EU's Data Protection Regulation: Practical Advice On How Your Business Will Be Affected
Authors
This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.
Today, 25 January 2012, the European Commission unveiled its proposals for far-reaching changes to EU privacy legislation. We foresee the Regulation being in force by 2015. Every aspect of an organisation's compliance obligations will increase - and there will be fines of up to 2% of global turnover for breach. We highlight the top three immediate action points to consider. We also provide seven further action points to address in the months ahead.
Three immediate impacts:
- Non-EU businesses need to select an EU Member State
Scenario: a large US company holds personal data on US servers about its many EU customers. It has purposely not established a presence in the EU but will now need to decide which of the EU Member States in which it has customers to appoint its DP representative. It will need to balance the attractiveness of the enforcement approach in that state with other factors.
- Systems design
Scenario: the architecture for a new IT system is under discussion between the CTO and CEO of a large EU business. To future-proof the system, the CTO must take into account the Regulation's changes such as allowing consumer data to be permanently deleted (R2BF) and should ensure that all processing operations involving personal data are adequately documented.
- Outsourcing agreements
Scenario: a five-year outsourcing contract involving data processing is under negotiation. The deal will be signed this year, well before the impact day of the Regulation, which will be some time in 2015. Because the processing will continue after impact day, the parties today need to anticipate in the agreement that their data protection obligations will change.
Please see below for Olswang's initial analysis of 10 potential practical impacts.
Please contact Olswang Partner Clive Gringras clive.gringras@olswang.com or Head of Commercial Know How Claire Walker claire.walker@olswang.com for more information about the impact of the proposals on your business.
Initial reaction
Today's proposal for a new General Data Protection Regulation from the Directorate General for Justice is more moderate in some respects than the draft leaked in December, which we reported on. However, the extent of new red tape imposed will still be of concern to businesses. The impact of these changes on the in-house lawyer's specific commercial, employment, consumer and M&A workload will need to be analysed. Many aspects of the obligations will be fleshed out in detail by further guidance from the Commission. However, the immediate headline to tell the Board is that - with potential fines of up to 2% of global turnover - data protection compliance now needs more than just lip service.
It's still a regulation - what does this mean for impact timescales?
One of the Commission's key aims is to harmonise privacy rules and enforcement across the EU. The proposal is therefore for a Regulation, which once adopted would be directly applicable in all Member States without the need for national legislation. It is impossible to predict how long agreement by the EU institutions will take. Less controversial regulations have been known to be adopted in under 12 months; such a wide-ranging and contentious measure is likely to take longer. Once it is formally adopted at EU level, businesses would have 24 months to become compliant with the new obligations. So "D-Day" could be as soon as early 2015.
What kind of practical changes will you need to make - and what if you don't?
Once the detail of the Regulation is agreed, the specific impacts will be as diverse as the business operations to which they apply. However, there are certain broad changes which all organisations will need to prepare - and budget - for. Here's a non-exhaustive "Top Ten".
TEN PRACTICAL CHANGES TO PREPARE FOR
| Proposed change | What will you need to do, and what are the risks of non-compliance? |
| (1) DP representative for non-EU-established businesses: businesses with no EU establishment but which target* consumers in the EU will need to appoint a DP representative in one of the EU jurisdictions where those individuals are located (Article 25). *See below for the trigger points. | Non-EU-established businesses must plan for the appointment of a DPR. A business dealing with individuals in more than one Member State should select the most appropriate jurisdiction from among those where its EU consumers/contacts are located. Sanctions? Fines of up to 2% of global turnover. |
| (2) Systems and process design: new or enhanced principles and obligations potentially affecting systems and process procurement and design include: Existing DP principles will also need to be reflected, for example purpose limitation. | Privacy considerations will need to be actively factored into the design or upgrade of all systems and processes which process personal data. This would apply both to systems supplied by, and to those used internally by, the organisation. An assessment of systems and processes involving personal data should be made - particularly of projects which are still in the pipeline. Privacy impact assessments and in some cases prior regulatory authorisation would be needed for certain "higher risk" processing, e.g. that involving profiling, CCTV and sensitive data (Article 33). Sanctions? Fines for breaches of the various provisions opposite could range up to 2% of global turnover. |
| (3) Impact on commercial arrangements: where these arrangements - including outsourcing or supply chain arrangements - involve the processing of personal data, relevant changes will include: | In practice, these changes will require commercial parties dealing with personal data to address risks up front to a greater degree and to document how they have apportioned their respective liabilities. Sanctions? Several of these new requirements could attract a fine of up to 2% of global turnover if breached. |
| (4) Data Protection Officer: organisations (data controllers and processors) with more than 250 permanent employees will be required to appoint a DPO (Article 35). The requirement also applies to smaller organisations if their core activities require regular and systematic monitoring of data subjects (and to public authorities). The DPO's role and duties are set out in detail in Article 37. | A business with no existing compliance function would need to start considering who will fulfil the DPO role. Budget for a dedicated employee or an outsourced service would need to be factored in. Businesses with a legal or compliance function would need to implement suitable training and changes to job specs. Groups of undertakings may appoint a single DPO. Sanctions? Fines of up to 2% of global turnover. |
| (5) Risk assessment and compliance formalities: general new obligations for data controllers (Article 22) include: | This is a "gear change" in organisations' formal compliance (and in the risks of failure to "tick all the boxes"). In practice, the various new obligations would require thorough - and ongoing - review, assessment and documentation of the main systems and processes where personal data sits within the organisation. Sanctions? The specific requirements in the opposite column could attract sanctions of up to 2% of global turnover. |
