ONE STOP SHOP FOR EU DATA PROTECTION

Implications for Business of the new EU Data Protection Framework

The EU has recently unveiled its proposal for a significant reform of the existing EU data protection framework. The proposed framework consists of a Regulation, which sets the general data protection structure, and a Directive that applies to the processing of personal data, replacing the existing Data Protection Directive 95/46/EC. The changes create ‘a single set of European rules—valid everywhere across the EU’, stated Viviane Reding, the EU Commissioner for Justice, Fundamental Rights and Citizenship, ‘one rule for 27 member states and 500 million people’.

The new Regulation treats national data protection authorities (DPAs) as the go-to regulators for organisations, meaning that an organisation will only have to work with one DPA rather than many, or, as Reding described it, ‘a one-stop shop’. EU Directives must be implemented by each EU Member State via national legislation, which can give rise to differing interpretations and requires a country-by-country analysis of the specific legal requirements. Replacing the existing Data Protection Directive with a Regulation means that individual countries cannot tailor the law in any way and that European data protection law will be uniform.

Viviane Reding said the proposals will improve the protection of Europeans’ personal data, reduce administrative burdens and save companies money. She identified the following key goals of the proposed reform:
The main provisions of the newly proposed Regulation include:

Expansion of the definition of personal data: what constitutes personal data is outlined in an EU published factsheet on the proposed data protection reform and is defined as ‘any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, and posts on social network websites, medical information or computer’s IP address’.

Breach notification mandate: in the event of a serious breach, organisations must notify the national supervisory authority as soon as possible (if feasible, within 24 hours).

Increased enforcement powers for Data Protection Authorities: DPAs will be able to fine organisations that violate the rules up to €1 million or up to 2 percent of the global annual turnover of a company.

Data Protection Officer requirement: companies with more than 250 employees and certain other organisations will be required to designate a data protection officer.

Data protection impact assessment requirement and security obligations: organisations involved in risky data processing will be required to conduct data protection impact assessments and implement appropriate technical and organisational measures ‘to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation’.

Explicit consent requirement: wherever consent is required for data to be processed, it must be given explicitly rather than assumed, according to the Regulation.

Extra-territorial reach: the Regulation applies to ‘personal data handled abroad by companies that are active in the EU market and offer their services to EU citizens’.
Significant penalties: penalties for violations of the Regulation range, depending on the type of violation, from a written warning to fines for intentional or negligent conduct of anywhere from €250,000 or 0.5% of a company’s annual worldwide turnover up to €1,000,000 or 2% of its annual worldwide turnover.

Transfers of personal data to third countries: under the proposed Regulation, transfers based on standard data protection clauses need only be approved by a single supervisory authority and will not require further authorisation.

The proposed data protection framework is currently under review by the European Parliament and EU Member States and is likely to undergo further modification before final adoption. Once sanctioned, the Regulation will go into effect, and the Directive will have to be incorporated into the national law of each Member State within approximately two years of the date of adoption.

The prospect of hefty penalties, coupled with more stringent operating security procedures, may be an unsavoury but necessary catalyst for organisations to become more protective and compliant in their approach to securing consumer data. The new framework is seen as an ambitious but necessary means of enforcing best-practice data protection procedures across Europe in a single harmonisation, simplifying the current patchwork of 27 different national laws.

Once the new Regulation is ratified, organisations across all industry sectors will need to accurately assess their security controls and proactively ensure that sufficient structures exist to properly and continuously protect valuable consumer data. This gives businesses some time to prepare and get their affairs in order by deploying sound security practices and robust policies, which will bring more clarity on the amount of data being lost through improved data breach prevention, reporting and control of sensitive data assets.
About PixAlert

PixAlert deploys world-class, scalable enterprise content audit solutions which enable organisations to discover where unsecured, unstructured sensitive information and inappropriate images reside on corporate networks and in email correspondence. PixAlert data solutions help to reduce risk, maintain compliance and safeguard corporate reputation through proven, market-leading data discovery technologies. www.pixalert.com

Original Article Source/Reference:
1. IAPP Article

Author: Niamh Hayes, Marketing Advisor, PixAlert