Developing a compliance strategy to meet the proposed Data Protection Regulation
September 2015 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
Sweeping data protection law changes are on the horizon in Europe by virtue of the proposed new Data Protection Regulation. The Regulation is not yet finalised, but we now have the European Council’s, the Commission’s and the European Parliament’s positions on it. The final form of the Regulation is being thrashed out through what is known as ‘trilogue’, and agreement is expected by the end of this year. Once agreed, there is likely to be a two-year lead-in period before the Regulation comes into force, although when it comes to preparing for it, organisations should plan for the worst (i.e., a shorter lead-in) and hope for the best.
The good news is that the new Regulation will have ‘direct effect’, which means that it will apply directly in each EEA country without a further layer of implementation into national law. This is different from the existing Directive, which has been implemented through the local laws of each EEA country, resulting in an inconsistent web of compliance within Europe and a data protection compliance nightmare for multinationals and for organisations with customers in multiple jurisdictions. The Regulation will strengthen the harmonisation of data protection law across Europe, which in turn should simplify compliance for organisations doing business across multiple European jurisdictions. The bad news, however, is that the new Regulation will be tougher to comply with. It introduces new compliance obligations and toughens existing ones.
The Regulation is a comprehensive document with wide-reaching changes for data controllers, processors and possibly systems providers (whether or not they process personal data). In terms of the changes on the horizon and how best to start preparing for them, below are some of the key areas to factor into your plan of action.
Unlike the Directive, the Regulation will apply directly to data processors (i.e., parties processing personal data on behalf of a data controller). It will no longer be the case that only the data controller is caught by data protection law. This means that all data processors will need a suitable compliance strategy going forward, to meet their own statutory obligations for the personal data they process on behalf of their customers. Data controllers (i.e., organisations that determine the purposes for which, and the manner in which, personal data is processed) will want to consider what this means for their relationship with processors and how compliance obligations are carved up between the parties. Processors will also need to consider what this might mean for their contractual liability where they have agreed with a controller customer to comply with applicable law. They may have given that undertaking at a time when data protection law did not apply to them directly, and the coming into force of the Regulation could represent a fundamental shift in their compliance obligations and risk.
Under existing data protection law, data controllers must give certain information to the individuals whose personal data they process, usually by way of privacy notices. The Regulation requires an even higher level of transparency than the Directive, so privacy notices will need to be more detailed. To give some examples of the additional information required, they will need to state how long personal data will be processed and retained, which third parties it is shared with, and the rights granted to data subjects (i.e., the individuals to whom the personal data relates). Achieving this level of detail in privacy notices will be challenging. In an age of big data and the Internet of Things, these notices could become lengthy indeed. Data controllers will need to find ways of presenting the information that are appropriate to the audience (the audience needs to understand it), informative and clear, yet do not overburden the individual with information. This will not be easy, and controllers need to think about how their privacy notices are delivered as well as what is in them.
Current data protection law grants data subjects certain rights in respect of their personal data. For example, they can require a controller to stop processing their personal data where the processing causes damage or distress. The Regulation bolsters this with the addition of a ‘right to be forgotten’, i.e., the right to have one’s personal data erased entirely (albeit subject to certain carve-outs).
If the proposed ‘right to be forgotten’ is agreed, the impact on organisations could be significant. Google is already grappling with the right to be forgotten following the decision of the European courts in the Google Spain v Gonzalez case, where it was held that, in effect, this right already exists. Indeed, the UK data protection regulator (the Information Commissioner) has already dealt with over 120 ‘right to be forgotten’ complaints following the Google Spain decision, so this is something to watch out for now as well as in the future.
Another newly created data subject right put forward under the Regulation is the right of portability, under which individuals will be able to transfer all of their personal data (whatever the format) from one data controller to another. Organisations are already concerned about the expense of ensuring compatible systems and data formats are in place. Organisations should consider format and compatibility now, especially if IT upgrades are on the agenda.
The requirements for obtaining data subjects’ consent to the processing of their personal data will increase under the Regulation. Where consent is needed, it will need to be explicit and informed. Implied consent will no longer be sufficient, which may create difficulties, particularly for online organisations conducting activities for which implied consent has been relied on (e.g., profiling and big data).
Under the proposed Regulation, both controllers and processors will need to demonstrate their compliance by maintaining extensive documentation of how and why they process personal data. Some of this may even need to be made publicly available, although that point is still being debated. This will place an extensive burden on controllers and processors alike, who should start building the body of their compliance documentation now. To kick off the process, a data protection assessment will help your organisation understand what data protection documentation is currently in place and what other policies, notices and so on might be needed. It will also help the organisation understand what it does with personal data (and whether it should be doing it), why personal data is processed, who it is shared with, and where and for how long it is held. This can be used to gauge current compliance levels, close any gaps and prepare for the step up to the compliance levels the Regulation will demand.
Privacy impact assessments are likely to become mandatory, especially where the processing of personal data is high volume or high risk. In any case, they are already a practice that the Information Commissioner’s Office (the UK’s data protection regulator) recommends as a way of assessing compliance. It is a good idea to get into the habit of doing them now.
Where a data protection breach is likely to pose a high risk to the rights and freedoms of individuals, data controllers will be required to notify their regulator and the affected data subjects within specified timeframes (accompanied by extensive documentation). To do this, organisations will need to be ready to act promptly and appropriately if a breach occurs, which means having a trained breach investigation team on standby as well as breach procedures in place. This makes good business sense in any case: swift, organised and effective action can significantly reduce the cost of handling a breach.
Under the Regulation, the risks of non-compliance will also increase significantly, and the pending Regulation is ignored at your peril. Depending on which version of the Regulation wins out, fines could be as much as 5 percent or 2 percent of annual worldwide turnover.
When it comes to data protection compliance and best practice, there is always room for improvement, and organisations should keep their compliance under regular review regardless of the forthcoming Regulation. A good baseline of compliance practices and procedures will not only help avoid fines, other enforcement action and possible public embarrassment, but can also be brand enhancing.
So what are you waiting for?
Kirsten Whitfield is a director at Wragge Lawrence Graham & Co. She can be contacted on +44 (0)121 393 0755 or by email: firstname.lastname@example.org.
© Financier Worldwide
Wragge Lawrence Graham & Co.