Significant changes are expected in EU data protection legislation, and many companies are either not fully aware of them or not adequately prepared for the transition.
The following is a briefing on the significant changes that are due to be formally approved at EU level within the next few months. While the date of the formal approval has not been decided, it will probably be within the next 3 months.
All amendments to the existing legislation, the EU Data Protection Directive 95/46/EC, have now been actively debated in commercial and legal forums, and the summary below describes the provisions most likely to be adopted.
After formal approval, the legislation will take effect two years later; this is expected to be summer/autumn 2016. While that date seems a long way off, the amendments, plus the sanctions for non-compliance, can be significant for any organization that manages or processes personally identifiable information. Many organizations are not fully aware of either the implications or their responsibilities.
The current legislation
- Is a directive, not a regulation, and so is not directly applicable law in the member states. Each member state transposes the directive into national law and can interpret its requirements with a degree of flexibility. The Swedish transposition is Personuppgiftslagen (PUL).
- Does not require security breaches (data loss) to be reported. Since there is no legal obligation, the actual number of breaches is currently unknown.
- Does not give individuals a right to be forgotten. There are situations where an individual should be able to have their personal records deleted, but currently there is no obligation on the holder of the data to do so.
- Does not give individuals a right to transfer their personal data to another party. For example, a customer changing telephone operator can neither take their data with them nor have their personal records deleted by the previous supplier.
- Provides no sanctions for those responsible for data loss. So even where data is lost, there is no economic penalty, even if negligence has occurred.
The new legislation will make significant changes.
The new legislation
- Will be a regulation, directly applicable in every member state, so each member state must follow the same legal requirements.
- Will impose a legal obligation to report security breaches (data loss) within 24 hours. Failure to report a breach will result in sanctions, up to and including legal proceedings.
- Will give individuals the right to be forgotten, i.e. to have their personal details deleted from systems of record, and the right to transfer their personal data to another party, on the individual's request.
- Will include sanctions enforceable by law. The sanctions can be significant if due diligence has not been taken to adequately protect personal data. Economic sanctions can be as high as 5% of global turnover or 100 million Euros (whichever is higher). For SMEs in particular this will be a significant challenge.
- Will require a Data Protection Officer responsible for personal data in every legal entity that has more than 250 employees OR whose core business involves processing personal data. Failure to appoint a Data Protection Officer is subject to sanctions.
The legal obligation is to report incidents to the national supervisory authority within 24 hours. In the case of Sweden this is the Swedish Data Inspectorate (Datainspektionen), which will have a significant mandate to enforce the law.
A further obligation is to notify every affected individual, unless the stolen data has been rendered unreadable (for example, by encryption) to anyone not authorized to access it.
Consider how many incidents are already reported today, and the headlines these incidents create in the national press and trade journals. These are incidents that were discovered, not voluntarily reported.
The new legislation will require much stronger protection of personal data, and procedures and tools for managing information loss and reporting. I believe many companies are either under-resourced or lack the funding to meet these new legal requirements.
Serious offences will be subject to economic sanctions up to a maximum of 5% of an organization's global turnover OR 100 million Euros, whichever is larger. The sanction will be determined by how serious the offence is.
The following are considered serious offences and significantly increase the risk of economic sanctions:
- Collecting or processing personal data without consent of the individuals
- Failure to report incidents in time
- Not having documented internal policies for managing personal data
- Not implementing measures to ensure personal data is protected.
In summary, the impact of the new legislation will be:
- High sanctions for serious offenders
- An increased focus on personal integrity
- Increased costs for compliance
- Requirements for new systems or applications
- Upgrades of existing systems
- Databases which may be unusable under the new legislation
- Requirements for process improvements
- Training of personnel
- Appointment of a Data Protection Officer for companies with more than 250 employees
- Security improvements which will be required of all companies, including (as a minimum):
  - Documentation of security policies and procedures
  - Security controls and tools to identify and report incidents
  - Security management to identify and manage security risk
The new legislation, taking effect in summer 2016, is directly applicable EU law. The same law applies in all EU member states and there will be few exceptions. The major change is the sanctions for not taking the required measures. A driving force behind this has been a number of incidents resulting in significant loss of personally identifiable information and/or identity theft.
It shall be interesting to see, after the law has been passed, how significantly companies respond. I anticipate a significant increase in enquiries for guidance and assistance with re-aligning to the new legislation.