Comment from media and intellectual property law firm Howard Kennedy.

The much anticipated reform of data protection legislation was yesterday (14th April) approved by the European Parliament.

Along with a new ‘right to be forgotten’, the General Data Protection Regulation seeks to bring greater accountability on organisations holding personal data, says law firm Howard Kennedy.

Robert Lands, Head of Intellectual Property at Howard Kennedy said: “The General Data Protection Regulation introduces new rights for individuals and considerably more onerous obligations for businesses.  Get it wrong and businesses could face a fine of four per cent of global turnover or 20 million Euros (whichever is the greater).”

The General Data Protection Regulation represents the largest reform of this area of legislation in more than 20 years.

The reform covers many areas, but the key changes are summarised:
For individuals

  • A new right to be forgotten, known as the ‘right of erasure’;
  • A new right to data portability to enable people to switch service providers more easily; and
  • Enhanced rights to see information held by organisations.

For businesses

  • All data processors, not just data controllers, can now be held liable for mismanagement of data;
  • The regulations now extend to all businesses anywhere in the world if handle data about EU citizens, not just businesses based in the EU;
  • Strict limits on automatic personal profiling of individuals;
  • More detailed notices to individuals now required;
  • New rules which apply to the processing of personal data relating to children;
  • Business will need to carry our regular privacy impact assessments; and
  • Mandatory notification of data security breaches, within 72 hours of the breach.
  • Mandatory data protection officer’s in larger companies.

Robert Lands offers this advice for businesses on what they need to consider to comply with the new regulations.

  • Audit current data protection practices for potential areas of non-compliance.  Pay particular attention to the following:
    • Look at how the data is gathered – do you have the right permissions?
    • What are individuals told about how the data is to be used, and how does that match with reality?
    • Who has access to the data, and how is it stored?
    • Is the data held entirely within the EU, and, if not, have international transfers been done lawfully?
    • To whom is the data disclosed and why?
  • Considering internal policies and systems to help deal with the new rights of individuals and the new obligation to report breaches.
  • Checking contracts with IT suppliers and other companies which might process personal data on your behalf.  Those contracts must contain clauses which deal specifically with personal data, limiting its use.  Contracts should also contain an obligation on the supplier to immediately inform the client of any breach of security/loss or damage to the personal data.

Robert concludes: “This regulation fundamentally changes the way a business interacts, holds and uses data it collects on their customers and clients.  The message is also very clear that with this new regulation sits a desire to police more effectively the misuse of data.  With greatly increased fines, the potential increase in liability will be enormous.”

Related Articles