Data Protection Changes Coming to EU Firms
Big changes are coming in the form of European Union data protection mandates. In January 2012, the European Commission announced a proposal to reform the European Union's current data protection framework, the 1995 EU Data Protection Directive, to better protect the personal data of EU citizens and to bring the legislation up to date with 21st-century requirements and the rapid evolution of technology (including the prevalence of social networking and smartphones).
The EU proposal will give individuals more control over their data while also promoting the importance of data protection in a globalised world. The European Commission expects the rules to take effect two years after they have been adopted by the European Parliament and the Council, which would put the start date at around 2014 or 2015.
While some of the current proposals will undoubtedly be amended over the course of this lengthy process, let’s look at some of the practical steps companies should be considering now.
Move towards compliance
One of the main features of the proposed regulation is that a company would deal with only one regulatory authority supervising its activities across all EU member states. Businesses with offices in several European countries should therefore work out which regulatory authority would be their supervisor.
Right to be forgotten
The proposed regulation will introduce a right to be forgotten, which will allow people to ask firms to delete their data permanently. A company that receives a deletion request will also be responsible for passing that request on to any other companies holding copies of the data.
This rule will certainly affect Internet platforms, which tend never to forget. For example, even after data is taken down from a social networking site such as Facebook or Twitter, it is not completely gone: copies can persist in search-engine caches, archives, backups and third-party services that have already collected it. Firms handling deletion requests therefore need to know every place a record is replicated, not just the primary database.
Don't delay, get ready
Given the timeframe, many firms may feel they have plenty of time to get ready for the new data protection framework in Europe, but that is not the case. The clock is ticking.
While there may be a lot of work that still needs to be done before the proposals are finalised, firms should not wait to start preparations. It is important that firms get their privacy policies, procedures and documentation in order and keep them up to date.
Best Practices to Start Employing Now
- Appoint a data protection officer to act as the focal point for all data protection activities.
- Take a closer look at your privacy policies. In some cases they will need to be rewritten, since the proposal requires that information given to individuals be expressed in clear and plain language.
- Refresh your information asset register so it clearly identifies what data is held, where, how and why.
- Write and put into practice processes and procedures for handling data subject access requests and data deletion requests.
- Review your technical and procedural controls around your data. Under the proposal, a serious infringement of the rules, including a failure to protect personal data that leads to a breach, could cost your firm up to 2% of its annual global turnover.