| (6) Security breach response and notification procedures: Articles 31 and 32 would introduce the long-expected breach notification requirement for all data controllers, both to the regulator (in every case) and to affected individuals (where an adverse effect on that person's privacy is likely). General security obligations on data controllers and processors are amplified - see Article 30. | The introduction of a general notification requirement, a tight deadline and strong sanctions for breach makes it essential for organisations to have a security breach team and robust procedures in place as soon as possible. This is already good practice - and good commercial sense from a crisis management perspective. Sanctions? Failure to comply with security obligations and breach notification requirements could attract fines of up to 2% of global turnover. |
| (7) Formal "transparency" documentation: businesses must have in place "transparent and easily accessible policies" on the processing of personal data and the exercise of data subjects' rights (Article 11(1)) and, in particular, more extensive transparency information to be provided at the point of data capture (Article 14). | This is a gear shift from current best practice on privacy policies to a formal legal obligation. If an organisation already has good transparency information at the point of data capture and via privacy policies, this would be a case of review and refresh. Sanctions? Fines of up to 1% of global turnover. |
| (8) Marketing: the definition of consent is amplified to "freely given specific, informed and explicit… either by a statement or by a clear affirmative action" (Article 4(8)). | Marketing permission mechanisms will need to be reviewed against the higher new standard of consent. Sanctions? Failure to comply with the conditions for "consent" could attract a fine of up to 2% of global turnover. |
| (9) Collecting data from children: in the online context, consent for the collection and processing of data relating to under-13s would only be valid when "given or authorised by the child's parent or custodian". A controller must make "reasonable efforts to obtain verifiable consent taking into consideration available technology" (Article 8(1)). | Businesses will need to review permission mechanisms for under-13s to ensure verifiable parental consent and to ensure their practices continue to meet good practice standards. "Verifiable consent" will be fleshed out by subsequent Commission guidance. Sanctions? Failure to comply with the conditions for "consent" could attract a fine of up to 2% of global turnover. |
| (10) Subject access, rectification and erasure: existing rules would be extended with more extensive subject access disclosure requirements, the wider scope of "personal data" and greater sanctions for non- or late compliance (Articles 11-12 and 15). There are also stronger rules on rectification and erasure (Articles 16-17). | Review and update subject access procedures to ensure continued compliance and reduce the risk of sanctions. Sanctions? Fines of 0.5-2% of global turnover for failure to fully comply with different aspects of subject access procedures and response. Late response to subject access requests could, for example, attract a fine of up to 0.5%. The scope of "personal data" to be disclosed would also be wider than under the UK's current interpretation. The subject access fee (currently £10 in the UK) would be abolished (Article 12(4)) except in the case of "manifestly excessive requests" by the same person. |
Is there any good news to tell the Board?
- Proposed abolition of notification/registration: given the significant new administrative burdens and risks of the proposed new regime, it will perhaps be small comfort that the general notification requirement would be abolished (Recital 70), removing an annual administrative task and an annual fee (in the UK currently £35 for small and £500 for larger organisations). But what will this mean for the future funding of the UK regulator, the ICO - and could this result in over-zealous enforcement as regulators seek to replace lost notification fees with fines?
- One stop regulation for multinationals: of course, greater harmonisation and "one stop" enforcement across the EU will be great news for multinationals - provided these are the right rules, enforced in a proportionate manner by the most appropriate regulator!
- Some fine tuning: there is some sensible fine tuning and clarification to various bugbears in the current regime, for example international transfer rules. But will these be outweighed by the additional burdens of a more formalised approach to compliance?
When and how are non-EU businesses affected?
As highlighted above, non-EU entities may be caught in two ways. The first is processing "in the context of the activities of an establishment of a controller or processor in the Union" (Article 3(1)). Establishment is described in Recital 19 as the "effective and real exercise of activity through stable arrangements", and the legal form of such arrangements, e.g. branch or subsidiary, is "not the determining factor". Such businesses, whether controllers or processors, will be caught by all compliance requirements - including the requirement to appoint a DPO. For those with establishments in more than one EU jurisdiction, enforcement would be via the supervisory authority in the "main establishment", which is defined in Article 4(13) as where the entity's (whether controller or processor) central administration in the EU is located and, if the entity is a controller, where the purposes, conditions and means of the processing are determined. Recital 27 expands on "effective and real exercise of management activities" as the test. The location of the technology processing carried out on the basis of those decisions is not the determining factor (Recital 27).
The second is that a non-EU entity which has no EU establishment may still be caught if it is a data controller. The "trigger points" in Article 3(2) are: (a) the offering of goods or services to such data subjects in the Union; or (b) the monitoring of their behaviour.
A non-EU data controller which is caught by Article 3(2) is required to designate a representative (which may be an individual or an organisation) in the EU to comply with its obligations (Article 25). Failure to appoint a representative would attract a fine of up to 2% of global turnover. Any fines imposed on the data controller would be applied to the representative.
An organisation appears to have a choice over the EU jurisdiction in which it appoints its representative, provided it is one of the Member States in which the targeted individuals reside - Article 25(3). It will need to balance the choice of DP enforcement regime with other factors.
The information contained in this update is intended as a general review of the subjects featured and detailed specialist advice should always be taken before taking or refraining from taking any action.
© 2012 Olswang