data protection breaches to the Supervisory Authority
- conduct regular periodic audits to ensure the organisation remains compliant.
It’s not too late for companies to wake up to the realities of re-wiring the way in which they need to prepare for being compliant. Over the forthcoming months, this website will offer guidance in how to do that to ensure that companies won’t face being caught with their pants down.