By Jonathan Armstrong, data regulation adviser for Absolute Software and lawyer at Cordery
Back in 2012 the European Commission (EC) revealed its plan to completely revamp the 1995 EU data protection law, bringing it out of the Stone Age and making it fit for the 21st century. Every two days we create more data than ever existed before 2003. Businesses and consumers expect data to be accessible wherever and whenever they want. With the increasing adoption of sensor driven technology, cloud computing, BYOD and a whole host of other advances many feel that the old 1995 legislation needs, at the very least, a refresh.
In 2012 the EC finally published the long-awaited proposals for the new EU General Data Protection Regulation (EU GDPR). Although this regulation is still only in its draft stage and is not expected to come into force before 2017, it is imperative that businesses are aware of what’s on the horizon so that they can start preparing for the colossal upheaval the regulation will cause. To help companies ensure they’re not caught off-guard by the pending regulation, here are five of the most important changes they need to be aware of:
- The regulation will apply across Europe
Not only will the new law apply throughout the EU, but also to organisations based outside of the EU that are active in the EU market and offer services to EU citizens. So, even though a US company may have all of its offices based in in the US, if it handles the data of EU citizens, it can still be investigated, fined and even prosecuted by an EU Regulator for data loss and misuse.
- Companies are liable to fines of up to two percent of their corporation’s annual global turnover
There are increased sanctions including fines of up to €100 million or up to two per cent of annual global turnover – whichever is greater. Compared to the current maximum fine in the UK of £500,000 from the Information Commissioner’s Office, the new law will dramatically raise the stakes. However, a fine may be avoided if a company can prove it had data policies in place, provided suitable education to employees, and used the correct technology software.
- Companies will have to notify those whose data has been breached
Unless a company can prove that it has technology in place that leaves a lost device inoperable or completely wipes the data contained on it, it will have to notify those involved in a potential data breach. So, if 100,000 customers’ data is lost, via a lost employee phone for example, then a company will have to tell all of them that their data may have been compromised. This can lead to significant brand damage, litigation and media reporting of the incident, as well as leading to significant cost in contacting the people affected.
- Organisations must notify the authorities about data breaches as soon as possible
The draft Regulation states that ‘if feasible’ companies should report a data breach within 24 hours. While it could be in the best interest of the business to report a breach within 24 hours, this is easier said than done. An employee may lose their device on a Friday evening and only report it on Monday morning or may be completely unaware that they’ve uploaded data onto the cloud for all to see. Breaches also take time to deal with. Most people would rather an organisation spent the first hours after discovering a breach fixing it rather than preparing reports and completing other less essential tasks.
- Companies with 250 or more employees have to employ a corporate data protection officer
Enterprises of a certain size will need to hire someone who’s responsible for data protection. In the past, a few different people may have had some data protection training within their company but there may not have been a particular person who was directly responsible for data breaches. Now, companies will be obliged to appoint a properly trained data protection officer. And with the penalties set that much higher, it is advisable for businesses to seek out sound legal advice before choosing the correct candidate.
While we don’t know for certain the exact provisions of the EU GDPR, we do know that it is going to bring about considerable consequences to organisations across the globe. As we get closer to the official launch of the legislation, there will be two types of business; those that will only start making changes to their data protection policies once the law comes into force, and those who are already preparing for it. The latter, of course, has the upper hand. By clarifying data protection policies, educating employees, employing technology software, and for those larger organisations, hiring a data protection officer, all the right boxes will start to get ticked.
Of course, data breaches can still happen, but by proving all of these steps are imposed; companies can avoid the gargantuan fine. 2017 may seem a long way off, but the smart organisations will start seeking the correct advice and take action now, to ensure full compliance once the regulation comes into force.